From a970778ae19b0fa8197f7bfdf6e0a9792557dcd7 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Fri, 12 Nov 2010 01:05:39 +0000
Subject: [PATCH] Code to avoid dupe rules
---
 bin/firewall-sosdg | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 7ee01dd..9d823f4 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -543,8 +543,11 @@ if [ $NAT ]; then
 $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
 INIF_EXISTS="${INIF_EXISTS} $i"
 fi
-$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
-$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
+if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}" ]]; then
+$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
+$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
+OUTIF_EXISTS="${OUTIF_EXISTS} $i"
+fi
 $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
 $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
 ;;
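Review bot: The dedupe key is inconsistent — the guard `if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}" ]]` tests whether the output interface occurs anywhere in the list, but the line `OUTIF_EXISTS="${OUTIF_EXISTS} $i"` records `$i`, which (by analogy with the `INIF_EXISTS` line above it) is presumably the whole NAT rule spec rather than the interface name. Because `=~` with a quoted right-hand side is a plain substring match, an interface that is a prefix of one already recorded (eth1 vs eth10), or that appears as the input interface of an earlier spec, would wrongly suppress the OUTPUT ICMP ACCEPT rules for that interface, silently leaving time-exceeded and fragmentation-needed unaccepted on its outbound path. Record the interface itself and match it as a whole word: `if [[ " $OUTIF_EXISTS " != *" ${NAT_RULE[3]} "* ]]; then` and `OUTIF_EXISTS="${OUTIF_EXISTS} ${NAT_RULE[3]}"`. The hunk at @@ -556 carries an identical copy of this block in the other case arm, so the same fix applies there and a small shared function would keep the two from drifting. The enclosing case arm and the `if [ $NAT ]` block start outside the hunk.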
@@ -556,8 +559,11 @@ if [ $NAT ]; then
 $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
 INIF_EXISTS="${INIF_EXISTS} $i"
 fi
-$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
-$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
+if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}" ]]; then
+$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
+$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
+OUTIF_EXISTS="${OUTIF_EXISTS} $i"
+fi
 $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
 $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
 ;;