Correct handling of ORIGDEST with OLD_CONNTRACK_MATCH

- Also correct detection of OLD_CONNTRACK_MATCH in shorewall6

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -1143,16 +1143,30 @@ sub set_rule_option( $$$ ) {
 	#
 	# Consider each subtype as a separate type
 	#
-	my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+	if ( have_capability( 'OLD_CONNTRACK_MATCH' ) ) {
+	    my ( $subtype, $invert, $val, $rest ) = split ' ', $value;
 
-	if ( $invert eq '!' ) {
+	    if ( $invert eq '!' ) {
-	    assert( ! supplied $rest );
+		assert( ! supplied $rest );
-	    $option = join( ' ', $option, $invert, $subtype );
+		$option = join( ' ', $option, $subtype );
-	    $value  = $val;
+		$value  = join( ' ', $invert, $val );
+	    } else {
+		assert( ! supplied $val );
+		$option  = join( ' ', $invert , $option );
+		$value   = $invert;
+	    }
 	} else {
-	    assert( ! supplied $val );
+	    my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
-	    $option  = join( ' ', $option, $invert );
+
-	    $value   = $subtype;
+	    if ( $invert eq '!' ) {
+		assert( ! supplied $rest );
+		$option = join( ' ', $option, $invert, $subtype );
+		$value  = $val;
+	    } else {
+		assert( ! supplied $val );
+		$option  = join( ' ', $option, $invert );
+		$value   = $subtype;
+	    }
 	}
 
 	$opttype = EXCLUSIVE;

Shorewall/Perl/Shorewall/Config.pm

@@ -4603,7 +4603,11 @@ sub New_Conntrack_Match() {
 }
 
 sub Old_Conntrack_Match() {
-    ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    if ( $family == F_IPV4 ) {
+	! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    } else {
+	! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst ::1" );
+    }
 }
 
 sub Multiport() {