From 76976c044de639bb4bf170aa1c7a33fbeca1f1a5 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 10 Oct 2013 20:36:08 +0000
Subject: [PATCH] Use fw3_ipt_rule_replace() when setting up zone interface rules

This avoids duplicate rules in the final ruleset when multiple interfaces, subnets or devices in a zone specification resolve to the same values.
---
 zones.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/zones.c b/zones.c
index 04784c7..8d8fd3d 100644
--- a/zones.c
+++ b/zones.c
@@ -345,8 +345,8 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
 fw3_ipt_rule_target(r, jump_target(t));
 fw3_ipt_rule_extra(r, zone->extra_src);
- fw3_ipt_rule_append(r, "zone_%s_src_%s", zone->name,
- fw3_flag_names[t]);
+ fw3_ipt_rule_replace(r, "zone_%s_src_%s", zone->name,
+ fw3_flag_names[t]);
 }
 
 if (has(zone->flags, handle->family, t))
@@ -354,8 +354,8 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
 fw3_ipt_rule_target(r, jump_target(t));
 fw3_ipt_rule_extra(r, zone->extra_dest);
- fw3_ipt_rule_append(r, "zone_%s_dest_%s", zone->name,
- fw3_flag_names[t]);
+ fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
+ fw3_flag_names[t]);
 }
 }
 
@@ -373,7 +373,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 else
 fw3_ipt_rule_extra(r, zone->extra_src);
 
- fw3_ipt_rule_append(r, "delegate_%s", chains[i]);
+ fw3_ipt_rule_replace(r, "delegate_%s", chains[i]);
 }
 }
 else if (handle->table == FW3_TABLE_NAT)
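Review bot: The reason the `zone_%s_src_%s` and `zone_%s_dest_%s` rules are added with fw3_ipt_rule_replace() rather than fw3_ipt_rule_append() is recorded only in the commit message, so a later edit to these blocks could go back to append without noticing that duplicates return. A one-line comment above the first call would keep the reason next to the code: `/* replace, not append: several interfaces, subnets or devices of a zone may resolve to the same match */`. The same applies to the `delegate_*` and `mssfix` call sites in the later hunks. print_interface_rule() begins and ends outside this hunk.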
@@ -383,7 +383,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
 fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
 fw3_ipt_rule_extra(r, zone->extra_src);
- fw3_ipt_rule_append(r, "delegate_prerouting");
+ fw3_ipt_rule_replace(r, "delegate_prerouting");
 }
 
 if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
@@ -391,7 +391,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
 fw3_ipt_rule_target(r, "zone_%s_postrouting", zone->name);
 fw3_ipt_rule_extra(r, zone->extra_dest);
- fw3_ipt_rule_append(r, "delegate_postrouting");
+ fw3_ipt_rule_replace(r, "delegate_postrouting");
 }
 }
 else if (handle->table == FW3_TABLE_MANGLE)
@@ -409,7 +409,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 fw3_ipt_rule_comment(r, "%s (mtu_fix logging)", zone->name);
 fw3_ipt_rule_target(r, "LOG");
 fw3_ipt_rule_addarg(r, false, "--log-prefix", buf);
- fw3_ipt_rule_append(r, "mssfix");
+ fw3_ipt_rule_replace(r, "mssfix");
 }
 
 r = fw3_ipt_rule_create(handle, &tcp, NULL, dev, NULL, sub);
@@ -418,7 +418,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 fw3_ipt_rule_comment(r, "%s (mtu_fix)", zone->name);
 fw3_ipt_rule_target(r, "TCPMSS");
 fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
- fw3_ipt_rule_append(r, "mssfix");
+ fw3_ipt_rule_replace(r, "mssfix");
 }
 }
 else if (handle->table == FW3_TABLE_RAW)
@@ -428,7 +428,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
 fw3_ipt_rule_target(r, "zone_%s_notrack", zone->name);
 fw3_ipt_rule_extra(r, zone->extra_src);
- fw3_ipt_rule_append(r, "delegate_notrack");
+ fw3_ipt_rule_replace(r, "delegate_notrack");
 }
 }
 }
-- 
2.30.2
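Review bot: Which copy of a duplicated rule survives is not visible in this hunk, and in `delegate_prerouting` the rule position decides which `zone_%s_prerouting` chain a packet enters first. fw3_ipt_rule_replace() is defined elsewhere; if it removes the existing identical rule and adds it again at the end of the chain, a repeated interface moves that rule behind anything added in between. All rules of one zone jump to the same chain, so this presumably only matters if another zone's rules can land between the duplicates; a comment at the call stating the assumed semantics would settle it, e.g. `/* replace keeps a single copy; order within a zone is irrelevant, all its rules share the target */`. The same question applies to the `delegate_postrouting` and `delegate_notrack` hunks and to the `delegate_%s` loop.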
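Review bot: The two `mssfix` rules carry the zone name in their comment (`"%s (mtu_fix logging)"`, `"%s (mtu_fix)"`) but are added to a chain shared by all zones, so the de-duplication presumably stops at the zone boundary: if fw3_ipt_rule_replace() compares the whole rule including the comment (its body is not in this diff), two zones covering the same device still yield two LOG and two TCPMSS rules, and each matching packet is logged twice. If that is accepted, say so next to the LOG rule, e.g. `/* duplicates are only collapsed within a zone; the comment differs per zone */`. The `buf` log prefix and the enclosing condition are built outside the hunk, so whether the prefix also differs per zone cannot be checked here.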