<!-- include start from firewall/global-options.xml.i -->
<node name="global-options">
  <properties>
    <help>Global Options</help>
  </properties>
  <children>
    <leafNode name="all-ping">
      <properties>
        <help>Policy for handling of all IPv4 ICMP echo requests</help>
        <completionHelp>
          <list>enable disable</list>
        </completionHelp>
        <valueHelp>
          <format>enable</format>
          <description>Enable processing of all IPv4 ICMP echo requests</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>Disable processing of all IPv4 ICMP echo requests</description>
        </valueHelp>
        <constraint>
          <regex>(enable|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>enable</defaultValue>
    </leafNode>
    <leafNode name="broadcast-ping">
      <properties>
        <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help>
        <completionHelp>
          <list>enable disable</list>
        </completionHelp>
        <valueHelp>
          <format>enable</format>
          <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
        </valueHelp>
        <constraint>
          <regex>(enable|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>disable</defaultValue>
    </leafNode>
    <leafNode name="ip-src-route">
      <properties>
        <help>Policy for handling IPv4 packets with source route option</help>
        <completionHelp>
          <list>enable disable</list>
        </completionHelp>
        <valueHelp>
          <format>enable</format>
          <description>Enable processing of IPv4 packets with source route option</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>Disable processing of IPv4 packets with source route option</description>
        </valueHelp>
        <constraint>
          <regex>(enable|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>disable</defaultValue>
    </leafNode>
    <leafNode name="log-martians">
      <properties>
        <help>Policy for logging IPv4 packets with invalid addresses</help>
        <completionHelp>
          <list>enable disable</list>
        </completionHelp>
        <valueHelp>
          <format>enable</format>
          <description>Enable logging of IPv4 packets with invalid addresses</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>Disable logging of Ipv4 packets with invalid addresses</description>
        </valueHelp>
        <constraint>
          <regex>(enable|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>enable</defaultValue>
    </leafNode>
    <leafNode name="receive-redirects">
      <properties>
        <help>Policy for handling received IPv4 ICMP redirect messages</help>
        <completionHelp>
          <list>enable disable</list>
        </completionHelp>
        <valueHelp>
          <format>enable</format>
          <description>Enable processing of received IPv4 ICMP redirect messages</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>Disable processing of received IPv4 ICMP redirect messages</description>
        </valueHelp>
        <constraint>
          <regex>(enable|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>disable</defaultValue>
    </leafNode>
    <leafNode name="resolver-cache">
      <properties>
        <help>Retains last successful value if domain resolution fails</help>
        <valueless/>
      </properties>
    </leafNode>
    <leafNode name="resolver-interval">
      <properties>
        <help>Domain resolver update interval</help>
        <valueHelp>
          <format>u32:10-3600</format>
          <description>Interval (seconds)</description>
        </valueHelp>
        <constraint>
          <validator name="numeric" argument="--range 10-3600"/>
        </constraint>
      </properties>
      <defaultValue>300</defaultValue>
    </leafNode>
    <leafNode name="send-redirects">
      <properties>
        <help>Policy for sending IPv4 ICMP redirect messages</help>
        <completionHelp>
          <list>enable disable</list>
        </completionHelp>
        <valueHelp>
          <format>enable</format>
          <description>Enable sending IPv4 ICMP redirect messages</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>Disable sending IPv4 ICMP redirect messages</description>
        </valueHelp>
        <constraint>
          <regex>(enable|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>enable</defaultValue>
    </leafNode>
    <leafNode name="source-validation">
      <properties>
        <help>Policy for IPv4 source validation by reversed path, as specified in RFC3704</help>
        <completionHelp>
          <list>strict loose disable</list>
        </completionHelp>
        <valueHelp>
          <format>strict</format>
          <description>Enable IPv4 Strict Reverse Path Forwarding as defined in RFC3704</description>
        </valueHelp>
        <valueHelp>
          <format>loose</format>
          <description>Enable IPv4 Loose Reverse Path Forwarding as defined in RFC3704</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>No IPv4 source validation</description>
