Add "ipv6-modify" firewall configuration sub-tree.

55 files changed, 354 insertions, 6 deletions

diff --git a/templates/firewall/ipv6-modify/node.def b/templates/firewall/ipv6-modify/node.def
new file mode 100644
index 0000000..c0c324d
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.def
@@ -0,0 +1,7 @@
+tag:
+
+type: txt
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
+
+help: Set IPv6 modify rule set name
diff --git a/templates/firewall/ipv6-modify/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/description/node.def
new file mode 100644
index 0000000..cbd090b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Set IPv6 modify rule set description
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.def
new file mode 100644
index 0000000..674abd2
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.def
@@ -0,0 +1,7 @@
+tag:
+
+type: u32
+
+help: Set IPv6 modify rule number (1-1024)
+
+syntax:expression: $VAR(@) > 0 && $VAR(@) < 1025; "firewall rule number must be between 1 and 1024"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 0000000..ac60488
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,6 @@
+type:  txt
+
+help: Set firewall rule action
+
+syntax:expression: $VAR(@) in "drop", "reject", "accept", "modify";
+                   "action must be one of drop, reject, accept, or modify"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 0000000..b49b91e
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Set rule description
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..5c7f5e9
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def
@@ -0,0 +1,14 @@
+type: txt
+
+help: Set source IPv6 address, prefix or range to match
+
+comp_help: Possible completions:
+  <x:x:x:x:x:x:x:x>             IPv6 address to match
+  <x:x:x:x:x:x:x:x>/<n>         IPv6 prefix to match
+  <x:x:x:x:x:x>-<x:x:x:x:x:x>   Range of IPv6 addresses
+  !<x:x:x:x:x:x:x:x>            Everything except IPv6 address
+  !<x:x:x:x:x:x:x:x>/<n>        Everything except IPv6 prefix
+  !<x:x:x:x:x:x>-<x:x:x:x:x:x>  Everything except range
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)"
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def
new file mode 100644
index 0000000..500e0bb
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: Set firewall destination parameters
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def
new file mode 100644
index 0000000..b292864
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Set destination port
+
+comp_help: Destination port(s) can be specified as a comma-separated list of:
+  <port name>           Named port (any name in /etc/services, e.g., http)
+  <1-65535>             Numbered port
+  <start>-<end>         Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+  '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def
new file mode 100644
index 0000000..498a027
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def
@@ -0,0 +1 @@
+help: Set firewall rule disabled
\ No newline at end of file
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def
new file mode 100644
index 0000000..d4dc9c0
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def
@@ -0,0 +1 @@
+help: Set rule ICMPv6 type and code information
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def
new file mode 100644
index 0000000..13ff654
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def
@@ -0,0 +1,135 @@
+type: txt
+
+help: Set ICMPv6 type/code
+
+comp_help: Possible completions:
+  destination-unreachable       ICMPv6 type/code name
+   no-route                     ICMPv6 type/code name
+   communication-prohibited     ICMPv6 type/code name
+   address-unreachable          ICMPv6 type/code name
+   port-unreachable             ICMPv6 type/code name
+  packet-too-big                ICMPv6 type/code name
+  time-exceeded                 ICMPv6 type/code name
+   ttl-zero-during-transit      ICMPv6 type/code name
+   ttl-zero-during-reassembly   ICMPv6 type/code name
+  parameter-problem             ICMPv6 type/code name
+   bad-header                   ICMPv6 type/code name
+   unknown-header-type          ICMPv6 type/code name
+   unknown-option               ICMPv6 type/code name
+  echo-request                  ICMPv6 type/code name
+  ping                          ICMPv6 type/code name
+  echo-reply                    ICMPv6 type/code name
+  pong                          ICMPv6 type/code name
+  router-solicitation           ICMPv6 type/code name
+  router-advertisement          ICMPv6 type/code name
+  neighbour-solicitation        ICMPv6 type/code name
+  neighbor-solicitation         ICMPv6 type/code name
+  neighbour-advertisement       ICMPv6 type/code name
+  neighbor-advertisement        ICMPv6 type/code name
+  <0 - 255>                     ICMPv6 type number
+  <0 - 255>/<0 - 255>           ICMPv6 type and code numbers
+
+allowed:
+        array=(
+        destination-unreachable
+           no-route
+           communication-prohibited
+           address-unreachable
+           port-unreachable
+        packet-too-big
+        time-exceeded
+           ttl-zero-during-transit
+           ttl-zero-during-reassembly
+        parameter-problem
+           bad-header
+           unknown-header-type
+           unknown-option
+        echo-request
+        ping
+        echo-reply
+        pong
+        router-solicitation
+        router-advertisement
+        neighbour-solicitation
+        neighbor-solicitation
+        neighbour-advertisement
+        neighbor-advertisement )
+	echo -n ${array[@]}
+
+syntax:expression: exec "
+        array=(
+        destination-unreachable
+           no-route
+           communication-prohibited
+           address-unreachable
+           port-unreachable
+        packet-too-big
+        time-exceeded
+           ttl-zero-during-transit
+           ttl-zero-during-reassembly
+        parameter-problem
+           bad-header
+           unknown-header-type
+           unknown-option
+        echo-request
+        ping
+        echo-reply
+        pong
+        router-solicitation
+        router-advertisement
+        neighbour-solicitation
+        neighbor-solicitation
+        neighbour-advertisement
+        neighbor-advertisement )
+        len=${#array[*]}
+        i=0
+        while [ $i -lt $len ]; do
