694 files changed, 25459 insertions, 10281 deletions

diff --git a/.gitattributes b/.gitattributes
index ea2cc59e4..1d79e0804 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,75 @@
-data/templates/**/*.conf linguist-language=Jinja
-*.tmpl linguist-language=Jinja
-*.xml.i linguist-language=XML
-*.xml.in linguist-language=XML
+# Common settings that generally should always be used with your language specific settings
+
+# Auto detect text files and perform LF normalization
+*          text=auto
+
+#
+# The above will handle all files NOT found below
+#
+
+# Documents
+*.md       text diff=markdown
+*.mdx      text diff=markdown
+*.adoc     text
+*.csv      text eol=crlf
+*.rst      text
+*.txt      text
+
+# Graphics
+*.png      binary
+*.jpg      binary
+*.jpeg     binary
+*.gif      binary
+*.tif      binary
+*.tiff     binary
+*.ico      binary
+# SVG treated as text by default.
+*.svg      text
+# If you want to treat it as binary,
+# use the following line instead.
+# *.svg    binary
+
+# Scripts
+*.bash     text eol=lf diff=bash
+*.sh       text eol=lf diff=bash
+
+# Serialisation
+*.conf     text
+*.graphql  text
+*.j2       text
+*.json     text
+*.rules    text
+*.service  text
+*.toml     text
+*.tmpl     text linguist-language=Jinja
+*.xml      text
+*.xml.i    text linguist-language=XML
+*.xml.in   text linguist-language=XML
+*.yaml     text
+*.yml      text
+
+# Text files where line endings should be preserved
+*.patch    -text
+*.diff     -text
+
+# Python files
+*.pxd    text diff=python
+*.py     text diff=python
+*.py3    text diff=python
+*.pyw    text diff=python
+*.pyx    text diff=python
+*.pyz    text diff=python
+*.pyi    text diff=python
+
+# Fix syntax highlighting on GitHub to allow comments
+.vscode/*.json linguist-language=JSON-with-Comments
+
+#
+# Exclude files from exporting
+#
+
+.gitattributes        export-ignore
+.gitignore            export-ignore
+.gitkeep              export-ignore
+*.pyc          binary export-ignore
+*.pyo          binary export-ignore
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index d77275d38..000000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: Build
-on:
-  push:
-    branches:
-      - current
-  pull_request:
-    types: [opened, synchronize, reopened]
-jobs:
-  sonarcloud:
-    name: SonarCloud
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-      - name: SonarCloud Scan
-        uses: SonarSource/sonarcloud-github-action@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.vscode/settings.json b/.vscode/settings.json
index caa87ba4a..27ed4c296 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,18 +1,26 @@
 {
-    "files.trimTrailingWhitespace": true,
-    "editor.tabSize": 4,
-    "editor.insertSpaces": true,
     "files.insertFinalNewline": true,
-    "files.eol": "\n",
-    # https://code.visualstudio.com/docs/languages/identifiers#_known-language-identifiers
+    "files.trimFinalNewlines": true,
+    "files.trimTrailingWhitespace": true,
+
+    // https://code.visualstudio.com/docs/languages/identifiers#_known-language-identifiers
     "files.associations": {
+        "*.j2": "jinja",
         "*.xml.i": "xml",
         "*.xml.in": "xml",
-        "*.j2": "jinja",
     },
-    "editor.indentSize": "tabSize",
     "[jinja]": {
-        "editor.tabSize": 4,
-        "editor.wordBasedSuggestions": false
-    }
+        "editor.wordBasedSuggestions": "off"
+    },
+    // https://code.visualstudio.com/docs/python/settings-reference
+    "python.analysis.extraPaths": [
+        "./python"
+    ],
+    // https://help.gitkraken.com/gitlens/gitlens-settings/#autolink-settings
+    "gitlens.autolinks": [
+        {
+            "prefix": "T",
+            "url": "https://vyos.dev/T<num>"
+        }
+    ],
 }
diff --git a/Makefile b/Makefile
index b75a78784..23e060125 100644
--- a/Makefile
+++ b/Makefile
@@ -26,10 +26,10 @@ interface_definitions: $(config_xml_obj)
 
 	$(CURDIR)/scripts/override-default $(BUILD_DIR)/interface-definitions
 
-	$(CURDIR)/python/vyos/xml_ref/generate_cache.py --xml-dir $(BUILD_DIR)/interface-definitions || exit 1
-
 	find $(BUILD_DIR)/interface-definitions -type f -name "*.xml" | xargs -I {} $(CURDIR)/scripts/build-command-templates {} $(CURDIR)/schema/interface_definition.rng $(TMPL_DIR) || exit 1
 
