diff options
author | Arturo Borrero <arturo.borrero.glez@gmail.com> | 2015-01-19 14:27:51 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-01-28 17:23:51 +0100 |
commit | c5c011a13395ceab661eb2d5774487e1215ca9e7 (patch) | |
tree | 0a3abc9fce3326f49eee76d55684854634a1cedf /iptables | |
parent | 16331e1a3f592a6cb2d5e8eb64ea2e112d997e97 (diff) |
ebtables-compat: prevent same matches to be included multiple times
Using two matches options results in two copies of the match being included
in the nft rule.
Example before this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
-p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
Example with this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
% -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
[Note: the br_ip extension comes in a follow-up patch]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/xtables-eb.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index b559a533..a0786794 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -644,6 +644,14 @@ static void ebt_load_matches(void) static void ebt_add_match(struct xtables_match *m, struct xtables_rule_match **rule_matches) { + struct xtables_rule_match *i; + + /* match already in rule_matches, skip inclusion */ + for (i = *rule_matches; i; i = i->next) { + if (strcmp(m->name, i->match->name) == 0) + return; + } + if (xtables_find_match(m->name, XTF_LOAD_MUST_SUCCEED, rule_matches) == NULL) xtables_error(OTHER_PROBLEM, "Unable to add match %s", m->name); |