+            if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then
+                exit 0
+            fi
+            let i++
+        done
+
+	param=$VAR(@)
+	codepart=${param##*/}
+	if [ -z \"$codepart\" -o \"$codepart\" = \"$param\" ]; then
+	    codepart=\"0\"
+	fi
+
+	typepart=${param%%/*}
+	if [ -z \"$typepart\" ]; then
+	    echo \"Must specify ICMPv6 type\"
+	    exit 1
+	fi
+
+	shopt -s extglob
+
+	leftover=${typepart##*([0-9])}
+	if [ -n \"$leftover\" ]; then
+	    echo \"Invalid ICMPv6 type: $typepart\"
+	    exit 1
+	fi
+
+	leftover=${codepart##*([0-9])}
+	if [ -n \"$leftover\" ]; then
+	    echo \"Invalid ICMPv6 code: $codepart\"
+	    exit 1
+	fi
+
+	if [ $typepart -lt 0 -o $typepart -gt 255 ]; then
+	    echo \"ICMPv6 type  must be between 0 and 255\"
+	    exit 1
+	fi
+
+	if [ $codepart -lt 0 -o $codepart -gt 255 ]; then
+	    echo \"ICMPv6 code must be between 0 and 255\"
+	    exit 1
+	fi
+"
+	
+
+	    
+
+
+	    
+	
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
new file mode 100644
index 0000000..8d4bf12
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
@@ -0,0 +1 @@
+help: Match inbound IPsec packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def
new file mode 100644
index 0000000..cfcbc8a
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def
@@ -0,0 +1 @@
+help: Match inbound non-IPsec packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def
new file mode 100644
index 0000000..c905e2d
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def
@@ -0,0 +1 @@
+help: Set inbound IPsec packet matching
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
new file mode 100644
index 0000000..5023547
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
@@ -0,0 +1,3 @@
+type: txt; "firwall logging must be enable or disable"
+help: Set firewall logging
+syntax:expression: $VAR(@) in "enable", "disable"; "firwall logging must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def
new file mode 100644
index 0000000..b20f58c
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Set packet Differentiated Services Codepoint (DSCP)
+syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
+                   "DSCP must be between 0 and 63"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def
new file mode 100644
index 0000000..0830b9b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set packet marking
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def
new file mode 100644
index 0000000..f629b92
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def
@@ -0,0 +1 @@
+help: Set packet modifications
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def
new file mode 100644
index 0000000..3359454
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def
@@ -0,0 +1 @@
+help: Match AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def
new file mode 100644
index 0000000..35c2182
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def
@@ -0,0 +1 @@
+help: Match AppleJuice application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
new file mode 100644
index 0000000..a6330de
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
@@ -0,0 +1 @@
+help: Match BitTorrent application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def
new file mode 100644
index 0000000..ab11805
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def
@@ -0,0 +1 @@
+help: Match Direct Connect application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def
new file mode 100644
index 0000000..25a97e5
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def
@@ -0,0 +1 @@
+help: Match eDonkey/eMule application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def
new file mode 100644
index 0000000..52d9d6c
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def
@@ -0,0 +1 @@
+help: Match Gnutella application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def
new file mode 100644
index 0000000..a6eab48
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def
@@ -0,0 +1 @@
+help: Match KaZaA application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def
new file mode 100644
index 0000000..9013fe5
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def
@@ -0,0 +1 @@
+help: Set P2P application packet matching
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..d43ffdd
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
@@ -0,0 +1,26 @@
+type: txt
+
+help: Set IPv6 protocol to match (protocol name, number, or "all")
+
+syntax:expression: exec "
+	param=$VAR(@)
+	if [ \"$param\" = \"icmpv6\" ]; then 
+	    exit 0
+	fi
+	/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'
+	" ;
+	"invalid protocol \"$VAR(@)\""
+
+# Provide some help for command completion.  Doesn't return negated
+# values or protocol numbers
+allowed:
+	protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'`
+	protos="all icmpv6 $protos"
+	echo -n $protos
+
+comp_help:Possible completions:
+  <text>        An IPv6 protocol name (e.g. "tcp" or "udp")
+  <1-255>       An IPv6 protocol number
+  all           All IPv6 protocols
+  !<text>       All IPv6 protocols except for the specified name
+  !<1-255>      All IPv6 protocols except for the specified number
\ No newline at end of file
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
new file mode 100644
index 0000000..a07010f
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set to N to only match source addresses seen more than N times
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def
new file mode 100644
index 0000000..e1be0a3
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def
@@ -0,0 +1 @@
+help: Set parameters for matching recently seen sources
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def
new file mode 100644
index 0000000..b84a0b7
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set to N to only match source addresses seen in the last N seconds
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..81f2b03
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def
@@ -0,0 +1,14 @@
+
+type: txt
+
+help: Set source IPv6 address, prefix or range to match
+
+comp_help: Possible completions:
+  <x:x:x:x:x:x:x:x>             IPv6 address to match
+  <x:x:x:x:x:x:x:x>/<n>         IPv6 prefix to match
+  <x:x:x:x:x:x>-<x:x:x:x:x:x>   Range of IPv6 addresses
+  !<x:x:x:x:x:x:x:x>            Everything except IPv6 address