+	$(CURDIR)/python/vyos/xml_ref/generate_cache.py --xml-dir $(BUILD_DIR)/interface-definitions || exit 1
+
 	# XXX: delete top level node.def's that now live in other packages
 	# IPSec VPN EAP-RADIUS does not support source-address
 	rm -rf $(TMPL_DIR)/vpn/ipsec/remote-access/radius/source-address
@@ -60,14 +60,12 @@ op_mode_definitions: $(op_xml_obj)
 	rm -f $(OP_TMPL_DIR)/clear/interfaces/node.def
 	rm -f $(OP_TMPL_DIR)/clear/node.def
 	rm -f $(OP_TMPL_DIR)/delete/node.def
-	rm -f $(OP_TMPL_DIR)/generate/node.def
-	rm -f $(OP_TMPL_DIR)/set/node.def
-	rm -f $(OP_TMPL_DIR)/show/tech-support/node.def
 
-	# XXX: ping and traceroute must be able to recursivly call itself as the
-	# options are provided from the script itself
+	# XXX: ping, traceroute and mtr must be able to recursivly call themselves as the
+	# options are provided from the scripts themselves
 	ln -s ../node.tag $(OP_TMPL_DIR)/ping/node.tag/node.tag/
 	ln -s ../node.tag $(OP_TMPL_DIR)/traceroute/node.tag/node.tag/
+	ln -s ../node.tag $(OP_TMPL_DIR)/mtr/node.tag/node.tag/
 