        </valueHelp>
        <constraint>
          <regex>(strict|loose|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>disable</defaultValue>
    </leafNode>
    <node name="state-policy">
      <properties>
        <help>Global firewall state-policy</help>
      </properties>
      <children>
        <node name="established">
          <properties>
            <help>Global firewall policy for packets part of an established connection</help>
          </properties>
          <children>
            #include <include/firewall/action-accept-drop-reject.xml.i>
            #include <include/firewall/log.xml.i>
            #include <include/firewall/rule-log-level.xml.i>
          </children>
        </node>
        <node name="invalid">
          <properties>
            <help>Global firewall policy for packets part of an invalid connection</help>
          </properties>
          <children>
            #include <include/firewall/action-accept-drop-reject.xml.i>
            #include <include/firewall/log.xml.i>
            #include <include/firewall/rule-log-level.xml.i>
          </children>
        </node>
        <node name="related">
          <properties>
            <help>Global firewall policy for packets part of a related connection</help>
          </properties>
          <children>
            #include <include/firewall/action-accept-drop-reject.xml.i>
            #include <include/firewall/log.xml.i>
            #include <include/firewall/rule-log-level.xml.i>
          </children>
        </node>
      </children>
    </node>
    <leafNode name="syn-cookies">
      <properties>
        <help>Policy for using TCP SYN cookies with IPv4</help>
        <completionHelp>
          <list>enable disable</list>
        </completionHelp>
        <valueHelp>
          <format>enable</format>
          <description>Enable use of TCP SYN cookies with IPv4</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>Disable use of TCP SYN cookies with IPv4</description>
        </valueHelp>
        <constraint>
          <regex>(enable|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>enable</defaultValue>
    </leafNode>
    <leafNode name="twa-hazards-protection">
      <properties>
        <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help>
        <completionHelp>
          <list>enable disable</list>
        </completionHelp>
        <valueHelp>
          <format>enable</format>
          <description>Enable RFC1337 TIME-WAIT hazards protection</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>Disable RFC1337 TIME-WAIT hazards protection</description>
        </valueHelp>
        <constraint>
          <regex>(enable|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>disable</defaultValue>
    </leafNode>
    <leafNode name="ipv6-receive-redirects">
      <properties>
        <help>Policy for handling received ICMPv6 redirect messages</help>
        <completionHelp>
          <list>enable disable</list>
        </completionHelp>
        <valueHelp>
          <format>enable</format>
          <description>Enable processing of received ICMPv6 redirect messages</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>Disable processing of received ICMPv6 redirect messages</description>
        </valueHelp>
        <constraint>
          <regex>(enable|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>disable</defaultValue>
    </leafNode>
    <leafNode name="ipv6-source-validation">
      <properties>
        <help>Policy for IPv6 source validation by reversed path, as specified in RFC3704</help>
        <completionHelp>
          <list>strict loose disable</list>
        </completionHelp>
        <valueHelp>
          <format>strict</format>
          <description>Enable IPv6 Strict Reverse Path Forwarding as defined in RFC3704</description>
        </valueHelp>
        <valueHelp>
          <format>loose</format>
          <description>Enable IPv6 Loose Reverse Path Forwarding as defined in RFC3704</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>No IPv6 source validation</description>
        </valueHelp>
        <constraint>
          <regex>(strict|loose|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>disable</defaultValue>
    </leafNode>
    <leafNode name="ipv6-src-route">
      <properties>
        <help>Policy for handling IPv6 packets with routing extension header</help>
        <completionHelp>
          <list>enable disable</list>
        </completionHelp>
        <valueHelp>
          <format>enable</format>
          <description>Enable processing of IPv6 packets with routing header type 2</description>
        </valueHelp>
        <valueHelp>
          <format>disable</format>
          <description>Disable processing of IPv6 packets with routing header</description>
        </valueHelp>
        <constraint>
          <regex>(enable|disable)</regex>
        </constraint>
      </properties>
      <defaultValue>disable</defaultValue>
    </leafNode>
  </children>
</node>
<!-- include end -->