author | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-10-07 18:07:16 -0700
---|---|---
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-10-07 18:07:16 -0700
commit | 1f7bba17f9d53aad7810718ea26d8bbad405b309 (patch) |
tree | 5b3cef11c97d0bf39e51da049c1f8a21bdbe1cfc |
download | vyatta-zone-1f7bba17f9d53aad7810718ea26d8bbad405b309.tar.gz, vyatta-zone-1f7bba17f9d53aad7810718ea26d8bbad405b309.zip |

Initial release (debian/0.1)

28 files changed, 1872 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3c75a2e --- /dev/null +++ b/.gitignore @@ -0,0 +1,24 @@ +*~ +.*.swp +*.[oa] +*.l[oa] +*.so +*.libs +*.deps +.dirstamp +libtool +/aclocal.m4 +/autom4te.cache +/build-stamp +/config +/config.log +/config.guess +/config.status +/config.sub +/configure +/debian/files +/debian/*log +/debian/vyatta-zone +/INSTALL +/Makefile.in +/Makefile @@ -0,0 +1 @@ +eng@vyatta.com 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. 
+ + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/ChangeLog b/ChangeLog new file mode 120000 index 0000000..d526672 --- /dev/null +++ b/ChangeLog @@ -0,0 +1 @@ +debian/changelog
\ No newline at end of file diff --git a/Makefile.am b/Makefile.am new file mode 100644 index 0000000..dd54d4c --- /dev/null +++ b/Makefile.am @@ -0,0 +1,17 @@ +cfgdir = $(datadir)/vyatta-cfg/templates +opdir = $(datadir)/vyatta-op/templates +share_perl5dir = $(datarootdir)/perl5/Vyatta +bin_sudo_usersdir = $(bindir)/sudo-users + +sbin_SCRIPTS = scripts/vyatta-zone.pl + +share_perl5_DATA = lib/Vyatta/Zone.pm + +cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ + cpio -0pd + +install-exec-hook: + mkdir -p $(DESTDIR)$(cfgdir) + cd templates-cfg; $(cpiop) $(DESTDIR)$(cfgdir) + mkdir -p $(DESTDIR)$(opdir) + cd templates-op; $(cpiop) $(DESTDIR)$(opdir) @@ -0,0 +1 @@ +see http://www.vyatta.com/news/ @@ -0,0 +1,2 @@ +This package has the vyatta-zone system, including the configuration +cli and show commands. diff --git a/configure.ac b/configure.ac new file mode 100644 index 0000000..ca6c16f --- /dev/null +++ b/configure.ac @@ -0,0 +1,36 @@ +# Process this file with autoconf to produce a configure script. +AC_PREREQ(2.59) + +m4_define([VERSION_ID], [m4_esyscmd([ + if test -f .version ; then + head -n 1 .version | tr -d \\n + else + echo -n 2.4 + fi])]) +AC_INIT([vyatta-zone], VERSION_ID, [vyatta-support@vyatta.com]) + +test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION + +AC_CONFIG_AUX_DIR([config]) +AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects]) +AC_PREFIX_DEFAULT([/opt/vyatta]) + +AC_PROG_CC +AM_PROG_AS +AM_PROG_CC_C_O +AC_PROG_LIBTOOL +AC_PROG_LEX +AC_PROG_YACC + +AC_ARG_ENABLE([nostrip], + AC_HELP_STRING([--enable-nostrip], + [include -nostrip option during packaging]), + [NOSTRIP=-nostrip], [NOSTRIP=]) + +AC_CONFIG_FILES( + [Makefile]) + +AC_SUBST(NOSTRIP) + +AC_OUTPUT + diff --git a/debian/README b/debian/README new file mode 100644 index 0000000..fcac669 --- /dev/null +++ b/debian/README 
@@ -0,0 +1,7 @@ +The Debian Package vyatta-zone +------------------------------ + +This package contains the vyatta zone-policy project developed by vyatta. This +package includes the programs, plus cli operational and commands. + + -- Mohit Mehta <mohit@vyatta.com> Thu, 07 Oct 2010 diff --git a/debian/autogen.sh b/debian/autogen.sh new file mode 100755 index 0000000..adb6d1c --- /dev/null +++ b/debian/autogen.sh @@ -0,0 +1,11 @@ +#!/bin/sh + + +rm -rf config +rm -f aclocal.m4 config.guess config.status config.sub configure INSTALL + +autoreconf --force --install + +rm -f config.sub config.guess +ln -s /usr/share/misc/config.sub . +ln -s /usr/share/misc/config.guess . diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..7ed6ff8 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +5 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..95ca4b5 --- /dev/null +++ b/debian/control @@ -0,0 +1,20 @@ +Source: vyatta-zone +Section: contrib/net +Priority: extra +Maintainer: Vyatta Package Maintainers <maintainers@vyatta.com> +Build-Depends: debhelper (>= 5), + autotools-dev, +Standards-Version: 3.7.2 + +Package: vyatta-zone +Architecture: all +Depends: perl (>= 5.8.8), + vyatta-bash | bash (>= 3.1), + vyatta-cfg, + vyatta-cfg-firewall, + vyatta-idp-snort +Replaces: vyatta-cfg, + vyatta-cfg-system +Description: The vyatta-zone package + This package has the vyatta zone-policy programs, and + configuration/operational templates and scripts. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..e76762e --- /dev/null +++ b/debian/copyright @@ -0,0 +1,15 @@ +This package was debianized by Mohit Mehta <mohit@vyatta.com> on +Thu Oct 7 15:06:32 PDT 2010 + +It's original content from the GIT repository +<http://git.vyatta.com/git/vyatta-zone> + +Upstream Author: + + <eng@vyatta.com> + +Copyright: + + Copyright (C) 2010 Vyatta, Inc. + All Rights Reserved. + 
diff --git a/debian/docs b/debian/docs new file mode 100644 index 0000000..50bd824 --- /dev/null +++ b/debian/docs @@ -0,0 +1,2 @@ +NEWS +README diff --git a/debian/lintian b/debian/lintian new file mode 100644 index 0000000..c9b27f0 --- /dev/null +++ b/debian/lintian @@ -0,0 +1,2 @@ +vyatta-zone: file-in-unusual-dir +vyatta-zone: dir-or-file-in-opt diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..f43d6fc --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,105 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +export DEB_BUILD_HARDENING=1 + +# These are used for cross-compiling and for saving the configure script +# from having to guess our platform (since we know it already) +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +PACKAGE=vyatta-zone +PKGDIR=$(CURDIR)/debian/$(PACKAGE) + +CFLAGS = -Wall -g + +configure = ./configure +configure += --host=$(DEB_HOST_GNU_TYPE) +configure += --build=$(DEB_BUILD_GNU_TYPE) +configure += --prefix=/opt/vyatta +configure += --mandir=\$${prefix}/share/man +configure += --infodir=\$${prefix}/share/info +configure += CFLAGS="$(CFLAGS)" + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif + +configure: configure.ac Makefile.am + chmod +x debian/autogen.sh + debian/autogen.sh + +config.status: configure + dh_testdir + rm -f config.cache + $(configure) + +build: build-stamp + +build-stamp: config.status + dh_testdir + $(MAKE) + touch $@ + +clean: clean-patched + +# Clean everything up, including everything auto-generated +# at build time that needs not to be kept around in the Debian diff +clean-patched: + dh_testdir + dh_testroot + if test -f Makefile ; then $(MAKE) clean distclean ; fi + rm -f build-stamp + rm -f config.status config.sub config.guess config.log + rm -f aclocal.m4 configure Makefile.in Makefile INSTALL + rm -rf config + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + $(MAKE) DESTDIR=$(PKGDIR) 
install + + install -D --mode=0644 debian/lintian $(PKGDIR)/usr/share/lintian/overrides/$(PACKAGE) + +# Build architecture-independent files here. +binary-indep: build install + rm -f debian/files + dh_testdir + dh_testroot + dh_installchangelogs ChangeLog + dh_installdocs + dh_install + dh_installdebconf + dh_link + dh_strip + dh_compress + dh_fixperms + dh_installdeb + if [ -f "../.VYATTA_DEV_BUILD" ]; then \ + dh_gencontrol -- -v999.dev; \ + else \ + dh_gencontrol; \ + fi + dh_md5sums + dh_builddeb + +# Build architecture-dependent files here. +binary-arch: build install +# This is an architecture independent package +# so; we have nothing to do by default. + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm new file mode 100755 index 0000000..b23bc74 --- /dev/null +++ b/lib/Vyatta/Zone.pm 
@@ -0,0 +1,216 @@ +# Module: Zone.pm +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Mohit Mehta +# Date: 2009 +# Description: vyatta zone management +# +# **** End License **** +# + +package Vyatta::Zone; + +use Vyatta::Config; +use Vyatta::Misc; +use Vyatta::Interface; + +use strict; +use warnings; + +my $debug="false"; +my $syslog="false"; +my $logger = 'sudo logger -t zone.pm -p local0.warn --'; + +sub run_cmd { + my $cmd = shift; + my $error = system("$cmd"); + + if ($syslog eq "true") { + my $func = (caller(1))[3]; + system("$logger [$func] [$cmd] = [$error]"); + } + if ($debug eq "true") { + my $func = (caller(1))[3]; + print "[$func] [$cmd] = [$error]\n"; + } + return $error; +} + +sub is_fwruleset_active { + my ($value_func, $ruleset_type, $fw_ruleset) = @_; + my $config = new Vyatta::Config; + return $config->$value_func("firewall $ruleset_type $fw_ruleset"); +} + +sub get_all_zones { + my $value_func = shift; + my $config = new Vyatta::Config; + return $config->$value_func("zone-policy zone"); +} + +sub get_zone_interfaces { + my ($value_func, $zone_name) = @_; + my $config = new Vyatta::Config; + return $config->$value_func("zone-policy zone $zone_name interface"); +} + +sub get_from_zones { + my ($value_func, $zone_name) = @_; + my $config = new Vyatta::Config; + return $config->$value_func("zone-policy zone $zone_name from"); +} + +sub get_firewall_ruleset { + my ($value_func, $zone_name, 
$from_zone, $firewall_type) = @_; + my $config = new Vyatta::Config; + return $config->$value_func("zone-policy zone $zone_name from $from_zone + firewall $firewall_type"); +} + +sub is_local_zone { + my ($value_func, $zone_name) = @_; + my $config = new Vyatta::Config; + return $config->$value_func("zone-policy zone $zone_name local-zone"); +} + +sub get_zone_default_policy { + my ($value_func, $zone_name) = @_; + my $config = new Vyatta::Config; + return $config->$value_func("zone-policy zone $zone_name default-action"); +} + +sub rule_exists { + my ($command, $table, $chain_name, $target, $interface) = @_; + my $cmd = + "sudo $command -t $table -L " . + "$chain_name -v 2>/dev/null | grep \" $target \" "; + if (defined $interface) { + $cmd .= "| grep \" $interface \" "; + } + $cmd .= "| wc -l"; + my $result = `$cmd`; + return $result; +} + +sub get_zone_chain { + my ($value_func, $zone, $localout) = @_; + my $chain = "VZONE_$zone"; + if (defined(is_local_zone($value_func, $zone))) { + # local zone + if (defined $localout) { + # local zone out chain + $chain .= "_OUT"; + } else { + # local zone in chain + $chain .= "_IN"; + } + } + return $chain; +} + +sub validity_checks { + my @all_zones = get_all_zones("listNodes"); + my @all_interfaces = (); + my $num_local_zones = 0; + my $returnstring; + foreach my $zone (@all_zones) { + # get all from zones, see if they exist in config, if not display error + my @from_zones = get_from_zones("listNodes", $zone); + foreach my $from_zone (@from_zones) { + if (scalar(grep(/^$from_zone$/, @all_zones)) == 0) { + $returnstring = "$from_zone is a from zone under zone $zone\n" . + "It is either not defined or deleted from config"; + return ($returnstring, ); + } + } + my @zone_intfs = get_zone_interfaces("returnValues", $zone); + if (scalar(@zone_intfs) == 0) { + # no interfaces defined for this zone + if (!defined(is_local_zone("exists", $zone))) { + $returnstring = "Zone $zone has no interfaces defined " . 
+ "and it's not a local-zone"; + return($returnstring, ); + } + # zone defined as a local-zone + my @zone_intfs_orig = get_zone_interfaces("returnOrigValues", $zone); + if (scalar(@zone_intfs_orig) != 0) { + # can't change change transit zone to local-zone on the fly + $returnstring = "Zone $zone is a transit zone. " . + "Cannot convert it to local-zone.\n" . + "Please define another zone to create local-zone"; + return($returnstring, ); + } + $num_local_zones++; + # make sure only one zone is a local-zone + if ($num_local_zones > 1) { + return ("Only one zone can be defined as a local-zone", ); + } + } else { + # zone has interfaces, make sure it is not set as a local-zone + if (defined(is_local_zone("exists", $zone))) { + $returnstring = "local-zone cannot have interfaces defined"; + return($returnstring, ); + } + # make sure you're not converting local-zone to transit zone either + if (defined(is_local_zone("existsOrig", $zone))) { + $returnstring = "Cannot convert local-zone $zone to transit zone" . + "\nPlease define another zone for it"; + return($returnstring, ); + } + foreach my $interface (@zone_intfs) { + # make sure zone features are not being used on zone interface + my $intf = new Vyatta::Interface($interface); + if ($intf) { + my $config = new Vyatta::Config; + $config->setLevel($intf->path()); + # make sure firewall is not applied to this interface + if ($config->exists("firewall in name") || + $config->exists("firewall out name") || + $config->exists("firewall local name") || + $config->exists("firewall in ipv6-name") || + $config->exists("firewall out ipv6-name") || + $config->exists("firewall local ipv6-name")) { + $returnstring = + "interface $interface has firewall rule-set " . 
+ "configured, cannot be defined under a zone"; + return($returnstring, ); + } + # make sure content-inspection is not applied to this interface + if ($config->exists("content-inspection in enable") || + $config->exists("content-inspection out enable") || + $config->exists("content-inspection local enable") || + $config->exists("content-inspection in ipv6-enable") || + $config->exists("content-inspection out ipv6-enable") || + $config->exists("content-inspection local ipv6-enable")) { + $returnstring = + "interface $interface has content-inspection " . + "configured, cannot be defined under a zone"; + return($returnstring, ); + } + } + # make sure an interface is not defined under two zones + if (scalar(grep(/^$interface$/, @all_interfaces)) > 0) { + return ("$interface defined under two zones", ); + } else { + push(@all_interfaces, $interface); + } + } + } + } + return; +} + +1; diff --git a/scripts/vyatta-zone.pl b/scripts/vyatta-zone.pl new file mode 100755 index 0000000..0c05842 --- /dev/null +++ b/scripts/vyatta-zone.pl 
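Review bot: in Vyatta::Zone (lib/Vyatta/Zone.pm, the hunk ending above) configuration values are used as patterns rather than as literals: validity_checks does `grep(/^$from_zone$/, @all_zones)` and `grep(/^$interface$/, @all_interfaces)`, and rule_exists pipes `grep " $target "` and `grep " $interface "` into a shell pipeline. A zone or ruleset name containing `.`, `*` or `+` (the zone-name template on this page allows any printable character except `;`) can therefore match a different name, so the "interface defined under two zones" check and the rule-exists check can both give the wrong answer. Use `/^\Q$from_zone\E$/` and `/^\Q$interface\E$/` in Perl and `grep -F` in the pipeline, or better, read the `-L` output once and match it in Perl instead of spawning `grep | grep | wc -l`. rule_exists also returns the raw `wc -l` string with its trailing newline; it works in the `< 1` comparisons, but a `chomp` and `return $result + 0` would make the contract explicit.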
@@ -0,0 +1,800 @@ +#!/usr/bin/perl +# +# Module: vyatta-zone.pl +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Mohit Mehta +# Date: April 2009 +# Description: Script for Zone Based Firewall +# +# **** End License **** +# + +use Getopt::Long; +use POSIX; + +use lib "/opt/vyatta/share/perl5"; +use Vyatta::Zone; +use Vyatta::IpTables::Mgr; + +use warnings; +use strict; + +# for future ease, when we add modify, these hashes will just be extended +# firewall mapping from config node to iptables command. +my %cmd_hash = ( 'name' => '/sbin/iptables', + 'ipv6-name' => '/sbin/ip6tables'); + +# firewall mapping from config node to iptables/ip6tables table +my %table_hash = ( 'name' => 'filter', + 'ipv6-name' => 'filter'); + +# mapping from vyatta 'default-policy' to iptables jump target +my %policy_hash = ( 'drop' => 'DROP', + 'reject' => 'REJECT' ); + +sub setup_default_policy { + my ($zone_name, $default_policy, $localoutchain) = @_; + my ($cmd, $error); + my $zone_chain=Vyatta::Zone::get_zone_chain("exists", + $zone_name, $localoutchain); + + # add default policy for zone chains in filter, ip6filter tables + foreach my $tree (keys %cmd_hash) { + + # set default policy for zone chain + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -A " . 
+ "$zone_chain -j $policy_hash{$default_policy}"; + $error = Vyatta::Zone::run_cmd("$cmd"); + return "Error: set default policy $zone_chain failed [$error]" if $error; + + my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree}, + $table_hash{$tree}, $zone_chain); + + # if there's a drop|reject rule at rule_cnt - 1 then remove that + # in zone chain a drop|reject target can only be for default policy + if ($rule_cnt > 1) { + my $penultimate_rule_num=$rule_cnt-1; + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " . + "-L $zone_chain $penultimate_rule_num -v | awk {'print \$3'}"; + my $target=`$cmd`; + chomp $target; + if (defined $target && ($target eq 'REJECT' || $target eq 'DROP')) { + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D " . + "$zone_chain $penultimate_rule_num"; + $error = Vyatta::Zone::run_cmd("$cmd"); + return "Error: delete rule $penultimate_rule_num with $target +in $zone_name chain failed [$error]" if $error; + } + } + } + return; +} + +sub create_zone_chain { + my ($zone_name, $localoutchain) = @_; + my ($cmd, $error); + my $zone_chain=Vyatta::Zone::get_zone_chain("exists", + $zone_name, $localoutchain); + + # create zone chains in filter, ip6filter tables + foreach my $tree (keys %cmd_hash) { + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " . 
+ "-L $zone_chain >&/dev/null"; + $error = Vyatta::Zone::run_cmd($cmd); + if ($error) { + # chain does not exist, go ahead create it + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -N $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: create $zone_name chain with failed [$error]" if $error; + } + } + + return; +} + +sub delete_zone_chain { + my ($zone_name, $localoutchain) = @_; + my ($cmd, $error); + my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", + $zone_name, $localoutchain); + # delete zone chains from filter, ip6filter tables + foreach my $tree (keys %cmd_hash) { + # flush all rules from zone chain + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -F $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: flush all rules in $zone_name chain failed [$error]" if $error; + + # delete zone chain + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -X $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: delete $zone_name chain failed [$error]" if $error; + } + return; +} + +sub insert_from_rule { + my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset, + $direction, $zone_chain) = @_; + my ($cmd, $error); + my $ruleset_name; + + if (defined $ruleset) { # called from node.def + $ruleset_name=$ruleset; + } else { # called from do_firewall_interface_zone() + $ruleset_name=Vyatta::Zone::get_firewall_ruleset("returnValue", + $zone_name, $from_zone, $ruleset_type); + } + + if (defined $ruleset_name) { + # get number of rules in ruleset_name + my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$ruleset_type}, + $table_hash{$ruleset_type}, "$zone_chain"); + # append rules before last drop all rule + my $insert_at_rule_num=1; + if ( $rule_cnt > 1 ) { + $insert_at_rule_num=$rule_cnt; + } + my $result = Vyatta::Zone::rule_exists ($cmd_hash{$ruleset_type}, + $table_hash{$ruleset_type}, "$zone_chain", $ruleset_name, $interface); + if ($result < 1) { + # append rule before drop 
rule to jump to ruleset for in\out interface + $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " . +"-I $zone_chain $insert_at_rule_num $direction $interface -j $ruleset_name"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: insert rule for $direction $interface into zone-chain +$zone_chain with target $ruleset_name failed [$error]" if $error; + + # insert the RETURN rule next + $insert_at_rule_num++; + $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " . + "-I $zone_chain $insert_at_rule_num $direction $interface -j RETURN"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: insert rule for $direction $interface into zone chain +$zone_chain with target RETURN failed [$error]" if $error; + } + } + + return; +} + + +sub add_fromzone_intf_ruleset { + my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset) = @_; + my $zone_chain=Vyatta::Zone::get_zone_chain("exists", $zone_name); + my $error = insert_from_rule ($zone_name, $from_zone, $interface, + $ruleset_type, $ruleset, '-i', $zone_chain); + return ($error, ) if $error; + return; +} + +sub add_fromlocalzone_ruleset { + my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset) = @_; + my $zone_chain=Vyatta::Zone::get_zone_chain("exists", $from_zone, "localout"); + + my $error = insert_from_rule ($zone_name, $from_zone, $interface, + $ruleset_type, $ruleset, '-o', $zone_chain); + return ($error, ) if $error; + + return; +} + +sub delete_from_rule { + + my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset, + $direction, $zone_chain) = @_; + my ($cmd, $error); + my $ruleset_name; + + if (defined $ruleset) { # called from node.def + $ruleset_name=$ruleset; + } else { # called from undo_firewall_interface_zone() + $ruleset_name=Vyatta::Zone::get_firewall_ruleset("returnOrigValue", + $zone_name, $from_zone, $ruleset_type); + } + + if (defined $ruleset_name) { + # delete rule to jump to ruleset for in|out interface in zone chain + $cmd = "sudo 
$cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " . + "-D $zone_chain $direction $interface -j $ruleset_name"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to delete rule for $direction $interface +in zone chain $zone_chain with target $ruleset_name failed [$error]" if $error; + + # delete RETURN rule for same interface + $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " . + "-D $zone_chain $direction $interface -j RETURN"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to delete rule for $direction $interface into zone +chain $zone_chain with target RETURN for $zone_name failed [$error]" if $error; + } + + return; +} + +sub delete_fromzone_intf_ruleset { + my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset) = @_; + my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", $zone_name); + my $error = delete_from_rule ($zone_name, $from_zone, $interface, + $ruleset_type, $ruleset, '-i', $zone_chain); + return ($error, ) if $error; + return; +} + +sub delete_fromlocalzone_ruleset { + my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset) = @_; + my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", + $from_zone, "localout"); + + my ($cmd, $error); + $error = delete_from_rule ($zone_name, $from_zone, $interface, + $ruleset_type, $ruleset, '-o', $zone_chain); + return ($error, ) if $error; + + return; +} + +sub do_firewall_interface_zone { + my ($zone_name, $interface) = @_; + my $zone_chain=Vyatta::Zone::get_zone_chain("exists", $zone_name); + my ($cmd, $error); + foreach my $tree (keys %cmd_hash) { + + my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree}, + $table_hash{$tree}, "$zone_chain", "RETURN", $interface); + if ($result < 1) { + # add rule to allow same zone to same zone traffic + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $zone_chain " . 
+ "-i $interface -j RETURN"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to add $interface to its zone-chain $zone_chain +failed [$error]" if $error; + } + + # need to do this as an append before VYATTA_POST_FW_*_HOOK + my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree}, + $table_hash{$tree}, "FORWARD"); + my $insert_at_rule_num=1; + if ( $rule_cnt > 1 ) { + $insert_at_rule_num=$rule_cnt; + } + $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree}, $table_hash{$tree}, + "FORWARD", "$zone_chain", $interface); + if ($result < 1) { + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I FORWARD " . + "$insert_at_rule_num -o $interface -j $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to add jump rule for outgoing interface $interface +to its $zone_chain chain failed [$error]" if $error; + } + } + + # get all zones in which this zone is being used as a from zone + # then in chains for those zones, add rules for this incoming interface + my @all_zones = Vyatta::Zone::get_all_zones("listNodes"); + foreach my $zone (@all_zones) { + if (!($zone eq $zone_name)) { + my @from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", + $zone); + if (scalar(grep(/^$zone_name$/, @from_zones)) > 0) { + foreach my $tree (keys %cmd_hash) { + # call function to append rules to $zone's chain + $error = add_fromzone_intf_ruleset($zone, $zone_name, + $interface, $tree); + return "Error: $error" if $error; + } + } + } + } + + # if this zone has a local from zone, add interface to local zone out chain + my @my_from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", + $zone_name); + foreach my $fromzone (@my_from_zones) { + if (defined(Vyatta::Zone::is_local_zone("exists", $fromzone))) { + foreach my $tree (keys %cmd_hash) { + $error = add_fromlocalzone_ruleset($zone_name, $fromzone, + $interface, $tree); + return "Error: $error" if $error; + } + } + } + + return; +} + +sub undo_firewall_interface_zone { + 
my ($zone_name, $interface) = @_; + my ($cmd, $error); + my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", $zone_name); + + foreach my $tree (keys %cmd_hash) { + + # delete rule to allow same zone to same zone traffic + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D FORWARD " . + "-o $interface -j $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to delete jump rule for outgoing interface $interface +to $zone_chain chain failed [$error]" if $error; + + # delete ruleset jump for this in interface + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $zone_chain " . + "-i $interface -j RETURN"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to delete interface $interface from zone-chain +$zone_chain with failed [$error]" if $error; + } + + # delete rules for this intf where this zone is being used as a from zone + my @all_zones = Vyatta::Zone::get_all_zones("listOrigNodes"); + foreach my $zone (@all_zones) { + if (!($zone eq $zone_name)) { + my @from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", + $zone); + if (scalar(grep(/^$zone_name$/, @from_zones)) > 0) { + foreach my $tree (keys %cmd_hash) { + # call function to delete rules from $zone's chain + $error = delete_fromzone_intf_ruleset($zone, $zone_name, + $interface, $tree); + return "Error: $error" if $error; + } + } + } + } + + # if you have local from zone, delete interface to local zone out chain + my @my_from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", + $zone_name); + foreach my $fromzone (@my_from_zones) { + if (defined(Vyatta::Zone::is_local_zone("existsOrig", $fromzone))) { + foreach my $tree (keys %cmd_hash) { + $error = delete_fromlocalzone_ruleset($zone_name, $fromzone, + $interface, $tree); + return "Error: $error" if $error; + } + } + } + + return; +} + +sub do_firewall_localzone { + my ($zone_name) = @_; + my ($cmd, $error); + my $zone_chain=Vyatta::Zone::get_zone_chain("exists", $zone_name); + foreach my $tree 
(keys %cmd_hash) { + + my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree}, + $table_hash{$tree}, "INPUT"); + my $insert_at_rule_num=1; + if ( $rule_cnt > 1 ) { + $insert_at_rule_num=$rule_cnt; + } + my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree}, + $table_hash{$tree}, "INPUT", $zone_chain); + + if ($result < 1) { + # insert rule to filter local traffic from interface per ruleset + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I INPUT " . + "$insert_at_rule_num -j $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to add jump rule for local zone +$zone_chain chain failed [$error]" if $error; + } + } + + # get all zones in which local zone is being used as a from zone + # filter traffic from local zone to those zones + my @all_zones = Vyatta::Zone::get_all_zones("listNodes"); + foreach my $zone (@all_zones) { + if (!($zone eq $zone_name)) { + my @from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", + $zone); + if (scalar(grep(/^$zone_name$/, @from_zones)) > 0) { + foreach my $tree (keys %cmd_hash) { + my @zone_interfaces = + Vyatta::Zone::get_zone_interfaces("returnValues", $zone); + foreach my $intf (@zone_interfaces) { + $error = add_fromlocalzone_ruleset($zone, $zone_name, + $intf, $tree); + return "Error: $error" if $error; + } + } + } + } + } + return; +} + +sub undo_firewall_localzone { + my ($zone_name) = @_; + my ($cmd, $error); + my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", $zone_name); + + foreach my $tree (keys %cmd_hash) { + + # delete rule to filter traffic destined for system + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D INPUT " . 
+ "-j $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to delete local zone +$zone_chain chain failed [$error]" if $error; + } + + # get all zones in which local zone is being used as a from zone + # remove filter for traffic from local zone to those zones + my @all_zones = Vyatta::Zone::get_all_zones("listOrigNodes"); + foreach my $zone (@all_zones) { + if (!($zone eq $zone_name)) { + my @from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", + $zone); + if (scalar(grep(/^$zone_name$/, @from_zones)) > 0) { + foreach my $tree (keys %cmd_hash) { + my @zone_interfaces = + Vyatta::Zone::get_zone_interfaces("returnOrigValues", $zone); + foreach my $intf (@zone_interfaces) { + $error = delete_fromlocalzone_ruleset($zone, $zone_name, + $intf, $tree); + return "Error: $error" if $error; + } + } + } + } + } + return; +} + +sub add_zone { + my $zone_name = shift; + # perform firewall related actions for this zone + my $error = create_zone_chain ($zone_name); + return ($error, ) if $error; + + if (defined(Vyatta::Zone::is_local_zone("exists", $zone_name))) { + # make local out chain as well + $error = create_zone_chain ($zone_name, "localout"); + return ($error, ) if $error; + + # allow traffic sourced from and destined to localhost + my $cmd; + my @localchains=(); + $localchains[0] = Vyatta::Zone::get_zone_chain("exists", $zone_name); + $localchains[1] = Vyatta::Zone::get_zone_chain("exists", $zone_name, + 'localout'); + + foreach my $tree (keys %cmd_hash) { + foreach my $chain (@localchains) { + my $loopback_intf = ''; + if ($chain =~ m/_IN/) { + + # if the chain is INPUT chain + $loopback_intf = '$6'; + + # set IPv6 params if using ip6tables + if ($cmd_hash{$tree} =~ '6') { + $loopback_intf = '$5'; + } + + } else { + + # if the chain is OUTPUT chain + $loopback_intf = '$7'; + + # set IPv6 params if using ip6tables + if ($cmd_hash{$tree} =~ '6') { + $loopback_intf = '$6'; + } + + } + + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} 
-L $chain 1 -vn " . + "| awk {'print \$3 \" \" $loopback_intf'} ". + "| grep 'RETURN lo\$' | wc -l"; + + my $result=`$cmd`; + if ($result < 1) { + + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $chain "; + + if ($chain =~ m/_IN/) { + + # rule for INPUT chain + $cmd .= "-i lo -j RETURN"; + + } else { + + # rule for OUTPUT chain + $cmd .= "-o lo -j RETURN"; + + } + + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: adding rule to allow localhost traffic failed [$error]" if $error; + + } + } + } + + } + + # set default policy + my $default_policy = Vyatta::Zone::get_zone_default_policy("returnValue", + $zone_name); + $error = set_default_policy($zone_name, $default_policy); + return $error if $error; + return; +} + +sub delete_zone { + my $zone_name = shift; + # undo firewall related actions for this zone + my $error = delete_zone_chain ($zone_name); + return ($error, ) if $error; + if (defined(Vyatta::Zone::is_local_zone("existsOrig", $zone_name))) { + # delete local out chain as well + $error = delete_zone_chain ($zone_name, "localout"); + return ($error, ) if $error; + } + return; +} + +sub add_localzone { + my ($zone_name) = @_; + my $error; + # do firewall related stuff + $error = do_firewall_localzone ($zone_name); + return ($error, ) if $error; + return; +} + +sub delete_localzone { + my ($zone_name) = @_; + my $error; + # undo firewall related stuff + $error = undo_firewall_localzone ($zone_name); + return ($error, ) if $error; + return; +} + +sub add_zone_interface { + my ($zone_name, $interface) = @_; + return("Error: undefined interface", ) if ! defined $interface; + my $error; + # do firewall related stuff + $error = do_firewall_interface_zone ($zone_name, $interface); + return ($error, ) if $error; + return; +} + +sub delete_zone_interface { + my ($zone_name, $interface) = @_; + return("Error: undefined interface", ) if ! 
defined $interface; + # undo firewall related stuff + my $error = undo_firewall_interface_zone ($zone_name, $interface); + return ($error, ) if $error; + return; +} + +sub add_fromzone_fw { + my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_; + my ($cmd, $error); + + # for all interfaces in from zone apply ruleset to filter traffic + # from this zone to specified zone (i.e. $zone) + my @from_zone_interfaces = + Vyatta::Zone::get_zone_interfaces("returnValues", $from_zone); + if (scalar(@from_zone_interfaces) > 0) { + foreach my $intf (@from_zone_interfaces) { + $error = add_fromzone_intf_ruleset($zone, $from_zone, $intf, + $ruleset_type, $ruleset_name); + return "Error: $error" if $error; + } + } else { + if (defined(Vyatta::Zone::is_local_zone("exists", $from_zone))) { + # local from zone + my @zone_interfaces = + Vyatta::Zone::get_zone_interfaces("returnValues", $zone); + foreach my $intf (@zone_interfaces) { + $error = add_fromlocalzone_ruleset($zone, $from_zone, $intf, + $ruleset_type, $ruleset_name); + return "Error: $error" if $error; + } + } + + my $zone_chain=Vyatta::Zone::get_zone_chain("exists", + $from_zone, 'localout'); + # add jump to local-zone-out chain in OUTPUT chains for [ip and ip6]tables + foreach my $tree (keys %cmd_hash) { + # if jump to localzoneout chain not inserted, then insert rule + my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree}, + $table_hash{$tree}, "OUTPUT"); + my $insert_at_rule_num=1; + if ( $rule_cnt > 1 ) { + $insert_at_rule_num=$rule_cnt; + } + my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree}, + $table_hash{$tree}, "OUTPUT", $zone_chain); + if ($result < 1) { + my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " . 
+ "-I OUTPUT $insert_at_rule_num -j $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to add jump rule for local zone out +$zone_chain chain failed [$error]" if $error; + } + } + + } # end of else + + return; +} + +sub delete_fromzone_fw { + my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_; + my ($cmd, $error); + + # for all interfaces in from zone remove ruleset to filter traffic + # from this zone to specified zone (i.e. $zone) + my @from_zone_interfaces = + Vyatta::Zone::get_zone_interfaces("returnOrigValues", $from_zone); + if (scalar(@from_zone_interfaces) > 0) { + foreach my $intf (@from_zone_interfaces) { + $error = delete_fromzone_intf_ruleset($zone, $from_zone, $intf, + $ruleset_type, $ruleset_name); + return "Error: $error" if $error; + } + } else { + if (defined(Vyatta::Zone::is_local_zone("existsOrig", $from_zone))) { + # local from zone + my @zone_interfaces = + Vyatta::Zone::get_zone_interfaces("returnOrigValues", $zone); + foreach my $intf (@zone_interfaces) { + $error = delete_fromlocalzone_ruleset($zone, $from_zone, $intf, + $ruleset_type, $ruleset_name); + return "Error: $error" if $error; + } + } + + my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", + $from_zone, 'localout'); + # if only drop rule & localhost allow rule in $zone_chain in both + # [ip and ip6]tables then delete jump from OUTPUT chain in both + foreach my $tree (keys %cmd_hash) { + my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree}, + $table_hash{$tree}, $zone_chain); + if ($rule_cnt > 2) { + # atleast one of [ip or ip6]tables has local-zone as a from zone + return; + } + } + + foreach my $tree (keys %cmd_hash) { + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " . 
+ "-D OUTPUT -j $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to delete jump rule for local zone out +$zone_chain chain failed [$error]" if $error; + } + + } # end of else + return; +} + +sub set_default_policy { + my ($zone, $default_policy) = @_; + # setup default policy for zone + my $error = setup_default_policy ($zone, $default_policy); + return ($error, ) if $error; + if (defined(Vyatta::Zone::is_local_zone("exists", $zone))) { + # set default policy for local out chain as well + $error = setup_default_policy ($zone, $default_policy, "localout"); + return ($error, ) if $error; + } + return; +} + +sub check_zones_validity { + my $silent = shift; + my $error; + $error = Vyatta::Zone::validity_checks(); + if ($error) { + if ($silent eq 'true') { + # called from from/node.def which is a different transaction + # than everything else under zone-policy. We do not want to + # make chains or insert from rules into chains if we have a + # malfunctioning configuration. We fail in a silent way here + # so that when this function is called from zone-policy/node.def + # we will print the error and not repeat the same error twice + exit 1; + } else { + return ($error , ); + } + } + return; +} + +sub check_fwruleset_isActive { + my ($ruleset_type, $ruleset_name) = @_; + my $ret = Vyatta::Zone::is_fwruleset_active('isActive', $ruleset_type, + $ruleset_name); + return "Invalid firewall ruleset $ruleset_type $ruleset_name" if (!$ret); + return; +} + +# +# main +# + +my ($action, $zone_name, $interface, $from_zone, $ruleset_type, $ruleset_name, + $default_policy, $silent_validate); + +GetOptions("action=s" => \$action, + "zone-name=s" => \$zone_name, + "interface=s" => \$interface, + "from-zone=s" => \$from_zone, + "ruleset-type=s" => \$ruleset_type, + "ruleset-name=s" => \$ruleset_name, + "default-policy=s" => \$default_policy, + "silent-validate=s" => \$silent_validate, +); + +die "undefined action" if ! 
defined $action; +die "undefined zone" if ! defined $zone_name; + +my ($error, $warning); + +($error, $warning) = add_zone($zone_name) if $action eq 'add-zone'; + +($error, $warning) = delete_zone($zone_name) if $action eq 'delete-zone'; + +($error, $warning) = add_zone_interface($zone_name, $interface) + if $action eq 'add-zone-interface'; + +($error, $warning) = delete_zone_interface($zone_name, $interface) + if $action eq 'delete-zone-interface'; + +($error, $warning) = add_fromzone_fw($zone_name, $from_zone, $ruleset_type, + $ruleset_name) if $action eq 'add-fromzone-fw'; + +($error, $warning) = delete_fromzone_fw($zone_name, $from_zone, $ruleset_type, + $ruleset_name) if $action eq 'delete-fromzone-fw'; + +($error, $warning) = check_zones_validity($silent_validate) + if $action eq 'validity-checks'; + +($error, $warning) = add_localzone($zone_name) + if $action eq 'add-localzone'; + +($error, $warning) = delete_localzone($zone_name) + if $action eq 'delete-localzone'; + +($error, $warning) = set_default_policy($zone_name, $default_policy) + if $action eq 'set-default-policy'; + +($error, $warning) = check_fwruleset_isActive($ruleset_type, $ruleset_name) + if $action eq 'is-fwruleset-active'; + +if (defined $warning) { + print "$warning\n"; +} + +if (defined $error) { + print "$error\n"; + exit 1; +} + +exit 0; + +# end of file diff --git a/templates-cfg/zone-policy/node.def b/templates-cfg/zone-policy/node.def new file mode 100644 index 0000000..440d397 --- /dev/null +++ b/templates-cfg/zone-policy/node.def @@ -0,0 +1,6 @@ +priority: 250 # after zone-policy/zone/node.tag/from/ +help: Configure zone-policy +begin: +if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none --silent-validate=false; then + exit 1 +fi diff --git a/templates-cfg/zone-policy/zone/node.def b/templates-cfg/zone-policy/zone/node.def new file mode 100644 index 0000000..eb8c3c8 --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.def 
@@ -0,0 +1,24 @@ +tag: +type: txt +help: Zone name + +syntax:expression: pattern $VAR(@) "^[[:print:]]{1,20}$" ; + "Zone name must be 20 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; "Zone name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^;]*$" ; "Zone name cannot contain ';'" + +create: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-zone \ + --zone-name="$VAR(@)"; then + exit 1 + fi + +delete: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=delete-zone \ + --zone-name="$VAR(@)"; then + exit 1 + fi diff --git a/templates-cfg/zone-policy/zone/node.tag/default-action/node.def b/templates-cfg/zone-policy/zone/node.tag/default-action/node.def new file mode 100644 index 0000000..61c8c78 --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.tag/default-action/node.def @@ -0,0 +1,26 @@ +type: txt +help: Default-action for traffic coming into this zone +default: "drop" +allowed: echo drop reject + +syntax:expression: $VAR(@) in "drop", "reject"; + "default-action must be either drop or reject" + +val_help: drop; Drop silently (default) +val_help: reject; Drop and notify source + +create: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=set-default-policy \ + --zone-name="$VAR(../@)" \ + --default-policy="$VAR(@)"; then + exit 1 + fi + +update: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=set-default-policy \ + --zone-name="$VAR(../@)" \ + --default-policy="$VAR(@)"; then + exit 1 + fi diff --git a/templates-cfg/zone-policy/zone/node.tag/description/node.def b/templates-cfg/zone-policy/zone/node.tag/description/node.def new file mode 100644 index 0000000..7acb96d --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: Zone description diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.def new file mode 100644 index 0000000..433f423 --- /dev/null 
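Review bot: in templates-cfg/zone-policy/zone/node.def the 20-character limit is too generous for the chain names derived from it: get_zone_chain builds `VZONE_<name>`, `VZONE_<name>_IN` and `VZONE_<name>_OUT`, and iptables/ip6tables reject chain names of 29 characters or more ("chain name ... too long (must be under 29 chars)"), so a local-zone whose name is 19 or 20 characters long fails at `-N` time with an error the user cannot relate to the name. Cap the length at 18, and since the name is interpolated unquoted into the `sudo iptables ...` command strings and into regexes in the Perl code, restrict the character set instead of blacklisting `;`: a space, `$`, `|` or a backquote still passes the three checks here. A single `^[[:alnum:]][[:alnum:]_-]{0,17}$` would replace all three syntax expressions.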
+++ b/templates-cfg/zone-policy/zone/node.tag/from/node.def @@ -0,0 +1,42 @@ +tag: +priority: 245 # after firewall, content-inspection +type: txt +help: Zone from which to filter traffic + +allowed: + local -a zones ; + eval "zones=($(cli-shell-api listActiveNodes zone-policy zone))" + echo -n "${zones[@]}" + +begin: +if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none --silent-validate=true; then + exit 1 +fi + +create: + parent_zone=$VAR(../@) + zones=($VAR(../@@)) + num_zones=${#zones[*]} + i=0 + found=0 + while [ $i -lt $num_zones ]; do + if [ "${zones[$i]}" == "$VAR(@)" ] ; then + if [ "$parent_zone" == "$VAR(@)" ]; then + echo from zone same as zone [$parent_zone] itself + exit 1 + fi + found=1 + fi + let i++ + done + if [ $found -eq 0 ]; then + echo Undefined from zone [$VAR(@)] under zone $parent_zone + exit 1 + else + if ! /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$parent_zone"; then + exit 1 + fi + if ! /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$VAR(@)"; then + exit 1 + fi + fi diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def new file mode 100644 index 0000000..391a66b --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def 
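Review bot: in from/node.def the completion and the create check consult different configurations: `allowed:` lists `cli-shell-api listActiveNodes zone-policy zone` (committed zones only) while the create loop validates `$VAR(@)` against `$VAR(../@@)` (the working configuration), so a zone defined earlier in the same uncommitted session is accepted but never offered for completion; use `cli-shell-api listNodes zone-policy zone` in `allowed:` if the two are meant to agree. Also worth a comment: the two `--action=add-zone` calls here are what guarantee that both chains exist before the firewall child nodes insert jumps into them, and that only works because create_zone_chain is idempotent (it probes with `-L` before `-N`); spell out that dependency so the probe is not removed later.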
@@ -0,0 +1,65 @@ +type: txt +help: IPv6 firewall ruleset + +allowed: + local -a params ; + eval "params=($(cli-shell-api listActiveNodes firewall ipv6-name))" + echo -n "${params[@]}" + +create: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=is-fwruleset-active \ + --zone-name="$VAR(../../../@)" \ + --ruleset-type=ipv6-name \ + --ruleset-name="$VAR(@)"; then + exit 1 + fi + + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-fromzone-fw \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=ipv6-name \ + --ruleset-name="$VAR(@)"; then + exit 1 + fi + +update: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=is-fwruleset-active \ + --zone-name="$VAR(../../../@)" \ + --ruleset-type=ipv6-name \ + --ruleset-name="$VAR(@)"; then + exit 1 + fi + + # need to undo previous ruleset here first + old_ruleset=$(cli-shell-api returnActiveValue zone-policy zone \ + $VAR(../../../@) from $VAR(../../@) firewall ipv6-name) + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=delete-fromzone-fw \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=ipv6-name \ + --ruleset-name="$old_ruleset"; then + exit 1 + fi + + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-fromzone-fw \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=ipv6-name \ + --ruleset-name="$VAR(@)"; then + exit 1 + fi + +delete: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=delete-fromzone-fw \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=ipv6-name \ + --ruleset-name="$VAR(@)"; then + exit 1 + fi diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def new file mode 100644 index 0000000..605add4 --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def 
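Review bot: in firewall/ipv6-name/node.def the `update:` block expands `$VAR(../../../@)` and `$VAR(../../@)` unquoted in `old_ruleset=$(cli-shell-api returnActiveValue zone-policy zone $VAR(../../../@) from $VAR(../../@) firewall ipv6-name)`, while every other `$VAR` on this page is double-quoted. With the current zone-name pattern a name containing a space splits into two arguments, the lookup silently returns nothing, and the stale jump to the previous ruleset is never removed from the zone chain. Quote both expansions; the same unquoted line appears in firewall/name/node.def.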
@@ -0,0 +1,66 @@ +type: txt +help: IPv4 firewall ruleset + +allowed: + local -a params ; + eval "params=($(cli-shell-api listActiveNodes firewall name))" + echo -n "${params[@]}" + +create: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=is-fwruleset-active \ + --zone-name="$VAR(../../../@)" \ + --ruleset-type=name \ + --ruleset-name="$VAR(@)"; then + exit 1 + fi + + + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-fromzone-fw \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=name \ + --ruleset-name="$VAR(@)"; then + exit 1 + fi + +update: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=is-fwruleset-active \ + --zone-name="$VAR(../../../@)" \ + --ruleset-type=name \ + --ruleset-name="$VAR(@)"; then + exit 1 + fi + + # need to undo previous ruleset here first + old_ruleset=$(cli-shell-api returnActiveValue zone-policy zone \ + $VAR(../../../@) from $VAR(../../@) firewall name) + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=delete-fromzone-fw \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=name \ + --ruleset-name="$old_ruleset"; then + exit 1 + fi + + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-fromzone-fw \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=name \ + --ruleset-name="$VAR(@)"; then + exit 1 + fi + +delete: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=delete-fromzone-fw \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=name \ + --ruleset-name="$VAR(@)"; then + exit 1 + fi diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/node.def new file mode 100644 index 0000000..bb7fff5 --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/node.def @@ -0,0 +1 @@ +help: Firewall options 
diff --git a/templates-cfg/zone-policy/zone/node.tag/interface/node.def b/templates-cfg/zone-policy/zone/node.tag/interface/node.def new file mode 100644 index 0000000..36ff3e2 --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.tag/interface/node.def @@ -0,0 +1,24 @@ +multi: +type: txt +help: Interface associated with zone +allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=all | sed -e s/'lo '// + +syntax:expression: $VAR(@) != "lo" ; "Cannot assign loopback interface to a transit zone. It's part of local-zone" + +create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn + +create: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-zone-interface \ + --zone-name="$VAR(../@)" \ + --interface="$VAR(@)"; then + exit 1 + fi + +delete: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=delete-zone-interface \ + --zone-name="$VAR(../@)" \ + --interface="$VAR(@)"; then + exit 1 + fi diff --git a/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def b/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def new file mode 100644 index 0000000..4db0f63 --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def @@ -0,0 +1,15 @@ +help: Zone to be local-zone + +create: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-localzone \ + --zone-name="$VAR(../@)"; then + exit 1 + fi + +delete: + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=delete-localzone \ + --zone-name="$VAR(../@)"; then + exit 1 + fi |
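Review bot: in templates-cfg/zone-policy/zone/node.tag/from/node.def the `create:` action calls `vyatta-zone.pl --action=add-zone` for both the parent zone and the from-zone, but the node declares no `delete:` action, so nothing here tears that relationship down when the whole `from` node is removed; the only cleanup visible in this patch is the per-ruleset `delete:` in the firewall name/ipv6-name children. Either add a matching `delete:` or document that the zone chains are meant to persist. Separately, the two error messages are echoed unquoted (`echo Undefined from zone [$VAR(@)] under zone $parent_zone`), which exposes the `[...]` text to glob expansion and word splitting; quote the whole string.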
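Review bot: the `update:` action in templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def removes the old ruleset (`--action=delete-fromzone-fw ... --ruleset-name="$old_ruleset"`) before adding the new one, so if the second call fails the commit aborts with the zone pair left with no ruleset at all; consider adding the new ruleset first and then deleting the old one, or restoring the old one on failure. Also `old_ruleset` is obtained with `cli-shell-api returnActiveValue zone-policy zone $VAR(../../../@) from $VAR(../../@) firewall ipv6-name` using unquoted `$VAR(...)` arguments while every other call in the file quotes them; make that consistent, and guard against an empty `old_ruleset` before passing it to the delete call.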
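Review bot: templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def is a line-for-line copy of the ipv6-name template with only `--ruleset-type=name` substituted, so it inherits the same update ordering concern (old ruleset deleted before the new one is attached) and the same unquoted `$VAR(...)` arguments in the `returnActiveValue` call. Since both files must be kept in sync, consider generating them from one source or pushing the three-step create/update/delete logic into `vyatta-zone.pl` keyed on `--ruleset-type`. Minor: there is a stray double blank line between the two `if` blocks in `create:`.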
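Review bot: templates-cfg/zone-policy/zone/node.tag/interface/node.def declares `create:` twice, once as `create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn` and again as the block calling `--action=add-zone-interface`; confirm the template parser runs both rather than keeping only one, otherwise either the interface existence warning or the zone membership update is silently dropped. Merging them into a single `create:` block avoids the question. The `allowed:` filter `sed -e s/'lo '//` depends on the exact output format of `vyatta-interfaces.pl --show=all` (a trailing space after `lo`), so a change there would put the loopback back in completion even though `syntax:expression` still rejects it. In the adjacent local-zone/node.def nothing in these templates stops a zone from carrying both `local-zone` and `interface` members; if that is enforced by `vyatta-zone.pl --action=validity-checks`, a comment saying so would help reviewers.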