 	# XXX: test if there are empty node.def files - this is not allowed as these
 	# could mask help strings or mandatory priority statements
diff --git a/data/config-mode-dependencies.json b/data/config-mode-dependencies.json
deleted file mode 100644
index 91a757c16..000000000
--- a/data/config-mode-dependencies.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
-  "firewall": {"group_resync": ["nat", "policy-route"]},
-  "http_api": {"https": ["https"]},
-  "pki": {
-           "ethernet": ["interfaces-ethernet"],
-           "openvpn": ["interfaces-openvpn"],
-           "https": ["https"],
-           "ipsec": ["vpn_ipsec"],
-           "openconnect": ["vpn_openconnect"],
-           "sstp": ["vpn_sstp"]
-         },
-  "qos": {
-           "bonding": ["interfaces-bonding"],
-           "bridge": ["interfaces-bridge"],
-           "dummy": ["interfaces-dummy"],
-           "ethernet": ["interfaces-ethernet"],
-           "geneve": ["interfaces-geneve"],
-           "input": ["interfaces-input"],
-           "l2tpv3": ["interfaces-l2tpv3"],
-           "loopback": ["interfaces-loopback"],
-           "macsec": ["interfaces-macsec"],
-           "openvpn": ["interfaces-openvpn"],
-           "pppoe": ["interfaces-pppoe"],
-           "pseudo-ethernet": ["interfaces-pseudo-ethernet"],
-           "tunnel": ["interfaces-tunnel"],
-           "vti": ["interfaces-vti"],
-           "vxlan": ["interfaces-vxlan"],
-           "wireguard": ["interfaces-wireguard"],
-           "wireless": ["interfaces-wireless"],
-           "wwan": ["interfaces-wwan"]
-         },
-  "vpp": {
-           "ethernet": ["interfaces-ethernet"]
-         }
-}
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
new file mode 100644
index 000000000..50473a6a1
--- /dev/null
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -0,0 +1,39 @@
+{
+  "firewall": {
+    "group_resync": ["nat", "policy_route"]
+  },
+  "interfaces_bonding": {
+    "ethernet": ["interfaces_ethernet"]
+  },
+  "interfaces_bridge": {
+    "vxlan": ["interfaces_vxlan"]
+  },
+  "pki": {
+    "ethernet": ["interfaces_ethernet"],
+    "openvpn": ["interfaces_openvpn"],
+    "https": ["service_https"],
+    "ipsec": ["vpn_ipsec"],
+    "openconnect": ["vpn_openconnect"],
+    "sstp": ["vpn_sstp"]
+  },
+  "qos": {
+    "bonding": ["interfaces_bonding"],
+    "bridge": ["interfaces_bridge"],
+    "dummy": ["interfaces_dummy"],
+    "ethernet": ["interfaces_ethernet"],
+    "geneve": ["interfaces_geneve"],
+    "input": ["interfaces_input"],
+    "l2tpv3": ["interfaces_l2tpv3"],
+    "loopback": ["interfaces_loopback"],
+    "macsec": ["interfaces_macsec"],
+    "openvpn": ["interfaces_openvpn"],
+    "pppoe": ["interfaces_pppoe"],
+    "pseudo-ethernet": ["interfaces_pseudo-ethernet"],
+    "tunnel": ["interfaces_tunnel"],
+    "vti": ["interfaces_vti"],
+    "vxlan": ["interfaces_vxlan"],
+    "wireguard": ["interfaces_wireguard"],
+    "wireless": ["interfaces_wireless"],
+    "wwan": ["interfaces_wwan"]
+  }
+}
diff --git a/data/configd-include.json b/data/configd-include.json
index 84bc1f14e..fe27ae2b7 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -1,87 +1,110 @@
 [
-"arp.py",
-"bcast_relay.py",
 "container.py",
-"conntrack.py",
-"conntrack_sync.py",
-"dhcp_relay.py",
-"dhcp_server.py",
-"dhcpv6_relay.py",
-"dhcpv6_server.py",
-"dns_forwarding.py",
-"dns_dynamic.py",
 "firewall.py",
-"flow_accounting_conf.py",
 "high-availability.py",
-"host_name.py",
-"igmp_proxy.py",
-"intel_qat.py",
-"interfaces-bonding.py",
-"interfaces-bridge.py",
-"interfaces-dummy.py",
-"interfaces-ethernet.py",
-"interfaces-geneve.py",
-"interfaces-l2tpv3.py",
-"interfaces-loopback.py",
-"interfaces-macsec.py",
-"interfaces-openvpn.py",
-"interfaces-pppoe.py",
-"interfaces-pseudo-ethernet.py",
-"interfaces-sstpc.py",
-"interfaces-tunnel.py",
-"interfaces-vti.py",
-"interfaces-vxlan.py",
-"interfaces-wireguard.py",
-"interfaces-wireless.py",
-"interfaces-wwan.py",
-"lldp.py",
+"interfaces_bonding.py",
+"interfaces_bridge.py",
+"interfaces_dummy.py",
+"interfaces_ethernet.py",
+"interfaces_geneve.py",
+"interfaces_input.py",
+"interfaces_l2tpv3.py",
+"interfaces_loopback.py",
+"interfaces_macsec.py",
+"interfaces_openvpn.py",
+"interfaces_pppoe.py",
+"interfaces_pseudo-ethernet.py",
+"interfaces_sstpc.py",
+"interfaces_tunnel.py",
+"interfaces_virtual-ethernet.py",
+"interfaces_vti.py",
+"interfaces_vxlan.py",
+"interfaces_wireguard.py",
+"interfaces_wireless.py",
+"interfaces_wwan.py",
+"load-balancing_reverse-proxy.py",
+"load-balancing_wan.py",
 "nat.py",
+"nat64.py",
 "nat66.py",
 "netns.py",
-"ntp.py",
 "pki.py",
 "policy.py",
-"policy-local-route.py",
+"policy_route.py",
+"policy_local-route.py",
+"protocols_babel.py",
 "protocols_bfd.py",
 "protocols_bgp.py",
-"protocols_igmp.py",
+"protocols_eigrp.py",
+"protocols_failover.py",
+"protocols_igmp-proxy.py",
 "protocols_isis.py",
 "protocols_mpls.py",
 "protocols_nhrp.py",
 "protocols_ospf.py",
 "protocols_ospfv3.py",
 "protocols_pim.py",
+"protocols_pim6.py",
 "protocols_rip.py",
 "protocols_ripng.py",
 "protocols_rpki.py",
+"protocols_segment-routing.py",
 "protocols_static.py",
+"protocols_static_arp.py",
 "protocols_static_multicast.py",
+"protocols_static_neighbor-proxy.py",
 "qos.py",
-"salt-minion.py",
+"service_broadcast-relay.py",
+"service_config-sync.py",
+"service_conntrack-sync.py",
 "service_console-server.py",
-"service_ids_fastnetmon.py",
+"service_dhcp-relay.py",
+"service_dhcp-server.py",
+"service_dhcpv6-relay.py",
+"service_dhcpv6-server.py",
+"service_dns_dynamic.py",
+"service_dns_forwarding.py",
+"service_event-handler.py",
+"service_https.py",
+"service_ids_ddos-protection.py",
 "service_ipoe-server.py",
-"service_mdns-repeater.py",
+"service_lldp.py",
+"service_mdns_repeater.py",
 "service_monitoring_telegraf.py",
+"service_monitoring_zabbix-agent.py",
+"service_ndp-proxy.py",
+"service_ntp.py",
 "service_pppoe-server.py",
 "service_router-advert.py",
+"service_salt-minion.py",
+"service_sla.py",
+"service_ssh.py",
+"service_tftp-server.py",
 "service_upnp.py",
-"ssh.py",
-"system-ip.py",
-"system-ipv6.py",
-"system-login-banner.py",
-"system-logs.py",
-"system-option.py",
-"system-proxy.py",
-"system_sflow.py",
-"system_sysctl.py",
-"system-syslog.py",
-"system-timezone.py",
+"service_webproxy.py",
+"system_acceleration.py",
+"system_config-management.py",
+"system_conntrack.py",
 "system_console.py",
+"system_flow-accounting.py",
+"system_frr.py",
+"system_host-name.py",
+"system_ip.py",
+"system_ipv6.py",
 "system_lcd.py",
-"task_scheduler.py",
-"tftp_server.py",
+"system_login_banner.py",
+"system_logs.py",
+"system_option.py",
+"system_proxy.py",
+"system_sflow.py",
+"system_sysctl.py",
+"system_syslog.py",
+"system_task-scheduler.py",
+"system_timezone.py",
+"system_update-check.py",
+"vpn_ipsec.py",
 "vpn_l2tp.py",
+"vpn_openconnect.py",
 "vpn_pptp.py",
 "vpn_sstp.py",
 "vrf.py",
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index 042c466ab..dfb7b023f 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -25,6 +25,5 @@
 "storage.py",
 "uptime.py",
 "version.py",
-"vrf.py",
-"zone.py"
+"vrf.py"
 ]
diff --git a/data/templates/accel-ppp/config_chap_secrets_radius.j2 b/data/templates/accel-ppp/config_chap_secrets_radius.j2
index a498d8186..595e3a565 100644
--- a/data/templates/accel-ppp/config_chap_secrets_radius.j2
+++ b/data/templates/accel-ppp/config_chap_secrets_radius.j2
@@ -30,7 +30,16 @@ dae-server={{ authentication.radius.dynamic_author.server }}:{{ authentication.r
 {%     endif %}
 {% endif %}
 {# Both chap-secrets and radius block required the gw-ip-address #}
-{% if gateway_address is vyos_defined %}
+{% if authentication.mode is vyos_defined('local') or authentication.mode is vyos_defined('radius') %}
+{%     if gateway_address is vyos_defined %}
+{%         if server_type == 'ipoe' %}
+{%             for gw in gateway_address %}
+{%                 set host_address, _ = gw.split('/') %}
+gw-ip-address={{ host_address }}
+{%             endfor %}
+{%         else %}
 gw-ip-address={{ gateway_address }}
+{%         endif %}
+{%     endif %}
 {% endif %}
 
diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2
index f7511e445..6ac04e1a1 100644
--- a/data/templates/accel-ppp/config_ip_pool.j2
+++ b/data/templates/accel-ppp/config_ip_pool.j2
@@ -1,24 +1,28 @@
-{% if client_ip_pool is vyos_defined %}
+{% if ordered_named_pools is vyos_defined %}
 [ip-pool]
 {%     if gateway_address is vyos_defined %}
+{%         if server_type == 'ipoe' %}
+{%             for gw in gateway_address %}
+{%                 set host_address, _ = gw.split('/') %}
+gw-ip-address={{ host_address }}
+{%             endfor %}
+{%         else %}
 gw-ip-address={{ gateway_address }}
+{%         endif %}
 {%     endif %}
-{%     if client_ip_pool.start is vyos_defined and client_ip_pool.stop is vyos_defined %}
-{{ client_ip_pool.start }}-{{ client_ip_pool.stop.split('.')[3] }}
-{%     endif %}
-{%     if client_ip_pool.subnet is vyos_defined %}
-{%         for subnet in client_ip_pool.subnet %}
-{{ subnet }}
-{%         endfor %}
-{%     endif %}
-{%     if client_ip_pool.name is vyos_defined %}
-{%         for pool, pool_config in client_ip_pool.name.items() %}
-{%             if pool_config.subnet is vyos_defined %}
-{{ pool_config.subnet }},name={{ pool }}
+{%     for pool in ordered_named_pools %}
+{%         for pool_name, pool_config in pool.items() %}
+{%             set iprange_str = pool_config.range %}
+{%             set iprange_list = pool_config.range.split('-') %}
+{%             if iprange_list | length == 2 %}
+{%                 set last_ip_oct = iprange_list[1].split('.') %}
+{%                 set iprange_str = iprange_list[0] + '-' + last_ip_oct[last_ip_oct | length - 1] %}
 {%             endif %}
-{%             if pool_config.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_config.gateway_address }}
+{%             if pool_config.next_pool is vyos_defined %}
+{{ iprange_str }},name={{ pool_name }},next={{ pool_config.next_pool }}
+{%             else %}
+{{ iprange_str }},name={{ pool_name }}
 {%             endif %}
 {%         endfor %}
-{%     endif %}
+{%     endfor %}
 {% endif %}
\ No newline at end of file
diff --git a/data/templates/accel-ppp/config_shaper_radius.j2 b/data/templates/accel-ppp/config_shaper_radius.j2
index 0cf6a6a92..fcd68f69e 100644
--- a/data/templates/accel-ppp/config_shaper_radius.j2
+++ b/data/templates/accel-ppp/config_shaper_radius.j2
@@ -1,6 +1,7 @@
 {% if authentication.mode is vyos_defined('radius') or shaper is vyos_defined %}
 [shaper]
 verbose=1
+down-limiter=tbf
 {%     if authentication.radius.rate_limit.enable is vyos_defined %}
 attr={{ authentication.radius.rate_limit.attribute }}
 {%         if authentication.radius.rate_limit.vendor is vyos_defined %}
@@ -13,7 +14,6 @@ rate-multiplier={{ authentication.radius.rate_limit.multiplier }}
 {%     if shaper is vyos_defined %}
 {%         if shaper.fwmark is vyos_defined %}
 fwmark={{ shaper.fwmark }}
-down-limiter=htb
 {%         endif %}
 {%     endif %}
 {% endif %}
\ No newline at end of file
diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2
index f59428509..588f3d462 100644
--- a/data/templates/accel-ppp/ipoe.config.j2
+++ b/data/templates/accel-ppp/ipoe.config.j2
@@ -14,6 +14,11 @@ ippool
 [core]
 thread-count={{ thread_count }}
 
