From 6f82bfe7d100eb8d2d6a87618e1e6a36576288fb Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 29 Dec 2017 15:54:15 -0800
Subject: [PATCH] Handle PROTO '-' in conntrack file processing.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Raw.pm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index 0d3bdb40b..06c6fba93 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -138,10 +138,12 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
- if ( $proto =~ s/:all$// ) {
- fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
- } else {
- $proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
+ if ( $proto ne '-' ) {
+ if ( $proto =~ s/:all$// ) {
+ fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
+ } else {
+ $proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
+ }
 }
 if ( $option eq 'notrack' ) {
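Review bot: The new `if ( $proto ne '-' )` guard carries no comment on what `-` means or what skipping the block implies. With `-`, neither the `:all` validation nor the implicit `TCP . ':syn'` narrowing runs, so such an entry presumably matches TCP packets in any state, unlike a bare `tcp` entry. Since this file decides which traffic gets `notrack`/CT handling, that difference deserves a line above the guard, e.g. `# PROTO '-' = any protocol: no ':all' check and no implicit ':syn' restriction`. Separately, the carried-over test `$proto !~ /:syn/` is unanchored; if `:syn` is only valid as a suffix, `/:syn$/` would match the style of `s/:all$//`. The body of process_conntrack_rule starts and ends outside the hunk.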