-rw-r--r--interface-definitions/firewall.xml.in42
-rw-r--r--interface-definitions/include/firewall/packet-length.xml.i18
-rw-r--r--python/vyos/firewall.py7
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py12
-rwxr-xr-xsrc/validators/packet-length (renamed from src/validators/ip-length)0
5 files changed, 28 insertions, 51 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index f838f1b88..ed84acbb7 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -383,26 +383,7 @@
</children>
</node>
#include <include/firewall/common-rule.xml.i>
- <leafNode name="ip-length">
- <properties>
- <help>Payload size in bytes, including any extension header</help>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>Numbered packet length</description>
- </valueHelp>
- <valueHelp>
- <format>&lt;start-end&gt;</format>
- <description>Packet length range (e.g. 1001-1005)</description>
- </valueHelp>
- <valueHelp>
- <format> </format>
- <description>\n\n Multiple values can be specified as a comma-separated list.\n For example: '64, 512,1001-1005'</description>
- </valueHelp>
- <constraint>
- <validator name="ip-length"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/firewall/packet-length.xml.i>
<node name="hop-limit">
<properties>
<help>Hop Limit</help>
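Review bot: The CLI node is renamed from `ip-length` to `packet-length` here and in the second hunk of this file (IPv4 rules), but none of the five files in the diffstat looks like a config migration. If no migration ships separately, a saved configuration that still contains `ip-length` would presumably fail validation on upgrade, and on a firewall that can mean rules are not loaded as the operator expects. I would add a migration step that renames `ip-length` to `packet-length` under both `firewall name` and `firewall ipv6-name` rules, plus an upgrade test for it.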
@@ -591,26 +572,7 @@
</children>
</node>
#include <include/firewall/common-rule.xml.i>
- <leafNode name="ip-length">
- <properties>
- <help>Packet size in bytes, including header and data</help>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>Numbered packet length</description>
- </valueHelp>
- <valueHelp>
- <format>&lt;start-end&gt;</format>
- <description>Packet length range (e.g. 1001-1005)</description>
- </valueHelp>
- <valueHelp>
- <format> </format>
- <description>\n\n Multiple values can be specified as a comma-separated list.\n For example: '64, 512,1001-1005'</description>
- </valueHelp>
- <constraint>
- <validator name="ip-length"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/firewall/packet-length.xml.i>
<node name="icmp">
<properties>
<help>ICMP type and code information</help>
diff --git a/interface-definitions/include/firewall/packet-length.xml.i b/interface-definitions/include/firewall/packet-length.xml.i
new file mode 100644
index 000000000..866a76bbb
--- /dev/null
+++ b/interface-definitions/include/firewall/packet-length.xml.i
@@ -0,0 +1,18 @@
+<!-- include start from firewall/packet-length.xml.i -->
+<leafNode name="packet-length">
+ <properties>
+ <help>Payload size in bytes, including header and data</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Packet length value. Multiple values can be specified as a comma-separated list. Inverted match is also supported</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;start-end&gt;</format>
+ <description>Packet length range. Inverted match is also supported (e.g. 1001-1005 or !1001-1005)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="packet-length"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
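Review bot: The shared `<help>` text "Payload size in bytes, including header and data" contradicts itself, and it replaces two different descriptions (IPv6: payload including extension headers; IPv4: whole packet including header). Since `firewall.py` emits `ip{def_suffix} length`, the matched field likely still differs between the two families, so the help should say so, e.g. `<help>Packet length in bytes (IPv4: total length, IPv6: payload length)</help>`; please confirm against the nftables semantics. The format `u32:1-65535` also disagrees with the smoketest in this commit, which sets `0-30000`.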
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index a4fd64830..ea28aa91d 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -266,9 +266,9 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
output.append(icmp + ' type ' + rule_conf[icmp]['type'])
- if 'ip_length' in rule_conf:
+ if 'packet_length' in rule_conf:
#proto = rule_conf['protocol']
- length = rule_conf['ip_length'].split(',')
+ length = rule_conf['packet_length'].split(',')
lengths = []
negated_lengths = []
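Review bot: The commented-out line `#proto = rule_conf['protocol']` is left behind in this hunk, while the next hunk removes the commented `proto` block it belonged to. It should be deleted too so no dead reference to `proto` remains. Separately, the value is split on `,` and, as far as the visible lines show, joined back into the nft expression unchanged, so the `packet-length` validator is the only check on these tokens; a short comment stating that dependency would help. `parse_rule` starts and ends outside the hunk.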
@@ -279,9 +279,6 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
else:
lengths.append(p)
- #if proto == 'tcp_udp':
- # proto = 'th'
-
if lengths:
lengths_str = ','.join(lengths)
output.append(f'ip{def_suffix} length {{{lengths_str}}}')
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 5ca00eafa..8b6c221e3 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -210,11 +210,11 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '5', 'tcp', 'mss', mss_range])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '6', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '6', 'ip-length', '64,512,1024'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '6', 'packet-length', '64,512,1024'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '7', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '7', 'ip-length', '0-30000'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '7', 'packet-length', '0-30000'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '8', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '8', 'ip-length', '!60000-65535'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '8', 'packet-length', '!60000-65535'])
self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest'])
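Review bot: Rule 7 sets `packet-length` to `'0-30000'`, whose lower bound is outside the `u32:1-65535` range that the new `packet-length.xml.i` documents; the same applies to rule 4 in the IPv6 hunk below. Either the test should use `'1-30000'` or the valueHelp should be corrected to match what the validator accepts (the validator is renamed without content changes, so its bounds are not visible here). A negative case asserting that an out-of-range or malformed length is rejected would also be worth adding. The test method continues outside the hunk.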
@@ -250,11 +250,11 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '2', 'destination', 'port', '8888'])
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '3', 'ip-length', '64,512,1024'])
+ self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '3', 'packet-length', '64,512,1024'])
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '4', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '4', 'ip-length', '0-30000'])
+ self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '4', 'packet-length', '0-30000'])
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '5', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '5', 'ip-length', '!60000-65535'])
+ self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '5', 'packet-length', '!60000-65535'])
self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'ipv6-name', 'v6-smoketest'])
diff --git a/src/validators/ip-length b/src/validators/packet-length
index d96093849..d96093849 100755
--- a/src/validators/ip-length
+++ b/src/validators/packet-length