authorArturo Borrero <arturo.borrero.glez@gmail.com>2015-01-19 14:27:51 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2015-01-28 17:23:51 +0100
commitc5c011a13395ceab661eb2d5774487e1215ca9e7 (patch)
tree0a3abc9fce3326f49eee76d55684854634a1cedf
parent16331e1a3f592a6cb2d5e8eb64ea2e112d997e97 (diff)
ebtables-compat: prevent same matches to be included multiple times
Using two options of the same match results in two copies of the match being included in the nft rule. Example before this patch: % ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT % ebtables-compat -L [...] -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT Example with this patch: % ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT % ebtables-compat -L [...] % -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT [Note: the br_ip extension comes in a follow-up patch] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--iptables/xtables-eb.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index b559a533..a0786794 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -644,6 +644,14 @@ static void ebt_load_matches(void)
static void ebt_add_match(struct xtables_match *m,
struct xtables_rule_match **rule_matches)
{
+ struct xtables_rule_match *i;
+
+ /* match already in rule_matches, skip inclusion */
+ for (i = *rule_matches; i; i = i->next) {
+ if (strcmp(m->name, i->match->name) == 0)
+ return;
+ }
+
if (xtables_find_match(m->name, XTF_LOAD_MUST_SUCCEED, rule_matches) == NULL)
xtables_error(OTHER_PROBLEM,
"Unable to add match %s", m->name);
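Review bot: The new loop in ebt_add_match treats two matches as the same whenever their names compare equal and then returns with no diagnostic, so it is only correct if the entry already on `*rule_matches` is the very instance that received the options just parsed into `m`; that relationship is not visible in this hunk. If the two can ever be different objects (for example a copy made inside `xtables_find_match`, which I have not verified), the later option's data would be dropped silently and the installed filter rule would match more traffic than the user typed. I would state the assumption in the comment, e.g. `/* every option of an extension calls this; the entry with the same name is assumed to be m itself, already holding the parsed options */`, or make it checkable by also testing `i->match == m`. The closing lines of ebt_add_match fall outside the hunk.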