From e4d5a16244706421671bb97ba3d11f9c7588cab4 Mon Sep 17 00:00:00 2001
From: bbruns <bbruns@e5899ace-8841-11de-95b9-8f387cfb8bc3>
Date: Fri, 12 Nov 2010 01:03:34 +0000
Subject: [PATCH] Code to avoid dupe rules

---
 bin/firewall-sosdg | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 4ff9770..7ee01dd 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -530,6 +530,7 @@ fi
 if [ $NAT ]; then
 	if [ "$NAT_RANGE" ]; then
 		display_c YELLOW "Adding NAT rule:"
+		unset INIF_EXISTS OUTIF_EXISTS
 		for i in $NAT_RANGE; do
 			NAT_RULE=( ${i//:/ } )
 			case ${NAT_RULE[0]} in
@@ -537,8 +538,11 @@ if [ $NAT ]; then
 				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
 					-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]} 
 				display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
-				$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
-				$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
+				if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}" ]]; then
+					$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
+					$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
+					INIF_EXISTS="${INIF_EXISTS} $i"
+				fi
 				$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
 				$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
 				$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
@@ -547,8 +551,11 @@ if [ $NAT ]; then
 			MASQ)
 				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
 				display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
-				$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
-				$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
+				if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}" ]]; then
+					$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
+					$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
+					INIF_EXISTS="${INIF_EXISTS} $i"
+				fi
 				$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
 				$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
 				$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT