summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBob Gilligan <gilligan@vyatta.com>2009-02-23 11:59:10 -0800
committerBob Gilligan <gilligan@vyatta.com>2009-02-23 11:59:10 -0800
commitd766dd656ad8af7219ff604609215a76596d13a8 (patch)
tree68d4ffa3c80cac29dfedcf86280d48b7ddcd759b
parentca464052ad78c6d840c9982fb5d9f1f016f7e3c9 (diff)
downloadvyatta-cfg-firewall-d766dd656ad8af7219ff604609215a76596d13a8.tar.gz
vyatta-cfg-firewall-d766dd656ad8af7219ff604609215a76596d13a8.zip
Add "ipv6-modify" firewall configuration sub-tree.
-rw-r--r--templates/firewall/ipv6-modify/node.def7
-rw-r--r--templates/firewall/ipv6-modify/node.tag/description/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.def7
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def6
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def14
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def10
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def135
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def4
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def2
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def26
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def2
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def2
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def14
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def8
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def12
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def8
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def11
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def7
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def11
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def8
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def9
-rw-r--r--templates/firewall/ipv6-name/node.def2
-rw-r--r--templates/firewall/ipv6-name/node.tag/description/node.def2
-rw-r--r--templates/firewall/modify/node.def2
-rw-r--r--templates/firewall/modify/node.tag/description/node.def2
-rw-r--r--templates/firewall/name/node.def2
-rw-r--r--templates/firewall/name/node.tag/description/node.def2
55 files changed, 354 insertions, 6 deletions
diff --git a/templates/firewall/ipv6-modify/node.def b/templates/firewall/ipv6-modify/node.def
new file mode 100644
index 0000000..c0c324d
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.def
@@ -0,0 +1,7 @@
+tag:
+
+type: txt
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
+
+help: Set IPv6 modify rule set name
diff --git a/templates/firewall/ipv6-modify/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/description/node.def
new file mode 100644
index 0000000..cbd090b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Set IPv6 modify rule set description
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.def
new file mode 100644
index 0000000..674abd2
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.def
@@ -0,0 +1,7 @@
+tag:
+
+type: u32
+
+help: Set IPv6 modify rule number (1-1024)
+
+syntax:expression: $VAR(@) > 0 && $VAR(@) < 1025; "firewall rule number must be between 1 and 1024"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 0000000..ac60488
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,6 @@
+type: txt
+
+help: Set firewall rule action
+
+syntax:expression: $VAR(@) in "drop", "reject", "accept", "modify";
+ "action must be one of drop, reject, accept, or modify"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 0000000..b49b91e
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Set rule description
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..5c7f5e9
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def
@@ -0,0 +1,14 @@
+type: txt
+
+help: Set source IPv6 address, prefix or range to match
+
+comp_help: Possible completions:
+ <x:x:x:x:x:x:x:x> IPv6 address to match
+ <x:x:x:x:x:x:x:x>/<n> IPv6 prefix to match
+ <x:x:x:x:x:x>-<x:x:x:x:x:x> Range of IPv6 addresses
+ !<x:x:x:x:x:x:x:x> Everything except IPv6 address
+ !<x:x:x:x:x:x:x:x>/<n> Everything except IPv6 prefix
+ !<x:x:x:x:x:x>-<x:x:x:x:x:x> Everything except range
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)"
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def
new file mode 100644
index 0000000..500e0bb
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: Set firewall destination parameters
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def
new file mode 100644
index 0000000..b292864
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Set destination port
+
+comp_help: Destination port(s) can be specified as a comma-separated list of:
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def
new file mode 100644
index 0000000..498a027
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def
@@ -0,0 +1 @@
+help: Set firewall rule disabled \ No newline at end of file
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def
new file mode 100644
index 0000000..d4dc9c0
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def
@@ -0,0 +1 @@
+help: Set rule ICMPv6 type and code information
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def
new file mode 100644
index 0000000..13ff654
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def
@@ -0,0 +1,135 @@
+type: txt
+
+help: Set ICMPv6 type/code
+
+comp_help: Possible completions:
+ destination-unreachable ICMPv6 type/code name
+ no-route ICMPv6 type/code name
+ communication-prohibited ICMPv6 type/code name
+ address-unreachable ICMPv6 type/code name
+ port-unreachable ICMPv6 type/code name
+ packet-too-big ICMPv6 type/code name
+ time-exceeded ICMPv6 type/code name
+ ttl-zero-during-transit ICMPv6 type/code name
+ ttl-zero-during-reassembly ICMPv6 type/code name
+ parameter-problem ICMPv6 type/code name
+ bad-header ICMPv6 type/code name
+ unknown-header-type ICMPv6 type/code name
+ unknown-option ICMPv6 type/code name
+ echo-request ICMPv6 type/code name
+ ping ICMPv6 type/code name
+ echo-reply ICMPv6 type/code name
+ pong ICMPv6 type/code name
+ router-solicitation ICMPv6 type/code name
+ router-advertisement ICMPv6 type/code name
+ neighbour-solicitation ICMPv6 type/code name
+ neighbor-solicitation ICMPv6 type/code name
+ neighbour-advertisement ICMPv6 type/code name
+ neighbor-advertisement ICMPv6 type/code name
+ <0 - 255> ICMPv6 type number
+ <0 - 255>/<0 - 255> ICMPv6 type and code numbers
+
+allowed:
+ array=(
+ destination-unreachable
+ no-route
+ communication-prohibited
+ address-unreachable
+ port-unreachable
+ packet-too-big
+ time-exceeded
+ ttl-zero-during-transit
+ ttl-zero-during-reassembly
+ parameter-problem
+ bad-header
+ unknown-header-type
+ unknown-option
+ echo-request
+ ping
+ echo-reply
+ pong
+ router-solicitation
+ router-advertisement
+ neighbour-solicitation
+ neighbor-solicitation
+ neighbour-advertisement
+ neighbor-advertisement )
+ echo -n ${array[@]}
+
+syntax:expression: exec "
+ array=(
+ destination-unreachable
+ no-route
+ communication-prohibited
+ address-unreachable
+ port-unreachable
+ packet-too-big
+ time-exceeded
+ ttl-zero-during-transit
+ ttl-zero-during-reassembly
+ parameter-problem
+ bad-header
+ unknown-header-type
+ unknown-option
+ echo-request
+ ping
+ echo-reply
+ pong
+ router-solicitation
+ router-advertisement
+ neighbour-solicitation
+ neighbor-solicitation
+ neighbour-advertisement
+ neighbor-advertisement )
+ len=${#array[*]}
+ i=0
+ while [ $i -lt $len ]; do
+ if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then
+ exit 0
+ fi
+ let i++
+ done
+
+ param=$VAR(@)
+ codepart=${param##*/}
+ if [ -z \"$codepart\" -o \"$codepart\" = \"$param\" ]; then
+ codepart=\"0\"
+ fi
+
+ typepart=${param%%/*}
+ if [ -z \"$typepart\" ]; then
+ echo \"Must specify ICMPv6 type\"
+ exit 1
+ fi
+
+ shopt -s extglob
+
+ leftover=${typepart##*([0-9])}
+ if [ -n \"$leftover\" ]; then
+ echo \"Invalid ICMPv6 type: $typepart\"
+ exit 1
+ fi
+
+ leftover=${codepart##*([0-9])}
+ if [ -n \"$leftover\" ]; then
+ echo \"Invalid ICMPv6 code: $codepart\"
+ exit 1
+ fi
+
+ if [ $typepart -lt 0 -o $typepart -gt 255 ]; then
+ echo \"ICMPv6 type must be between 0 and 255\"
+ exit 1
+ fi
+
+ if [ $codepart -lt 0 -o $codepart -gt 255 ]; then
+ echo \"ICMPv6 code must be between 0 and 255\"
+ exit 1
+ fi
+"
+
+
+
+
+
+
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
new file mode 100644
index 0000000..8d4bf12
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
@@ -0,0 +1 @@
+help: Match inbound IPsec packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def
new file mode 100644
index 0000000..cfcbc8a
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def
@@ -0,0 +1 @@
+help: Match inbound non-IPsec packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def
new file mode 100644
index 0000000..c905e2d
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def
@@ -0,0 +1 @@
+help: Set inbound IPsec packet matching
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
new file mode 100644
index 0000000..5023547
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
@@ -0,0 +1,3 @@
+type: txt; "firwall logging must be enable or disable"
+help: Set firewall logging
+syntax:expression: $VAR(@) in "enable", "disable"; "firwall logging must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def
new file mode 100644
index 0000000..b20f58c
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Set packet Differentiated Services Codepoint (DSCP)
+syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
+ "DSCP must be between 0 and 63"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def
new file mode 100644
index 0000000..0830b9b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set packet marking
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def
new file mode 100644
index 0000000..f629b92
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def
@@ -0,0 +1 @@
+help: Set packet modifications
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def
new file mode 100644
index 0000000..3359454
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def
@@ -0,0 +1 @@
+help: Match AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def
new file mode 100644
index 0000000..35c2182
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def
@@ -0,0 +1 @@
+help: Match AppleJuice application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
new file mode 100644
index 0000000..a6330de
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
@@ -0,0 +1 @@
+help: Match BitTorrent application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def
new file mode 100644
index 0000000..ab11805
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def
@@ -0,0 +1 @@
+help: Match Direct Connect application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def
new file mode 100644
index 0000000..25a97e5
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def
@@ -0,0 +1 @@
+help: Match eDonkey/eMule application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def
new file mode 100644
index 0000000..52d9d6c
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def
@@ -0,0 +1 @@
+help: Match Gnutella application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def
new file mode 100644
index 0000000..a6eab48
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def
@@ -0,0 +1 @@
+help: Match KaZaA application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def
new file mode 100644
index 0000000..9013fe5
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def
@@ -0,0 +1 @@
+help: Set P2P application packet matching
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..d43ffdd
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
@@ -0,0 +1,26 @@
+type: txt
+
+help: Set IPv6 protocol to match (protocol name, number, or "all")
+
+syntax:expression: exec "
+ param=$VAR(@)
+ if [ \"$param\" = \"icmpv6\" ]; then
+ exit 0
+ fi
+ /opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'
+ " ;
+ "invalid protocol \"$VAR(@)\""
+
+# Provide some help for command completion. Doesn't return negated
+# values or protocol numbers
+allowed:
+ protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'`
+ protos="all icmpv6 $protos"
+ echo -n $protos
+
+comp_help:Possible completions:
+ <text> An IPv6 protocol name (e.g. "tcp" or "udp")
+ <1-255> An IPv6 protocol number
+ all All IPv6 protocols
+ !<text> All IPv6 protocols except for the specified name
+ !<1-255> All IPv6 protocols except for the specified number \ No newline at end of file
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
new file mode 100644
index 0000000..a07010f
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set to N to only match source addresses seen more than N times
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def
new file mode 100644
index 0000000..e1be0a3
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def
@@ -0,0 +1 @@
+help: Set parameters for matching recently seen sources
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def
new file mode 100644
index 0000000..b84a0b7
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set to N to only match source addresses seen in the last N seconds
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..81f2b03
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def
@@ -0,0 +1,14 @@
+
+type: txt
+
+help: Set source IPv6 address, prefix or range to match
+
+comp_help: Possible completions:
+ <x:x:x:x:x:x:x:x> IPv6 address to match
+ <x:x:x:x:x:x:x:x>/<n> IPv6 prefix to match
+ <x:x:x:x:x:x>-<x:x:x:x:x:x> Range of IPv6 addresses
+ !<x:x:x:x:x:x:x:x> Everything except IPv6 address
+ !<x:x:x:x:x:x:x:x>/<n> Everything except IPv6 prefix
+ !<x:x:x:x:x:x>-<x:x:x:x:x:x> Everything except range
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)" \ No newline at end of file
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def
new file mode 100644
index 0000000..fd10e26
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set source MAC address
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 0000000..16ab3ad
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Set firewall source parameters
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def
new file mode 100644
index 0000000..e65cbfd
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set source port
+comp_help: Source port(s) can be specified as a comma-separated list of:
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def
new file mode 100644
index 0000000..802e35d
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set established state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def
new file mode 100644
index 0000000..ddba99f
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set invalid state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def
new file mode 100644
index 0000000..23854e7
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set new state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def
new file mode 100644
index 0000000..3b7b383
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def
@@ -0,0 +1 @@
+help: Set session state
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def
new file mode 100644
index 0000000..acddc3b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set related state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def
new file mode 100644
index 0000000..95f6a68
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def
@@ -0,0 +1,12 @@
+type: txt
+help: Set TCP flags to match
+syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \
+"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
+the SYN flag set, and the ACK, FIN and RST flags unset"
+
+comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
+the SYN flag set, and the ACK, FIN and RST flags unset
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def
new file mode 100644
index 0000000..636f4a2
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def
@@ -0,0 +1 @@
+help: Set tcp flags to match
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def
new file mode 100644
index 0000000..025a2a9
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set monthdays on which to apply rule
+syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
+"Incorrect value for monthdays. Monthdays should be specified as 2,12,21
+For negation, add ! in front eg. !2,12,21"
+
+comp_help: Format for monthdays - 2,12,21
+To negate add ! at the front eg. !2,12,21
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def
new file mode 100644
index 0000000..8061ba6
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def
@@ -0,0 +1 @@
+help: Set time during which to apply rule
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def
new file mode 100644
index 0000000..a971375
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Set to apply rule starting from specified date
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
+"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time
+of date with startdate, append 'T' to date followed by time in 24 hour notation
+hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to
+21st January 2009 with time 13:30:00"
+
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append
+'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
+value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def
new file mode 100644
index 0000000..46c68c2
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: Set to apply rule starting from specified time
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
+ "Incorrect value for starttime. Date should be entered using 24 hour notation - hh:mm:ss"
+
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def
new file mode 100644
index 0000000..c99dd7b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Set to apply rule till specified date
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
+"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time
+of date with stopdate, append 'T' to date followed by time in 24 hour notation
+hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to
+31st Jan 2009 with time 13:30:00"
+
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate,
+append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg
+stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def
new file mode 100644
index 0000000..0514e8b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set to apply rule till specified time
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
+ "Incorrect value for stoptime. Date should be entered using 24 hour notation - hh:mm:ss"
+
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
+
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def
new file mode 100644
index 0000000..68a0689
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def
@@ -0,0 +1 @@
+help: Set to interpret the times given for startdate, stopdate, starttime and stoptime to be UTC
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def
new file mode 100644
index 0000000..aea3e22
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def
@@ -0,0 +1,9 @@
+type: txt
+help: Set weekdays on which to apply rules on
+syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
+"Incorrect value for weekdays. Weekdays should be specified using the first
+three characters of the day with the first character capitalized eg. Mon,Thu,Sat
+For negation, add ! in front eg. !Mon,Thu,Sat"
+
+comp_help: Format for weekdays - Mon,Thu,Sat
+To negate add ! at the front eg. !Mon,Thu,Sat
diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def
index b82683d..60880c4 100644
--- a/templates/firewall/ipv6-name/node.def
+++ b/templates/firewall/ipv6-name/node.def
@@ -4,4 +4,4 @@ type: txt
syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
-help: Set firewall rule set name
+help: Set IPv6 firewall rule set name
diff --git a/templates/firewall/ipv6-name/node.tag/description/node.def b/templates/firewall/ipv6-name/node.tag/description/node.def
index d181e33..faa5b85 100644
--- a/templates/firewall/ipv6-name/node.tag/description/node.def
+++ b/templates/firewall/ipv6-name/node.tag/description/node.def
@@ -1,3 +1,3 @@
type: txt
-help: Set firewall description
+help: Set IPv6 firewall rule set description
diff --git a/templates/firewall/modify/node.def b/templates/firewall/modify/node.def
index 7e9046f..f01b306 100644
--- a/templates/firewall/modify/node.def
+++ b/templates/firewall/modify/node.def
@@ -4,4 +4,4 @@ type: txt
syntax:expression: pattern $VAR(@) "^[^-]" ; "Modify rule set name cannot start with \"-\""
-help: Set modify rule set name
+help: Set IPv4 modify rule set name
diff --git a/templates/firewall/modify/node.tag/description/node.def b/templates/firewall/modify/node.tag/description/node.def
index fbf2144..ee0a94c 100644
--- a/templates/firewall/modify/node.tag/description/node.def
+++ b/templates/firewall/modify/node.tag/description/node.def
@@ -1,3 +1,3 @@
type: txt
-help: Set modify rule set description
+help: Set IPv4 modify rule set description
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index b82683d..628d014 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -4,4 +4,4 @@ type: txt
syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
-help: Set firewall rule set name
+help: Set IPv4 firewall rule set name
diff --git a/templates/firewall/name/node.tag/description/node.def b/templates/firewall/name/node.tag/description/node.def
index d181e33..f56909a 100644
--- a/templates/firewall/name/node.tag/description/node.def
+++ b/templates/firewall/name/node.tag/description/node.def
@@ -1,3 +1,3 @@
type: txt
-help: Set firewall description
+help: Set IPv4 firewall rule set description