From 47ae6cea4cdf295c21c574b1910489a12e86c757 Mon Sep 17 00:00:00 2001
From: Jaime Melis
Date: Wed, 5 Feb 2014 14:21:59 +0100
Subject: [PATCH] Bug #2667: Don't add rules if chain already exists
---
 src/vnm_mad/remotes/Firewall.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/vnm_mad/remotes/Firewall.rb b/src/vnm_mad/remotes/Firewall.rb
index feb7b1b84b..08cd05d158 100644
--- a/src/vnm_mad/remotes/Firewall.rb
+++ b/src/vnm_mad/remotes/Firewall.rb
@@ -41,6 +41,8 @@ class OpenNebulaFirewall < OpenNebulaNetwork
 chain = "one-#{vm_id}-#{nic[:network_id]}"
 tap = nic[:tap]
 
+ next if chain_exists?(chain)
+
 if tap
 #TCP
 if range = nic[:white_ports_tcp]
@@ -149,6 +151,12 @@ class OpenNebulaFirewall < OpenNebulaNetwork
 rule "-N #{chain}"
 end
 
+ def chain_exists?(chain)
+ iptables_nl =`#{COMMANDS[:iptables]} -nL`
+ chains = iptables_nl.scan(/(one-.*?) .*references/).flatten
+ chains.include? chain
+ end
+
 def rule(rule)
 "#{COMMANDS[:iptables]} #{rule}"
 end
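Review bot: The new `next if chain_exists?(chain)` treats any chain with that name as complete and current, so a chain left half-built by an earlier failed activation, or one created before the NIC's port lists (such as `nic[:white_ports_tcp]`) changed, keeps whatever rules it already has. The filter applied to the VM can then be weaker than the one requested, and nothing records that the NIC was skipped. Whether stale chains can survive depends on the deactivate path, which is not visible in this hunk. At minimum, state the assumption above the guard, for example `# Chain already present: its rules are assumed complete and are not re-checked against the current NIC settings`, and consider logging the skip. The enclosing loop starts and ends outside the hunk.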
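Review bot: The pattern in `chain_exists?` is unanchored, so `/(one-.*?) .*references/` also captures the tail of any chain whose name merely contains `one-` (a constructed example: `someone-1-2` would be read as `one-1-2`). A false match makes the `next` in the first hunk skip rule creation for that NIC. Anchoring to the header line that iptables prints for user chains avoids this: `chains = iptables_nl.scan(/^Chain (one-\S+) \(\d+ references\)/).flatten`. The backtick call's exit status is not checked; a failed listing yields an empty string and the method answers false, which falls back to adding rules, so that direction looks safe but deserves a short comment. The full `-nL` listing is also re-run for every NIC, so building the chain list once before the loop would be cheaper on hosts with many VMs.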