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
+
 [log]
 syslog=accel-ipoe,daemon
 copy=1
@@ -50,38 +55,18 @@ noauth=1
 username=ifname
 password=csid
 {% endif %}
-{% if client_ip_pool.name is vyos_defined %}
-{%     if first_named_pool is vyos_defined %}
-ip-pool={{ first_named_pool }}
-{%     else %}
-{%         for pool, pool_options in client_ip_pool.name.items() %}
-{%             if pool_options.subnet is vyos_defined %}
-ip-pool={{ pool }}
-{%             endif %}
-{%         endfor %}
-{%     endif %}
-{%     for pool, pool_options in client_ip_pool.name.items() %}
-{%         if pool_options.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }}
-{%         endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
+{% if gateway_address is vyos_defined %}
+{%     for gw_addr in gateway_address %}
+gw-ip-address={{ gw_addr }}
 {%     endfor %}
 {% endif %}
 proxy-arp=1
 
-{% if ordered_named_pools is vyos_defined %}
-[ip-pool]
-{%     for p in ordered_named_pools %}
-{%         for pool, pool_options in p.items() %}
-{%             set next_named_pool = ',next=' ~ pool_options.next_pool if pool_options.next_pool is vyos_defined else '' %}
-{{ pool_options.subnet }},name={{ pool }}{{ next_named_pool }}
-{%         endfor %}
-{%     endfor %}
-{%     for p in ordered_named_pools %}
-{%         for pool, pool_options in p.items() %}
-gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }}
-{%         endfor %}
-{%     endfor %}
-{% endif %}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
 
 {# Common IPv6 pool definitions #}
 {% include 'accel-ppp/config_ipv6_pool.j2' %}
diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2
index a2f9c9fc7..49755254a 100644
--- a/data/templates/accel-ppp/l2tp.config.j2
+++ b/data/templates/accel-ppp/l2tp.config.j2
@@ -2,46 +2,34 @@
 [modules]
 log_syslog
 l2tp
-chap-secrets
-{% for proto in auth_proto %}
-{{ proto }}
-{% endfor %}
-
-{% if auth_mode == 'radius' %}
-radius
-{% endif %}
-
-ippool
 shaper
-ipv6pool
-ipv6_nd
-ipv6_dhcp
+{# Common authentication backend definitions #}
+{% include 'accel-ppp/config_modules_auth_mode.j2' %}
+ippool
+{# Common IPv6 definitions #}
+{% include 'accel-ppp/config_modules_ipv6.j2' %}
+{# Common authentication protocols (pap, chap ...) #}
+{% include 'accel-ppp/config_modules_auth_protocols.j2' %}
 
 [core]
-thread-count={{ thread_cnt }}
+thread-count={{ thread_count }}
+
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [log]
 syslog=accel-l2tp,daemon
 copy=1
 level=5
 
