nwfilter: do not create ebtables chain unnecessarily

If only iptables rules are created then two unnecessary ebtables chains
are also created. This patch fixes this and prevents these chains from
being created. They have been cleaned up properly, though.

diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 8a42cb7b40b016962777556abb1ed8e0795dd90c..d8b1e9798ad2879e0ba23f079e91597585824d89 100644 (file)
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -3619,10 +3619,12 @@ ebiptablesApplyNewRules(const char *ifname,
     NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
 
     /* create needed chains */
-    if (ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set , 1,
-                                          &ebtChains, &nEbtChains) < 0 ||
-        ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_out_set, 0,
-                                          &ebtChains, &nEbtChains) < 0) {
+    if ((virHashSize(chains_in_set) > 0 &&
+         ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set , 1,
+                                           &ebtChains, &nEbtChains) < 0) ||
+        (virHashSize(chains_out_set) > 0 &&
+         ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_out_set, 0,
+                                           &ebtChains, &nEbtChains) < 0)) {
         goto tear_down_tmpebchains;
     }