authorRobert Bays <robert@vyatta.com>2012-06-26 13:32:41 -0700
committerRobert Bays <robert@vyatta.com>2012-09-03 10:18:38 -0700
commitf3207bc0f15c9b94ed86c117e48c85c398dec8ea (patch)
tree50f9f82fbe0d92bcb275598968573296d56ad11a /templates
parent0da6be07418ae3f821368aa54adcd7913a2fc7b3 (diff)
initial checkin for pbr functionality
Diffstat (limited to 'templates')
-rw-r--r--templates/firewall/ipv6-modify/node.tag/default-action/node.def11
-rw-r--r--templates/firewall/ipv6-modify/node.tag/description/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.def9
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def12
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def2
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def1
-rw-r--r--templates/firewall/ipv6-name/node.def8
-rw-r--r--templates/firewall/modify/node.tag/default-action/node.def11
-rw-r--r--templates/firewall/modify/node.tag/description/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.def9
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/action/node.def10
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def2
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def1
-rw-r--r--templates/firewall/name/node.def8
-rw-r--r--templates/policy/ipv6-route/node.def (renamed from templates/firewall/ipv6-modify/node.def)20
-rw-r--r--templates/policy/ipv6-route/node.tag/description/node.def3
-rw-r--r--templates/policy/ipv6-route/node.tag/enable-default-log/node.def (renamed from templates/firewall/modify/node.tag/enable-default-log/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.def9
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def10
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def)8
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def3
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def4
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def)8
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def)2
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def)0
-rw-r--r--templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def)0
-rw-r--r--templates/policy/route/node.def (renamed from templates/firewall/modify/node.def)22
-rw-r--r--templates/policy/route/node.tag/description/node.def3
-rw-r--r--templates/policy/route/node.tag/enable-default-log/node.def1
-rw-r--r--templates/policy/route/node.tag/rule/node.def9
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/action/node.def10
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/description/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/description/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/destination/address/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/destination/group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/destination/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/destination/port/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/disable/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/disable/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/fragment/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/icmp/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/ipsec/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/limit/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/limit/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/log/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/log/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/protocol/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def)1
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/recent/count/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/recent/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/recent/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/recent/time/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/set/mark/node.def3
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/set/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/modify/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/set/table/node.def4
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/source/address/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/source/group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/source/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/source/port/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/state/established/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/state/new/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/state/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/state/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/state/related/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/tcp/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/time/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def)2
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/time/utc/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def)0
-rw-r--r--templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def)0
136 files changed, 99 insertions, 128 deletions
diff --git a/templates/firewall/ipv6-modify/node.tag/default-action/node.def b/templates/firewall/ipv6-modify/node.tag/default-action/node.def
deleted file mode 100644
index c4e73f6..0000000
--- a/templates/firewall/ipv6-modify/node.tag/default-action/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-
-help: Default-action for rule-set
-
-default: "drop"
-
-syntax:expression: $VAR(@) in "drop", "accept";
- "default-action must be either drop or accept"
-
-val_help: drop; Drop if no prior rules are hit (default)
-val_help: accept; Accept if no prior rules are hit
diff --git a/templates/firewall/ipv6-modify/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/description/node.def
deleted file mode 100644
index e8e221b..0000000
--- a/templates/firewall/ipv6-modify/node.tag/description/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-
-help: Rule-set description
diff --git a/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def b/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def
deleted file mode 100644
index e540d3f..0000000
--- a/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Option to log packets hitting default-action
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.def
deleted file mode 100644
index c31dfbd..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.def
+++ /dev/null
@@ -1,9 +0,0 @@
-tag:
-
-type: u32
-
-help: Rule number (1-9999)
-
-syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "firewall rule number must be between 1 and 9999"
-
-val_help: u32:1-9999; Rule number
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
deleted file mode 100644
index 59b404a..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-type: txt
-
-help: Rule action
-
-syntax:expression: $VAR(@) in "drop", "accept", "modify";
- "action must be one of drop, accept, or modify"
-
-allowed: echo "drop accept modify"
-
-val_help: drop; Rule action to drop
-val_help: accept; Rule action to accept
-val_help: modify; Rule action to modify
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def
deleted file mode 100644
index 0776b34..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: u32
-help: Packet marking
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def
deleted file mode 100644
index bd61a90..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def
deleted file mode 100644
index 8e9f704..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: AppleJuice application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
deleted file mode 100644
index 1a56963..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: BitTorrent application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def
deleted file mode 100644
index eb84108..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Direct Connect application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def
deleted file mode 100644
index 255e618..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: eDonkey/eMule application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def
deleted file mode 100644
index f21b60b..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Gnutella application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def
deleted file mode 100644
index 44c3156..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: KaZaA application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def
deleted file mode 100644
index 5959d3d..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: P2P application packets
diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def
index 0eb53f7..3501d9b 100644
--- a/templates/firewall/ipv6-name/node.def
+++ b/templates/firewall/ipv6-name/node.def
@@ -12,19 +12,19 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
"Firewall rule set name cannot start with 'VZONE'"
-end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules ipv6-name "$VAR(@)" ;
+end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall ipv6-name" "$VAR(@)" ;
then
if [ ${COMMIT_ACTION} = 'DELETE' ] ;
then
- if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok ipv6-name ;
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall ipv6-name" ;
then
- sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown ipv6-name
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name"
fi
fi
else
exit 1;
fi
-create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables ipv6-name
+create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "firewall ipv6-name"
help: IPv6 firewall rule-set name
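Review bot: The rule-set name still reaches a `sudo` command as `"$VAR(@)"` on the changed `end:` line, guarded only by the deny-list pattern `^[^|;&$<>]*$` shown in the hunk header, which does not exclude backticks, double quotes or backslashes. If the template engine substitutes `$VAR(@)` textually before the shell parses the `end:` block (to be confirmed against the config backend), such a name could change the command that runs as root. An allow-list check such as `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9][A-Za-z0-9_.-]*$"` would be safer than listing forbidden characters. The same applies to the `templates/firewall/name/node.def` hunks, and the `templates/policy/ipv6-route/node.def` hunk keeps an even narrower `^[^;]*$` check. The `end:` block and the remaining syntax expressions start outside this hunk.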
diff --git a/templates/firewall/modify/node.tag/default-action/node.def b/templates/firewall/modify/node.tag/default-action/node.def
deleted file mode 100644
index c4e73f6..0000000
--- a/templates/firewall/modify/node.tag/default-action/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-
-help: Default-action for rule-set
-
-default: "drop"
-
-syntax:expression: $VAR(@) in "drop", "accept";
- "default-action must be either drop or accept"
-
-val_help: drop; Drop if no prior rules are hit (default)
-val_help: accept; Accept if no prior rules are hit
diff --git a/templates/firewall/modify/node.tag/description/node.def b/templates/firewall/modify/node.tag/description/node.def
deleted file mode 100644
index e8e221b..0000000
--- a/templates/firewall/modify/node.tag/description/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-
-help: Rule-set description
diff --git a/templates/firewall/modify/node.tag/rule/node.def b/templates/firewall/modify/node.tag/rule/node.def
deleted file mode 100644
index 661e943..0000000
--- a/templates/firewall/modify/node.tag/rule/node.def
+++ /dev/null
@@ -1,9 +0,0 @@
-tag:
-
-type: u32
-
-help: Rule number (1-9999)
-
-syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "modify rule number must be between 1 and 9999"
-
-val_help: u32:1-9999; Rule number
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/modify/node.tag/rule/node.tag/action/node.def
deleted file mode 100644
index 20cf5bb..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/action/node.def
+++ /dev/null
@@ -1,10 +0,0 @@
-type: txt
-help: Rule action
-syntax:expression: $VAR(@) in "drop", "accept", "modify";
- "action must be one of drop, accept, or modify"
-
-allowed: echo "drop accept modify"
-
-val_help: drop; Rule action to drop
-val_help: accept; Rule action to accept
-val_help: modify; Rule action to modify
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def
deleted file mode 100644
index 0776b34..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: u32
-help: Packet marking
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def
deleted file mode 100644
index bd61a90..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def
deleted file mode 100644
index 8e9f704..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: AppleJuice application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
deleted file mode 100644
index 1a56963..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: BitTorrent application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def
deleted file mode 100644
index eb84108..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Direct Connect application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def
deleted file mode 100644
index 255e618..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: eDonkey/eMule application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def
deleted file mode 100644
index f21b60b..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Gnutella application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def
deleted file mode 100644
index 44c3156..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: KaZaA application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def
deleted file mode 100644
index 5959d3d..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: P2P application packets
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index e8be1cd..0c3c096 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -12,13 +12,13 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
"Firewall rule set name cannot start with 'VZONE'"
-end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules name "$VAR(@)" ;
+end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall name" "$VAR(@)" ;
then
if [ ${COMMIT_ACTION} = 'DELETE' ] ;
then
- if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok name ;
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall name" ;
then
- sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown name
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall name"
fi
fi
else
@@ -26,6 +26,6 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules name "$VAR(@)" ;
fi
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
-create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables name
+create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables "firewall name"
help: IPv4 firewall rule-set name
diff --git a/templates/firewall/ipv6-modify/node.def b/templates/policy/ipv6-route/node.def
index 035ddd1..08b4f4a 100644
--- a/templates/firewall/ipv6-modify/node.def
+++ b/templates/policy/ipv6-route/node.def
@@ -4,27 +4,27 @@ priority: 210
type: txt
syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \
- "Firewall name must be 28 characters or less"
+ "Policy ipv6-route rule set name must be 28 characters or less"
syntax:expression: pattern $VAR(@) "^[^-]" ; \
- "Firewall rule set name cannot start with \"-\""
+ "Policy ipv6-route rule set name cannot start with \"-\""
syntax:expression: pattern $VAR(@) "^[^;]*$" ; \
- "Firewall rule set name cannot contain ';'"
+ "Policy ipv6-route rule set name cannot contain ';'"
syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
- "Firewall rule set name cannot start with 'VZONE'"
+ "Policy ipv6-route rule set name cannot start with 'VZONE'"
-end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules ipv6-modify "$VAR(@)" ;
+end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "policy ipv6-route" "$VAR(@)" ;
then
- if [ ${COMMIT_ACTION} = 'DELETE' ] ;
+ if [ ${COMMIT_ACTION} = 'DELETE' ] ;
then
- if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok ipv6-modify ;
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "policy ipv6-route" ;
then
- sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown ipv6-modify
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "policy ipv6-route"
fi
fi
else
exit 1;
fi
-create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables ipv6-modify
+create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "policy ipv6-route"
-help: IPv6 modify rule-set name
+help: IPv6 policy route rule set name
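Review bot: The rule set name is placed into the `end:` command as `"$VAR(@)"`, but the checks here reject only `;`, a leading `-` and the `VZONE` prefix, while templates/firewall/name/node.def in this same commit filters `^[^|;&$<>]*$`. If the template engine substitutes the value into the command text before the shell parses it (not visible in this hunk), quote and substitution characters in a name would be interpreted by a command that runs under sudo. I would replace the `[[:print:]]` and `;` patterns with an allow-list such as `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9][A-Za-z0-9_.-]{0,27}$" ; \` and a matching message. The same weak filter is carried into templates/policy/route/node.def.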
diff --git a/templates/policy/ipv6-route/node.tag/description/node.def b/templates/policy/ipv6-route/node.tag/description/node.def
new file mode 100644
index 0000000..ceeca5d
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Policy ipv6-route rule set description
diff --git a/templates/firewall/modify/node.tag/enable-default-log/node.def b/templates/policy/ipv6-route/node.tag/enable-default-log/node.def
index 697719d..697719d 100644
--- a/templates/firewall/modify/node.tag/enable-default-log/node.def
+++ b/templates/policy/ipv6-route/node.tag/enable-default-log/node.def
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.def b/templates/policy/ipv6-route/node.tag/rule/node.def
new file mode 100644
index 0000000..d5f8461
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.def
@@ -0,0 +1,9 @@
+tag:
+
+type: u32
+
+help: Rule number (1-9999)
+
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "policy ipv6-route rule number must be between 1 and 9999"
+
+val_help: u32:1-9999; Rule number
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 0000000..10236f7
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Rule action
+
+syntax:expression: $VAR(@) in "drop";
+ "action must be drop"
+
+allowed: echo "drop"
+
+val_help: drop; Rule action to drop
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def
index 90bf88b..90bf88b 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def
index 2ace3b3..2ace3b3 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def
index dc227b7..dc227b7 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def
index 2b2d8c7..2b2d8c7 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def
index 70565eb..70565eb 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def
index 7032b30..7032b30 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def
index d11da4e..087c7ab 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def
@@ -125,10 +125,10 @@ syntax:expression: exec "
exit 1
fi
"
-
-
-
-
+
+
+
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
index 96ada47..96ada47 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def
index 2d717d5..2d717d5 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def
index 96ada47..96ada47 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def
index 9097370..9097370 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def
index 75460b1..75460b1 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def
index cd108f4..cd108f4 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def
index 891cbcf..891cbcf 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def
index 5225eee..5225eee 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def
index 69a4ebd..69a4ebd 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def
index 3acc871..3acc871 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def
index 9c49ed8..9c49ed8 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
index 3ed8f0d..3ed8f0d 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def
new file mode 100644
index 0000000..c8cb1b2
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def
@@ -0,0 +1,3 @@
+type: u32
+help: Packet marking
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 2147483647; "packet mark must be between 0 and 2,147,483,647"
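Review bot: The check `$VAR(@) > 0` rejects 0, while the message says the mark must be "between 0 and 2,147,483,647", so the two disagree. If 0 is not a usable mark here, change the message to `"packet mark must be between 1 and 2,147,483,647"`; otherwise use `$VAR(@) >= 0`. A `val_help: u32:1-2147483647; Packet marking` line would show the same range at the CLI, as the rule-number template does. templates/policy/route/node.tag/rule/node.tag/set/mark/node.def adds the identical line and needs the same correction.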
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def
index c61402f..c61402f 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def
new file mode 100644
index 0000000..dbde887
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Routing table to forward packet with
+syntax:expression: $VAR(@) >= 1 && $VAR(@) < 250;
+ "Table must be between 1 and 250"
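Review bot: `$VAR(@) < 250` rejects table 250, but the message says "Table must be between 1 and 250". Either make the bound inclusive with `$VAR(@) >= 1 && $VAR(@) <= 250;` or change the message to "Table must be between 1 and 249". Because this value selects the routing table a matched packet is forwarded with, the accepted range should be exact, and a `val_help:` line carrying it would document the limit at the CLI.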
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def
index 8d2248e..8d2248e 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def
index 2fe8a42..2fe8a42 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def
index 5519871..5519871 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def
index 84cdc1f..84cdc1f 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def
index adfae7a..adfae7a 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def
index a4f3120..a4f3120 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def
index dc6110d..dc6110d 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def
index 6ef1f7a..6ef1f7a 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def
index 0e38df4..0e38df4 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def
index 2364c31..2364c31 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def
index b86e707..b86e707 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def
index 66bc295..66bc295 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def
index 14c1d5c..14c1d5c 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def
index 238acd2..238acd2 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def
index 46f9eb9..250ed0f 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def
@@ -2,10 +2,10 @@ type: txt
help: Date to start matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time
-of date with startdate, append 'T' to date followed by time in 24 hour notation
-hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to
+of date with startdate, append 'T' to date followed by time in 24 hour notation
+hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to
21st January 2009 with time 13:30:00"
-comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append
-'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append
+'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def
index ab69c45..ab69c45 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def
index 93fc8b6..93fc8b6 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def
index 4a42ca3..b108175 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def
@@ -3,6 +3,6 @@ help: Time of day to stop matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
"Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss"
-comp_help: Enter time using using 24 hour notation - hh:mm:ss
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def
index 167f191..167f191 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def
index dd2649b..dd2649b 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def
diff --git a/templates/firewall/modify/node.def b/templates/policy/route/node.def
index 640a89c..edfd75b 100644
--- a/templates/firewall/modify/node.def
+++ b/templates/policy/route/node.def
@@ -1,24 +1,24 @@
tag:
-priority: 210
+priority: 471
type: txt
syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \
- "Firewall name must be 28 characters or less"
+ "Policy route rule set name must be 28 characters or less"
syntax:expression: pattern $VAR(@) "^[^-]" ; \
- "Firewall rule set name cannot start with \"-\""
+ "Policy route rule set name cannot start with \"-\""
syntax:expression: pattern $VAR(@) "^[^;]*$" ; \
- "Firewall rule set name cannot contain ';'"
+ "Policy route rule set name cannot contain ';'"
syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
- "Firewall rule set name cannot start with 'VZONE'"
+ "Policy route rule set name cannot start with 'VZONE'"
-end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules modify "$VAR(@)" ;
+end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "policy route" "$VAR(@)" ;
then
- if [ ${COMMIT_ACTION} = 'DELETE' ] ;
+ if [ ${COMMIT_ACTION} = 'DELETE' ] ;
then
- if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok modify ;
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "policy route" ;
then
- sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown modify
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "policy route"
fi
fi
else
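Review bot: `priority: 471` is set only in this template; templates/policy/ipv6-route/node.def appears to keep `priority: 210`, since its only hunk starts at line 4 and shows `priority: 210` as context. If the move to 471 is needed so that policy route rule sets are committed after the nodes they depend on, the IPv6 template probably needs the same value. If the difference is intended, the reason should be recorded in the commit description, because commit ordering decides when these rules are installed relative to the rest of the configuration.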
@@ -26,6 +26,6 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules modify "$VAR(@)"
fi
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
-create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables modify
+create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables "policy route"
-help: IPv4 modify rule-set name
+help: Policy route rule set name
diff --git a/templates/policy/route/node.tag/description/node.def b/templates/policy/route/node.tag/description/node.def
new file mode 100644
index 0000000..6e49257
--- /dev/null
+++ b/templates/policy/route/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Policy route rule set description
diff --git a/templates/policy/route/node.tag/enable-default-log/node.def b/templates/policy/route/node.tag/enable-default-log/node.def
new file mode 100644
index 0000000..697719d
--- /dev/null
+++ b/templates/policy/route/node.tag/enable-default-log/node.def
@@ -0,0 +1 @@
+help: Option to log packets hitting default-action
diff --git a/templates/policy/route/node.tag/rule/node.def b/templates/policy/route/node.tag/rule/node.def
new file mode 100644
index 0000000..f06c3a5
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.def
@@ -0,0 +1,9 @@
+tag:
+
+type: u32
+
+help: Rule number (1-9999)
+
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "policy route rule number must be between 1 and 9999"
+
+val_help: u32:1-9999; Rule number
diff --git a/templates/policy/route/node.tag/rule/node.tag/action/node.def b/templates/policy/route/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 0000000..a244a4c
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Rule action
+
+syntax:expression: $VAR(@) in "drop";
+ "action must be drop"
+
+allowed: echo "drop modify"
+
+val_help: drop ; Rule action to drop
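Review bot: `allowed: echo "drop modify"` offers `modify` at completion, but the check `$VAR(@) in "drop"` accepts only `drop`, so a completed value fails validation. The ipv6-route action template added in this commit echoes only "drop"; use `allowed: echo "drop"` here as well. If `modify` is meant to be a valid action, extend the `in` list, the error message and `val_help` instead.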
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/description/node.def b/templates/policy/route/node.tag/rule/node.tag/description/node.def
index dd2f535..dd2f535 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/description/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/description/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/address/node.def
index f142aba..f142aba 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/address/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def
index 07e791c..07e791c 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def
index bf018a0..bf018a0 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/node.def
index bb11dae..bb11dae 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def
index 865d2c5..865d2c5 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/node.def
index dc227b7..dc227b7 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/port/node.def
index 3299c9a..3299c9a 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/port/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/disable/node.def b/templates/policy/route/node.tag/rule/node.tag/disable/node.def
index 70565eb..70565eb 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/disable/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/disable/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def b/templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def
index 2f830a1..2f830a1 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def b/templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def
index 3590869..3590869 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def b/templates/policy/route/node.tag/rule/node.tag/fragment/node.def
index c3d9f02..c3d9f02 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/fragment/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def
index b102b99..b102b99 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/node.def
index 33a8e89..33a8e89 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/icmp/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def
index b71c23a..b71c23a 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def
index 9d879e1..9d879e1 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
index 96ada47..96ada47 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def
index 2d717d5..2d717d5 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def b/templates/policy/route/node.tag/rule/node.tag/ipsec/node.def
index 96ada47..96ada47 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/ipsec/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def
index 9097370..9097370 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def b/templates/policy/route/node.tag/rule/node.tag/limit/node.def
index 75460b1..75460b1 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/limit/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def
index cd108f4..cd108f4 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/log/node.def b/templates/policy/route/node.tag/rule/node.tag/log/node.def
index 891cbcf..891cbcf 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/log/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/log/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def b/templates/policy/route/node.tag/rule/node.tag/protocol/node.def
index c456f95..6e0e9a6 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/protocol/node.def
@@ -1,4 +1,5 @@
type: txt
+
help: Protocol to match (protocol name in /etc/protocols or protocol number or "all")
val_help: txt; IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def b/templates/policy/route/node.tag/rule/node.tag/recent/count/node.def
index defd974..defd974 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/recent/count/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/node.def b/templates/policy/route/node.tag/rule/node.tag/recent/node.def
index 3acc871..3acc871 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/recent/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/recent/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def b/templates/policy/route/node.tag/rule/node.tag/recent/time/node.def
index 9c49ed8..9c49ed8 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/recent/time/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def
index 3ed8f0d..3ed8f0d 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def
diff --git a/templates/policy/route/node.tag/rule/node.tag/set/mark/node.def b/templates/policy/route/node.tag/rule/node.tag/set/mark/node.def
new file mode 100644
index 0000000..c8cb1b2
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/set/mark/node.def
@@ -0,0 +1,3 @@
+type: u32
+help: Packet marking
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 2147483647; "packet mark must be between 0 and 2,147,483,647"
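Review bot: The validation message on the `syntax:expression` line in set/mark/node.def contradicts the check it belongs to: `$VAR(@) > 0` rejects 0, yet the text says the mark "must be between 0 and 2,147,483,647". If excluding 0 is intended (presumably because 0 is indistinguishable from an unmarked packet), the message should read `"packet mark must be between 1 and 2,147,483,647"`. Adding `val_help: u32:1-2147483647; Packet mark` would also show the accepted range in completion help, so the operator sees it before commit rather than after a rejection.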
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/node.def b/templates/policy/route/node.tag/rule/node.tag/set/node.def
index c61402f..c61402f 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/modify/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/set/node.def
diff --git a/templates/policy/route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def
new file mode 100644
index 0000000..dbde887
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Routing table to forward packet with
+syntax:expression: $VAR(@) >= 1 && $VAR(@) < 250;
+ "Table must be between 1 and 250"
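Review bot: The range check in set/table/node.def and its message disagree at the upper bound: `$VAR(@) < 250` rejects 250, while the message says "Table must be between 1 and 250". Align them, either with `syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 250;` or with the message `"Table must be between 1 and 249"`. This value selects the routing table that matched traffic is forwarded with, so the accepted range should be exact and stay below the kernel's reserved tables (253 default, 254 main, 255 local). The message is also on a continuation line without the trailing `\` used by the stoptime template in this same commit; it is worth confirming that the template parser attaches it to the expression.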
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def b/templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def
index 7a61966..7a61966 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def b/templates/policy/route/node.tag/rule/node.tag/source/address/node.def
index 72d6a17..72d6a17 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/address/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def
index 97c748d..97c748d 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def
index bf018a0..bf018a0 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/node.def
index 7b36071..7b36071 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def
index 865d2c5..865d2c5 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def
index 5519871..5519871 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/node.def b/templates/policy/route/node.tag/rule/node.tag/source/node.def
index 84cdc1f..84cdc1f 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def b/templates/policy/route/node.tag/rule/node.tag/source/port/node.def
index adfae7a..adfae7a 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/port/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def b/templates/policy/route/node.tag/rule/node.tag/state/established/node.def
index a4f3120..a4f3120 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/state/established/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def
index dc6110d..dc6110d 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def b/templates/policy/route/node.tag/rule/node.tag/state/new/node.def
index 6ef1f7a..6ef1f7a 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/state/new/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/node.def b/templates/policy/route/node.tag/rule/node.tag/state/node.def
index 0e38df4..0e38df4 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/state/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def b/templates/policy/route/node.tag/rule/node.tag/state/related/node.def
index 2364c31..2364c31 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/state/related/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def
index b86e707..b86e707 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def b/templates/policy/route/node.tag/rule/node.tag/tcp/node.def
index 66bc295..66bc295 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/tcp/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def
index 14c1d5c..14c1d5c 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def b/templates/policy/route/node.tag/rule/node.tag/time/node.def
index 238acd2..238acd2 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def
index 25e02e8..25e02e8 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def
index ab69c45..ab69c45 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def
index 8fdf6e0..8fdf6e0 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def
index 4a42ca3..b108175 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def
@@ -3,6 +3,6 @@ help: Time of day to stop matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
"Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss"
-comp_help: Enter time using using 24 hour notation - hh:mm:ss
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def b/templates/policy/route/node.tag/rule/node.tag/time/utc/node.def
index 89c17f7..89c17f7 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/utc/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def
index dd2649b..dd2649b 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def