-{% if dnsv4 %}
-[dns]
-{%     for dns in dnsv4 %}
-dns{{ loop.index }}={{ dns }}
-{%     endfor %}
-{% endif %}
-
-{% if dnsv6 %}
-[ipv6-dns]
-{%     for dns in dnsv6 %}
-{{ dns }}
-{%     endfor %}
-{% endif %}
+{# Common DNS name-server definition #}
+{% include 'accel-ppp/config_name_server.j2' %}
 
-{% if wins %}
+{% if wins_server is vyos_defined %}
 [wins]
-{%     for server in wins %}
+{%     for server in wins_server %}
 wins{{ loop.index }}={{ server }}
 {%     endfor %}
 {% endif %}
@@ -50,116 +38,59 @@ wins{{ loop.index }}={{ server }}
 verbose=1
 ifname=l2tp%d
 ppp-max-mtu={{ mtu }}
-mppe={{ ppp_mppe }}
-{% if outside_addr %}
-bind={{ outside_addr }}
+mppe={{ ppp_options.mppe }}
+{% if outside_address is vyos_defined %}
+bind={{ outside_address }}
 {% endif %}
-{% if lns_shared_secret %}
-secret={{ lns_shared_secret }}
+{% if lns.shared_secret is vyos_defined %}
+secret={{ lns.shared_secret }}
 {% endif %}
-{% if lns_host_name %}
-host-name={{ lns_host_name }}
+{% if lns.host_name is vyos_defined %}
+host-name={{ lns.host_name }}
+{% endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
 {% endif %}
 
 [client-ip-range]
 0.0.0.0/0
 
-{% if client_ip_pool or client_ip_subnets %}
-[ip-pool]
-{%     if client_ip_pool %}
-{{ client_ip_pool }}
-{%     endif %}
-{%     if client_ip_subnets %}
-{%         for sn in client_ip_subnets %}
-{{ sn }}
-{%         endfor %}
-{%     endif %}
-{% endif %}
-{% if gateway_address %}
-gw-ip-address={{ gateway_address }}
-{% endif %}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
 
-{% if auth_mode == 'local' %}
-[chap-secrets]
-chap-secrets={{ chap_secrets_file }}
-{% elif auth_mode == 'radius' %}
-[radius]
-verbose=1
-{%     for r in radius_server %}
-server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }}
-{%     endfor %}
-{%     if radius_dynamic_author.server is vyos_defined %}
-dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }}
-{%     endif %}
-{%     if radius_acct_interim_interval is vyos_defined %}
-acct-interim-interval={{ radius_acct_interim_interval }}
-{%     endif %}
-{%     if radius_acct_inter_jitter %}
-acct-interim-jitter={{ radius_acct_inter_jitter }}
-{%     endif %}
-acct-timeout={{ radius_acct_tmo }}
-timeout={{ radius_timeout }}
-max-try={{ radius_max_try }}
-{%     if radius_nas_id %}
-nas-identifier={{ radius_nas_id }}
-{%     endif %}
-{%     if radius_nas_ip %}
-nas-ip-address={{ radius_nas_ip }}
-{%     endif %}
-{%     if radius_source_address %}
-bind={{ radius_source_address }}
-{%     endif %}
-{% endif %}
-{% if gateway_address %}
-gw-ip-address={{ gateway_address }}
-{% endif %}
+{# Common chap-secrets and RADIUS server/option definitions #}
+{% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
 [ppp]
 verbose=1
 check-ip=1
 single-session=replace
-lcp-echo-timeout={{ ppp_echo_timeout }}
-lcp-echo-interval={{ ppp_echo_interval }}
-lcp-echo-failure={{ ppp_echo_failure }}
-{% if ccp_disable %}
+lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
+lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
+lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
+{# MTU #}
+mtu={{ mtu }}
+ipv6={{ 'allow' if ppp_options.ipv6 is vyos_defined("deny") and client_ipv6_pool is vyos_defined else ppp_options.ipv6 }}
+ipv4={{ ppp_options.ipv4 }}
+mppe={{ ppp_options.mppe }}
+{% if ccp_disable is vyos_defined %}
 ccp=0
 {% endif %}
-{% if ppp_ipv6 is vyos_defined %}
-ipv6={{ ppp_ipv6 }}
-{% else %}
-{{ 'ipv6=allow' if client_ipv6_pool_configured else '' }}
-{% endif %}
-{% if ppp_ipv6_intf_id is vyos_defined %}
-ipv6-intf-id={{ ppp_ipv6_intf_id }}
-{% endif %}
-{% if ppp_ipv6_peer_intf_id is vyos_defined %}
-ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }}
-{% endif %}
-ipv6-accept-peer-intf-id={{ "1" if ppp_ipv6_accept_peer_intf_id else "0" }}
+unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
 
