9 files changed, 38 insertions, 36 deletions
diff --git a/scripts/firewall/VyattaIpTablesAddressFilter.pm b/scripts/firewall/VyattaIpTablesAddressFilter.pm
index f07a0ef..df68693 100644
--- a/scripts/firewall/VyattaIpTablesAddressFilter.pm
+++ b/scripts/firewall/VyattaIpTablesAddressFilter.pm
@@ -43,14 +43,21 @@ sub setup {
 $self->{_protocol} = $config->returnValue(".. protocol");
 # setup address filter nodes
- $self->{_range_start} = $config->returnValue("range start");
- $self->{_range_stop} = $config->returnValue("range stop");
 $self->{_address} = $config->returnValue("address");
 $self->{_network} = undef;
- if (defined($self->{_address}) && ($self->{_address} =~ /\//)) {
- $self->{_network} = $self->{_address};
- $self->{_address} = undef;
+ $self->{_range_start} = undef;
+ $self->{_range_stop} = undef;
+ if (defined($self->{_address})) {
+ if ($self->{_address} =~ /\//) {
+ $self->{_network} = $self->{_address};
+ $self->{_address} = undef;
+ } elsif ($self->{_address} =~ /^([^-]+)-([^-]+)$/) {
+ $self->{_range_start} = $1;
+ $self->{_range_stop} = $2;
+ $self->{_address} = undef;
+ }
 }
+
 $self->{_port} = $config->returnValue("port");
 $self->{_src_mac} = $config->returnValue("mac-address");
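Review bot: The new range branch in setup() accepts any `<text>-<text>` pair — `^([^-]+)-([^-]+)$` never checks that either half is an IPv4 address — and since this same commit also removes the node.def `syntax:expression:` validator, the captured `$1`/`$2` now reach rule() with no validation at all; either both halves should be checked here with a strict dotted-quad test (a `!` prefix allowed only on the first half) or the template-level validator has to be restored, as the value ends up in the iptables argument string. The same parsing block is repeated verbatim in setupOrig() in the next hunk, so a private helper that returns the four fields would keep the two from drifting. setup() begins and ends outside the hunk.
```perl
# Split a raw "address" config value into (address, network, range_start,
# range_stop); at most one of the four is defined.
sub _parse_address {
  my ($raw) = @_;
  return (undef, undef, undef, undef) if !defined $raw;
  return (undef, $raw, undef, undef) if $raw =~ m{/};
  if ($raw =~ /^([^-]+)-([^-]+)$/) {
    # NOTE(review): both halves should still be validated as IPv4 here
    return (undef, undef, $1, $2);
  }
  return ($raw, undef, undef, undef);
}

# ... unchanged: protocol lookup in setup() ...
@{$self}{qw(_address _network _range_start _range_stop)}
  = _parse_address($config->returnValue("address"));
# ... unchanged: port / mac-address lookups ...
```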
@@ -68,14 +75,21 @@ sub setupOrig {
 $self->{_protocol} = $config->returnOrigValue(".. protocol");
 # setup address filter nodes
- $self->{_range_start} = $config->returnOrigValue("range start");
- $self->{_range_stop} = $config->returnOrigValue("range stop");
 $self->{_address} = $config->returnOrigValue("address");
 $self->{_network} = undef;
- if (defined($self->{_address}) && ($self->{_address} =~ /\//)) {
- $self->{_network} = $self->{_address};
- $self->{_address} = undef;
+ $self->{_range_start} = undef;
+ $self->{_range_stop} = undef;
+ if (defined($self->{_address})) {
+ if ($self->{_address} =~ /\//) {
+ $self->{_network} = $self->{_address};
+ $self->{_address} = undef;
+ } elsif ($self->{_address} =~ /^([^-]+)-([^-]+)$/) {
+ $self->{_range_start} = $1;
+ $self->{_range_stop} = $2;
+ $self->{_address} = undef;
+ }
 }
+
 $self->{_port} = $config->returnOrigValue("port");
 $self->{_src_mac} = $config->returnValue("mac-address");
@@ -124,13 +138,17 @@ sub rule {
 $str =~ s/^\!(.*)$/! $1/;
 $rule .= "--$self->{_srcdst} $str ";
 } elsif ((defined $self->{_range_start}) && (defined $self->{_range_stop})) {
+ my $start = $self->{_range_start};
+ my $negate = '';
+ if ($self->{_range_start} =~ /^!(.*)$/) {
+ $start = $1;
+ $negate = '! '
+ }
 if ("$self->{_srcdst}" eq "source") {
- $rule .= ("-m iprange "
- . "--src-range $self->{_range_start}-$self->{_range_stop} ");
+ $rule .= ("-m iprange $negate--src-range $start-$self->{_range_stop} ");
 } elsif ("$self->{_srcdst}" eq "destination") {
- $rule .= ("-m iprange "
- . "--dst-range $self->{_range_start}-$self->{_range_stop} ");
+ $rule .= ("-m iprange $negate--dst-range $start-$self->{_range_stop} ");
 }
 }
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
index 48da82b..d6f1723 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
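Review bot: In the rule() hunk only `_range_start` is inspected for a leading `!`; `_range_stop` is interpolated into the `--src-range`/`--dst-range` argument unchanged, so a malformed stop value (which the setup() regex does not reject) produces a malformed iptables option instead of a clear error. The stop half should be sanity-checked before use, or the whole range validated once where it is parsed, and the check could be noted with `# NOTE: negation is only accepted on the start address; stop must be a bare IPv4`. Separately, `$negate = '! '` is missing its terminating semicolon — legal as the last statement of the block, but fragile; write `$negate = '! ';`. rule() begins and ends outside the hunk.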
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
@@ -1,12 +1,9 @@
 type: txt
-help: Destination address or subnet
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl \
- -q ipv4_negate '$VAR(@)' \
- || /opt/vyatta/sbin/vyatta-validate-type.pl \
- -q ipv4net_negate '$VAR(@)'" \
- ; "invalid destination address \"$VAR(@)\""
+help: Destination IP address, subnet, or range
 comp_help: Possible completions:
 <IP address> IP address to match
 <IP address>/<prefix length> Subnet to match
+ <IP address>-<IP address> IP range to match
 !<IP address> Match everything except the specified address
 !<IP address>/<prefix length> Match everything except the specified subnet
+ !<IP address>-<IP address> Match everything except the specified range
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/range/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/range/node.def
deleted file mode 100644
index 7954a1a..0000000
--- a/templates/firewall/name/node.tag/rule/node.tag/destination/range/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Configure destination address range
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/range/start/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/range/start/node.def
deleted file mode 100644
index e202887..0000000
--- a/templates/firewall/name/node.tag/rule/node.tag/destination/range/start/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: ipv4; "destination range start should be an IPv4 address"
-help: Configure destination range start
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/range/stop/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/range/stop/node.def
deleted file mode 100644
index a58a3fb..0000000
--- a/templates/firewall/name/node.tag/rule/node.tag/destination/range/stop/node.def
+++ /dev/null
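Review bot: The `syntax:expression:` validator is deleted from destination/address/node.def and nothing replaces it, so the node is now a bare `type: txt` that accepts any string; the removed range/start and range/stop nodes carried `type: ipv4` checks, so range endpoints lose their validation as well. The same removal is made in source/address/node.def in the next file section. Unless a validator was added somewhere outside this diff, a replacement `syntax:expression:` that accepts the address, subnet and `<IP address>-<IP address>` forms (each with an optional leading `!`) should be restored here, because the value is otherwise passed straight into the iptables rule string assembled in VyattaIpTablesAddressFilter.pm, and an invalid address would only surface as a failed rule load at commit time rather than as a configuration error.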
@@ -1,2 +0,0 @@
-type: ipv4; "destination range stop should be an IPv4 address"
-help: Configure destination range stop
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def
index a9dda73..ae18e02 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def
@@ -1,12 +1,9 @@
 type: txt
-help: Source address or subnet
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl \
- -q ipv4_negate '$VAR(@)' \
- || /opt/vyatta/sbin/vyatta-validate-type.pl \
- -q ipv4net_negate '$VAR(@)'" \
- ; "invalid source address \"$VAR(@)\""
+help: Source IP address, subnet, or range
 comp_help: Possible completions:
 <IP address> IP address to match
 <IP address>/<prefix length> Subnet to match
+ <IP address>-<IP address> IP range to match
 !<IP address> Match everything except the specified address
 !<IP address>/<prefix length> Match everything except the specified subnet
+ !<IP address>-<IP address> Match everything except the specified range
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/range/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/range/node.def
deleted file mode 100644
index b9a0abd..0000000
--- a/templates/firewall/name/node.tag/rule/node.tag/source/range/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Configure source address range
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/range/start/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/range/start/node.def
deleted file mode 100644
index 8916cd3..0000000
--- a/templates/firewall/name/node.tag/rule/node.tag/source/range/start/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: ipv4; "source range start should be an IPv4 address"
-help: Configure source range start
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/range/stop/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/range/stop/node.def
deleted file mode 100644
index 0f7f0e7..0000000
--- a/templates/firewall/name/node.tag/rule/node.tag/source/range/stop/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: ipv4; "source range stop should be an IPv4 address"
-help: Configure source range stop |