projects / oweals / firewall3.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fca5e39)
Use fw3_ipt_rule_replace() when setting up zone interface rules
authorJo-Philipp Wich <jow@openwrt.org>
Thu, 10 Oct 2013 20:36:08 +0000 (20:36 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Thu, 10 Oct 2013 20:36:08 +0000 (20:36 +0000)
This avoids duplicate rules in the final ruleset when multiple interfaces,
subnets or devices in a zone specification resolve to the same values.

zones.c patch | blob | history

diff --git a/zones.c b/zones.c
index 04784c72eece3022af77f0e8e99cebaef1840304..8d8fd3d05d41c4b0badc032aa6d7c6daf6d35259 100644 (file)
--- a/zones.c
+++ b/zones.c
@@ -345,8 +345,8 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                                r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
                                fw3_ipt_rule_target(r, jump_target(t));
                                fw3_ipt_rule_extra(r, zone->extra_src);
-                               fw3_ipt_rule_append(r, "zone_%s_src_%s", zone->name,
-                                                   fw3_flag_names[t]);
+                               fw3_ipt_rule_replace(r, "zone_%s_src_%s", zone->name,
+                                                    fw3_flag_names[t]);
                        }
 
                        if (has(zone->flags, handle->family, t))
@@ -354,8 +354,8 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                                r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
                                fw3_ipt_rule_target(r, jump_target(t));
                                fw3_ipt_rule_extra(r, zone->extra_dest);
-                               fw3_ipt_rule_append(r, "zone_%s_dest_%s", zone->name,
-                                                   fw3_flag_names[t]);
+                               fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
+                                                    fw3_flag_names[t]);
                        }
                }
 
@@ -373,7 +373,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                        else
                                fw3_ipt_rule_extra(r, zone->extra_src);
 
-                       fw3_ipt_rule_append(r, "delegate_%s", chains[i]);
+                       fw3_ipt_rule_replace(r, "delegate_%s", chains[i]);
                }
        }
        else if (handle->table == FW3_TABLE_NAT)
@@ -383,7 +383,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                        r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
                        fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
                        fw3_ipt_rule_extra(r, zone->extra_src);
-                       fw3_ipt_rule_append(r, "delegate_prerouting");
+                       fw3_ipt_rule_replace(r, "delegate_prerouting");
                }
 
                if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
@@ -391,7 +391,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                        r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
                        fw3_ipt_rule_target(r, "zone_%s_postrouting", zone->name);
                        fw3_ipt_rule_extra(r, zone->extra_dest);
-                       fw3_ipt_rule_append(r, "delegate_postrouting");
+                       fw3_ipt_rule_replace(r, "delegate_postrouting");
                }
        }
        else if (handle->table == FW3_TABLE_MANGLE)
@@ -409,7 +409,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                                fw3_ipt_rule_comment(r, "%s (mtu_fix logging)", zone->name);
                                fw3_ipt_rule_target(r, "LOG");
                                fw3_ipt_rule_addarg(r, false, "--log-prefix", buf);
-                               fw3_ipt_rule_append(r, "mssfix");
+                               fw3_ipt_rule_replace(r, "mssfix");
                        }
 
                        r = fw3_ipt_rule_create(handle, &tcp, NULL, dev, NULL, sub);
@@ -418,7 +418,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                        fw3_ipt_rule_comment(r, "%s (mtu_fix)", zone->name);
                        fw3_ipt_rule_target(r, "TCPMSS");
                        fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
-                       fw3_ipt_rule_append(r, "mssfix");
+                       fw3_ipt_rule_replace(r, "mssfix");
                }
        }
        else if (handle->table == FW3_TABLE_RAW)
@@ -428,7 +428,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                        r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
                        fw3_ipt_rule_target(r, "zone_%s_notrack", zone->name);
                        fw3_ipt_rule_extra(r, zone->extra_src);
-                       fw3_ipt_rule_append(r, "delegate_notrack");
+                       fw3_ipt_rule_replace(r, "delegate_notrack");
                }
        }
 }
Unnamed repository; edit this file 'description' to name the repository.