+  !<x:x:x:x:x:x:x:x>/<n>        Everything except IPv6 prefix
+  !<x:x:x:x:x:x>-<x:x:x:x:x:x>  Everything except range
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)"
\ No newline at end of file
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def
new file mode 100644
index 0000000..fd10e26
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set source MAC address
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 0000000..16ab3ad
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Set firewall source parameters
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def
new file mode 100644
index 0000000..e65cbfd
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set source port
+comp_help: Source port(s) can be specified as a comma-separated list of:
+  <port name>           Named port (any name in /etc/services, e.g., http)
+  <1-65535>             Numbered port
+  <start>-<end>         Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+  '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def
new file mode 100644
index 0000000..802e35d
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set established state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def
new file mode 100644
index 0000000..ddba99f
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set invalid state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def
new file mode 100644
index 0000000..23854e7
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set new state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def
new file mode 100644
index 0000000..3b7b383
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def
@@ -0,0 +1 @@
+help: Set session state
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def
new file mode 100644
index 0000000..acddc3b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set related state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def
new file mode 100644
index 0000000..95f6a68
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def
@@ -0,0 +1,12 @@
+type: txt
+help: Set TCP flags to match
+syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \
+"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
+the SYN flag set, and the ACK, FIN and RST flags unset"
+
+comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
+the SYN flag set, and the ACK, FIN and RST flags unset
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def
new file mode 100644
index 0000000..636f4a2
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def
@@ -0,0 +1 @@
+help: Set tcp flags to match
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def
new file mode 100644
index 0000000..025a2a9
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set monthdays on which to apply rule
+syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
+"Incorrect value for monthdays. Monthdays should be specified as 2,12,21
+For negation, add ! in front eg. !2,12,21"
+
+comp_help: Format for monthdays - 2,12,21
+To negate add ! at the front eg. !2,12,21
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def
new file mode 100644
index 0000000..8061ba6
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def
@@ -0,0 +1 @@
+help: Set time during which to apply rule
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def
new file mode 100644
index 0000000..a971375
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Set to apply rule starting from specified date
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
+"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time
+of date with startdate, append 'T' to date followed by time in 24 hour notation 
+hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to 
+21st January 2009 with time 13:30:00"
+
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append 
+'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate 
+value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def
new file mode 100644
index 0000000..46c68c2
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: Set to apply rule starting from specified time
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
+                   "Incorrect value for starttime. Date should be entered using 24 hour notation - hh:mm:ss"
+
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def
new file mode 100644
index 0000000..c99dd7b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Set to apply rule till specified date
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
+"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time
+of date with stopdate, append 'T' to date followed by time in 24 hour notation
+hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to
+31st Jan 2009 with time 13:30:00"
+
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate,
+append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg
+stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def
new file mode 100644
index 0000000..0514e8b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set to apply rule till specified time
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
+                   "Incorrect value for stoptime. Date should be entered using 24 hour notation - hh:mm:ss"
+
+comp_help: Enter time using using 24 hour notation - hh:mm:ss 
+
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def
new file mode 100644
index 0000000..68a0689
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def
@@ -0,0 +1 @@
+help: Set to interpret the times given for startdate, stopdate, starttime and stoptime to be UTC
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def
new file mode 100644
index 0000000..aea3e22
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def
@@ -0,0 +1,9 @@
+type: txt
+help: Set weekdays on which to apply rules on
+syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
+"Incorrect value for weekdays. Weekdays should be specified using the first
+three characters of the day with the first character capitalized eg. Mon,Thu,Sat
+For negation, add ! in front eg. !Mon,Thu,Sat"
+
+comp_help: Format for weekdays - Mon,Thu,Sat
+To negate add ! at the front eg. !Mon,Thu,Sat
diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def
index b82683d..60880c4 100644
--- a/templates/firewall/ipv6-name/node.def
+++ b/templates/firewall/ipv6-name/node.def
@@ -4,4 +4,4 @@ type: txt
 
 syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
 
-help: Set firewall rule set name
+help: Set IPv6 firewall rule set name
diff --git a/templates/firewall/ipv6-name/node.tag/description/node.def b/templates/firewall/ipv6-name/node.tag/description/node.def
index d181e33..faa5b85 100644
--- a/templates/firewall/ipv6-name/node.tag/description/node.def
+++ b/templates/firewall/ipv6-name/node.tag/description/node.def
@@ -1,3 +1,3 @@
 type: txt
 
-help: Set firewall description
+help: Set IPv6 firewall rule set description
diff --git a/templates/firewall/modify/node.def b/templates/firewall/modify/node.def
index 7e9046f..f01b306 100644
--- a/templates/firewall/modify/node.def
+++ b/templates/firewall/modify/node.def
@@ -4,4 +4,4 @@ type: txt
 
 syntax:expression: pattern $VAR(@) "^[^-]" ; "Modify rule set name cannot start with \"-\""
 
-help: Set modify rule set name
+help: Set IPv4 modify rule set name
diff --git a/templates/firewall/modify/node.tag/description/node.def b/templates/firewall/modify/node.tag/description/node.def
index fbf2144..ee0a94c 100644
--- a/templates/firewall/modify/node.tag/description/node.def
+++ b/templates/firewall/modify/node.tag/description/node.def
@@ -1,3 +1,3 @@
 type: txt
 
-help: Set modify rule set description
+help: Set IPv4 modify rule set description
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index b82683d..628d014 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -4,4 +4,4 @@ type: txt
 
 syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
 
-help: Set firewall rule set name
+help: Set IPv4 firewall rule set name
diff --git a/templates/firewall/name/node.tag/description/node.def b/templates/firewall/name/node.tag/description/node.def
index d181e33..f56909a 100644
--- a/templates/firewall/name/node.tag/description/node.def
+++ b/templates/firewall/name/node.tag/description/node.def
@@ -1,3 +1,3 @@
 type: txt
 
-help: Set firewall description
+help: Set IPv4 firewall rule set description