authorGaurav Sinha <gaurav.sinha@vyatta.com>2012-08-29 16:30:02 -0700
committerGaurav Sinha <gaurav.sinha@vyatta.com>2012-08-29 16:30:02 -0700
commit7d93877527420cb0f878fa32b39273748fae7498 (patch)
treee45e15e798380f553faeaeda7bcd97a534072fe2
parent46c2a30d36dd0f6157bd60e506024b24c87f6669 (diff)
downloadvyatta-conntrack-7d93877527420cb0f878fa32b39273748fae7498.tar.gz
vyatta-conntrack-7d93877527420cb0f878fa32b39273748fae7498.zip
Fix 8308, use C version of vyatta-validate-type, also fixing handling negation as per iptables in script
-rw-r--r--lib/Vyatta/Conntrack/RuleIgnore.pm7
-rw-r--r--templates-cfg/system/conntrack/ignore/rule/node.tag/protocol/node.def2
2 files changed, 7 insertions, 2 deletions
diff --git a/lib/Vyatta/Conntrack/RuleIgnore.pm b/lib/Vyatta/Conntrack/RuleIgnore.pm
index 9b9abe1..9127fa2 100644
--- a/lib/Vyatta/Conntrack/RuleIgnore.pm
+++ b/lib/Vyatta/Conntrack/RuleIgnore.pm
@@ -42,7 +42,12 @@ sub rule {
exit 1;
}
if (defined($self->{_protocol})) {
- $rule .= " -p $self->{_protocol}";
+ if ($self->{_protocol} =~ m/^!/) {
+ my $protocol = substr($self->{_protocol}, 1);
+ $rule .= " ! -p $protocol";
+ } else {
+ $rule .= " -p $self->{_protocol}";
+ }
}
$rule .= " $srcrule $dstrule ";
return $rule;
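Review bot: The new negation branch appends whatever follows the leading `!` to the rule string without checking it. A value of just `!` produces ` ! -p ` with no protocol, and any whitespace or extra tokens in the value become additional iptables arguments. The template's `protocol_negate` syntax check presumably rejects such values at commit time, but this function does not enforce that itself, and how the returned string is executed is not visible in the hunk. Consider an anchored capture such as `my ($protocol) = $self->{_protocol} =~ m/\A!\s*([\w.+-]+)\z/;` and taking the function's existing error path when it does not match. The unchanged `-p $self->{_protocol}` line in the else branch interpolates the value the same way. The body of rule() starts and ends outside the hunk.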
diff --git a/templates-cfg/system/conntrack/ignore/rule/node.tag/protocol/node.def b/templates-cfg/system/conntrack/ignore/rule/node.tag/protocol/node.def
index 59f23a3..93ae51a 100644
--- a/templates-cfg/system/conntrack/ignore/rule/node.tag/protocol/node.def
+++ b/templates-cfg/system/conntrack/ignore/rule/node.tag/protocol/node.def
@@ -7,7 +7,7 @@ val_help: tcp_udp ; Both TCP and UDP
val_help: all ; All IP protocols
val_help: !<protocol> ; All IP protocols except for the specified name or number (negation)
-syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \
+syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'`\" ] \
&& [ \"$VAR(@)\" != 'tcp_udp' ]; then \
echo invalid protocol \"$VAR(@)\" ; \
exit 1 ; \