[PATCH/iptables] Duplicated matches/targets
Felipe Kellermann
stdfk at terra.com.br
Wed Nov 2 07:04:36 CET 2005
While doing little modifications in my extension list, I've accidentally
built a binary (NO_SHARED_LIBS) with a duplicated match. I immediately
noticed this because with that duplicated match I couldn't "load" some
other matches of my list of matches (e.g., state).

% sort initext.c | uniq -d
ipt_comment_init();
extern void ipt_comment_init(void);
% iptables -m state
iptables v1.3.4: Couldn't find match `state'
Try `iptables -h' or 'iptables --help' for more information.

With some trivial debugging I noticed that the iptables_match list was
leaking. find_match() is always returning NULL when loaded == 0 and
ipt_tryload == DONT_LOAD and NO_SHARED_LIBS is defined. Just setting
loaded to 1 when it's successfully "loaded" solved the problem.

Additionally, IMHO we shouldn't exit() while registering matches or
targets that are already registered. Doing that could prevent rules from
getting committed just because there are duplicated matches or targets.
Any objections to just skipping when the revisions are the same? The
current code already skips when the old revision is greater than "me".

% iptables -m state
iptables: match `comment' already registered.
iptables v1.3.4: You must specify `--state'
Try `iptables -h' or 'iptables --help' for more information.

--
Felipe Kellermann
-------------- next part --------------
Index: iptables.c
===================================================================
--- iptables.c (revision 4420)
+++ iptables.c (working copy)
@@ -1120,7 +1120,7 @@
fprintf(stderr,
"%s: match `%s' already registered.\n",
program_name, me->name);
- exit(1);
+ return;
}
/* Now we have two (or more) options, check compatibility. */
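Review bot: Turning exit(1) into return; in the "match ... already registered" branch makes every duplicate that reaches it non-fatal, but the fprintf still reads as an error and the exit status no longer reveals a misbuilt binary. I would reword the message as a warning, and keep the hard failure unless the entry being registered is the very same one that is already on the list. Otherwise, which of two different implementations of a match name ends up in use depends on registration order, and a firewall tool should not decide that silently.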
@@ -1150,6 +1150,7 @@
me->m = NULL;
me->mflags = 0;
+ me->loaded = 1;
}
void
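Review bot: The new me->loaded = 1; at the end of match registration is unconditional and uncommented, while the failure described in the mail only occurs when NO_SHARED_LIBS is defined. Please either put the assignment under the NO_SHARED_LIBS conditional or add a comment saying why a registered match counts as loaded in every build, so the next reader does not have to rediscover the interaction with find_match().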
@@ -1178,7 +1179,7 @@
fprintf(stderr,
"%s: target `%s' already registered.\n",
program_name, me->name);
- exit(1);
+ return;
}
/* Now we have two (or more) options, check compatibility. */
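Review bot: The target path gets the exit(1) to return; change here but no counterpart to the me->loaded = 1; line that the second hunk adds for matches. If target lookup applies the same loaded check in a NO_SHARED_LIBS build, targets can still fail to resolve; please confirm, and either add the assignment or say in the commit message why targets do not need it. Since this branch is now non-fatal, the "target ... already registered" text would also read better as a warning.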