-{% if client_ipv6_pool %}
-[ipv6-pool]
-{%     for p in client_ipv6_pool %}
-{{ p.prefix }},{{ p.mask }}
-{%     endfor %}
-{%     for p in client_ipv6_delegate_prefix %}
-delegate={{ p.prefix }},{{ p.mask }}
-{%     endfor %}
+{% if ppp_options.ipv6_intf_id is vyos_defined %}
+ipv6-intf-id={{ ppp_options.ipv6_intf_id }}
 {% endif %}
-
-{% if client_ipv6_delegate_prefix %}
-[ipv6-dhcp]
-verbose=1
+{% if ppp_options.ipv6_peer_intf_id is vyos_defined %}
+ipv6-peer-intf-id={{ ppp_options.ipv6_peer_intf_id }}
 {% endif %}
+ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is vyos_defined else "0" }}
 
-{% if radius_shaper_attr %}
-[shaper]
-verbose=1
-attr={{ radius_shaper_attr }}
-{%     if radius_shaper_vendor %}
-vendor={{ radius_shaper_vendor }}
-{%     endif %}
-{% endif %}
+{# Common IPv6 pool definitions #}
+{% include 'accel-ppp/config_ipv6_pool.j2' %}
+
+{# Common RADIUS shaper configuration #}
+{% include 'accel-ppp/config_shaper_radius.j2' %}
 
 [cli]
 tcp=127.0.0.1:2004
diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2
index dd53edd28..4bb1c4450 100644
--- a/data/templates/accel-ppp/pppoe.config.j2
+++ b/data/templates/accel-ppp/pppoe.config.j2
@@ -62,10 +62,13 @@ wins{{ loop.index }}={{ server }}
 {# Common chap-secrets and RADIUS server/option definitions #}
 {% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
-{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %}
 [common]
+{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %}
 single-session={{ session_control }}
 {% endif %}
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [ppp]
 verbose=1
@@ -105,7 +108,6 @@ unit-cache={{ ppp_options.interface_cache }}
 [pppoe]
 verbose=1
 ac-name={{ access_concentrator }}
-
 {% if interface is vyos_defined %}
 {%     for iface, iface_config in interface.items() %}
 {%         if iface_config.vlan is not vyos_defined %}
@@ -118,11 +120,9 @@ vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }}
 {%         endif %}
 {%     endfor %}
 {% endif %}
-
 {% if service_name %}
 service-name={{ service_name | join(',') }}
 {% endif %}
-
 {% if pado_delay %}
 {%     set pado_delay_param = namespace(value='0') %}
 {%     for delay in pado_delay | sort(attribute='0') %}
@@ -137,21 +137,11 @@ pado-delay={{ pado_delay_param.value }}
 {% if authentication.radius.called_sid_format is vyos_defined %}
 called-sid={{ authentication.radius.called_sid_format }}
 {% endif %}
-
-{% if authentication.mode is vyos_defined("local") or authentication.mode is vyos_defined("noauth") %}
-{%     if authentication.mode is vyos_defined("noauth") %}
+{% if authentication.mode is vyos_defined("noauth") %}
 noauth=1
-{%     endif %}
-{%     if client_ip_pool.name is vyos_defined %}
-{%         for pool, pool_config in client_ip_pool.name.items() %}
-{%             if pool_config.subnet is vyos_defined %}
-ip-pool={{ pool }}
-{%             endif %}
-{%             if pool_config.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_config.gateway_address }}/{{ pool_config.subnet.split('/')[1] }}
-{%             endif %}
-{%         endfor %}
-{%     endif %}
+{% endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
 {% endif %}
 
 {% if limits is vyos_defined %}
diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2
index 0082e55bf..daafd6e92 100644
--- a/data/templates/accel-ppp/pptp.config.j2
+++ b/data/templates/accel-ppp/pptp.config.j2
@@ -3,34 +3,39 @@
 log_syslog
 pptp
 shaper
-{% if auth_mode == 'local' %}
-chap-secrets
-{% elif auth_mode == 'radius' %}
-radius
-{% endif %}
+{# Common authentication backend definitions #}
+{% include 'accel-ppp/config_modules_auth_mode.j2' %}
 ippool
-{% for proto in auth_proto %}
-{{ proto }}
-{% endfor %}
+{# Common authentication protocols (pap, chap ...) #}
+{% if authentication.require is vyos_defined %}
+{%     if authentication.require == 'chap' %}
+auth_chap_md5
+{%     elif authentication.require == 'mschap' %}
+auth_mschap_v1
+{%     else %}
+auth_{{ authentication.require.replace('-', '_') }}
+{%     endif %}
+{% endif %}
 
