From c5c011a13395ceab661eb2d5774487e1215ca9e7 Mon Sep 17 00:00:00 2001
From: Arturo Borrero
Date: Mon, 19 Jan 2015 14:27:51 +0100
Subject: ebtables-compat: prevent same matches to be included multiple times

Using two matches options results in two copies of the match being included in the nft rule.

Example before this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
-p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT

Example with this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
% -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT

[Note: the br_ip extension comes in a follow-up patch]

Signed-off-by: Arturo Borrero Gonzalez
Signed-off-by: Pablo Neira Ayuso
---
 iptables/xtables-eb.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'iptables')

diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index b559a533..a0786794 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -644,6 +644,14 @@ static void ebt_load_matches(void)
 static void ebt_add_match(struct xtables_match *m, struct xtables_rule_match **rule_matches)
 {
+ struct xtables_rule_match *i;
+
+ /* match already in rule_matches, skip inclusion */
+ for (i = *rule_matches; i; i = i->next) {
+ if (strcmp(m->name, i->match->name) == 0)
+ return;
+ }
+
 if (xtables_find_match(m->name, XTF_LOAD_MUST_SUCCEED, rule_matches) == NULL)
 xtables_error(OTHER_PROBLEM, "Unable to add match %s", m->name);
-- cgit v1.2.3
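Review bot: The new loop deduplicates by name only and returns silently, which departs from the libxtables convention where each xtables_find_match() call with a list pointer appends a further rule_match entry so a match can legitimately be repeated; the comment should state why that is not wanted here, e.g. `/* ebtables extensions are single-instance: a later option of an already attached extension must not add a second rule_match entry */`. Whether the caller then parses that later option into the entry already on the list rather than into a separate copy is not visible in this hunk and is worth confirming, since otherwise the skipped registration would drop options instead of just a duplicate. A pointer walking a linked list reads better as `rm` or `rm_iter` than `i`, which suggests an integer index. ebt_add_match's closing brace lies outside the hunk.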