Merge pull request #3981 from nicolas-fort/T6646

T6646: conntrack: in ignore rules, if protocols=all, do not append it to the rule

2 files changed, 3 insertions, 1 deletions

diff --git a/python/vyos/template.py b/python/vyos/template.py
index aa99bed5a..be9f781a6 100644..100755
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -694,7 +694,8 @@ def conntrack_rule(rule_conf, rule_id, action, ipv6=False):
         else:
             for protocol, protocol_config in rule_conf['protocol'].items():
                 proto = protocol
-        output.append(f'meta l4proto {proto}')
+        if proto != 'all':
+            output.append(f'meta l4proto {proto}')
 
     tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
     if tcp_flags and action != 'timeout':
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py
index c07fdce77..72deb7525 100755
--- a/smoketest/scripts/cli/test_system_conntrack.py
+++ b/smoketest/scripts/cli/test_system_conntrack.py
@@ -209,6 +209,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
 
         self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '2', 'source', 'address', '192.0.2.1'])
         self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '2', 'destination', 'group', 'address-group', address_group])
+        self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '2', 'protocol', 'all'])
 
         self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '11', 'source', 'address', 'fe80::1'])
         self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '11', 'destination', 'address', 'fe80::2'])