Using two matches options results in two copies of the match being included
in the nft rule.
Example before this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
-p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
Example with this patch:
% ebtables-compat -A FORWARD -p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
% ebtables-compat -L
[...]
-p 0x0800 --ip-src 10.0.0.1 --ip-dst 10.0.0.2 -j ACCEPT
[Note: the br_ip extension comes in a follow-up patch]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
static void ebt_add_match(struct xtables_match *m,
struct xtables_rule_match **rule_matches)
{
+ struct xtables_rule_match *i;
+
+ /* match already in rule_matches, skip inclusion */
+ for (i = *rule_matches; i; i = i->next) {
+ if (strcmp(m->name, i->match->name) == 0)
+ return;
+ }
+
if (xtables_find_match(m->name, XTF_LOAD_MUST_SUCCEED, rule_matches) == NULL)
xtables_error(OTHER_PROBLEM,
"Unable to add match %s", m->name);
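Review bot: the de-duplication loop keys on `m->name` alone and returns silently, so any second instance of the same extension in one rule is dropped without a diagnostic, not only the spurious copy this patch targets. If a rule may legitimately carry the same match twice (xtables supports that via `xtables_find_match`, which clones an already-used match when `rule_matches` is passed), the skip should be conditioned on whether this specific `m` was already added for the current rule (e.g. a flag set after the first successful `xtables_find_match` call) rather than on the name; if repeated use of a match is intentionally unsupported in ebtables-compat, say so in the comment above the loop and consider reporting it with `xtables_error` instead of a bare `return`.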