 [core]
-thread-count={{ thread_cnt }}
+thread-count={{ thread_count }}
+
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [log]
 syslog=accel-pptp,daemon
 copy=1
 level=5
 
-{% if dnsv4 %}
-[dns]
-{%     for dns in dnsv4 %}
-dns{{ loop.index }}={{ dns }}
-{%     endfor %}
-{% endif %}
+{# Common DNS name-server definition #}
+{% include 'accel-ppp/config_name_server.j2' %}
 
-{% if wins %}
+{% if wins_server is vyos_defined %}
 [wins]
-{%     for server in wins %}
+{%     for server in wins_server %}
 wins{{ loop.index }}={{ server }}
 {%     endfor %}
 {% endif %}
@@ -38,77 +43,34 @@ wins{{ loop.index }}={{ server }}
 
 [pptp]
 ifname=pptp%d
-{% if outside_addr %}
-bind={{ outside_addr }}
+{% if outside_address is vyos_defined %}
+bind={{ outside_address }}
 {% endif %}
 verbose=1
 ppp-max-mtu={{ mtu }}
-mppe={{ ppp_mppe }}
+mppe={{ authentication.mppe }}
 echo-interval=10
 echo-failure=3
-
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
 
 [client-ip-range]
 0.0.0.0/0
 
-[ip-pool]
-tunnel={{ client_ip_pool }}
-gw-ip-address={{ gw_ip }}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
 
 [ppp]
 verbose=5
 check-ip=1
 single-session=replace
 
-{% if auth_mode == 'local' %}
-[chap-secrets]
-chap-secrets={{ chap_secrets_file }}
-{% elif auth_mode == 'radius' %}
-[radius]
-verbose=1
-{%     for r in radius_server %}
-server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }}
-{%     endfor %}
-
-{%     if radius_acct_interim_interval is vyos_defined %}
-acct-interim-interval={{ radius_acct_interim_interval }}
-{%     endif %}
-{%     if radius_acct_inter_jitter %}
-acct-interim-jitter={{ radius_acct_inter_jitter }}
-{%     endif %}
-
-acct-timeout={{ radius_acct_tmo }}
-timeout={{ radius_timeout }}
-max-try={{ radius_max_try }}
+{# Common chap-secrets and RADIUS server/option definitions #}
+{% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
-{%     if radius_nas_id %}
-nas-identifier={{ radius_nas_id }}
-{%     endif %}
-{%     if radius_nas_ip %}
-nas-ip-address={{ radius_nas_ip }}
-{%     endif %}
-{%     if radius_source_address %}
-bind={{ radius_source_address }}
-{%     endif %}
-{% endif %}
-{# Both chap-secrets and radius block required the gw-ip-address #}
-{% if gw_ip is defined and gw_ip is not none %}
-gw-ip-address={{ gw_ip }}
-{% endif %}
-
-{% if radius_shaper_enable %}
-[shaper]
-verbose=1
-{%     if radius_shaper_attr %}
-attr={{ radius_shaper_attr }}
-{%     endif %}
-{%     if radius_shaper_multiplier %}
-rate-multiplier={{ radius_shaper_multiplier }}
-{%     endif %}
-{%     if radius_shaper_vendor %}
-vendor={{ radius_shaper_vendor }}
-{%     endif %}
-{% endif %}
+{# Common RADIUS shaper configuration #}
+{% include 'accel-ppp/config_shaper_radius.j2' %}
 
 [cli]
 tcp=127.0.0.1:2003
diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2
index 7ee28dd21..014ae1235 100644
--- a/data/templates/accel-ppp/sstp.config.j2
+++ b/data/templates/accel-ppp/sstp.config.j2
@@ -16,6 +16,9 @@ thread-count={{ thread_count }}
 
 [common]
 single-session=replace
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [log]
 syslog=accel-sstp,daemon
@@ -33,6 +36,9 @@ accept=ssl
 ssl-ca-file=/run/accel-pppd/sstp-ca.pem
 ssl-pemfile=/run/accel-pppd/sstp-cert.pem
 ssl-keyfile=/run/accel-pppd/sstp-cert.key
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
 
 {# Common IP pool definitions #}
 {% include 'accel-ppp/config_ip_pool.j2' %}
@@ -51,9 +57,9 @@ verbose=1
 check-ip=1
 {# MTU #}
 mtu={{ mtu }}
+unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
 ipv6={{ 'allow' if ppp_options.ipv6 is vyos_defined("deny") and client_ipv6_pool is vyos_defined else ppp_options.ipv6 }}
 ipv4={{ ppp_options.ipv4 }}
-
 mppe={{ ppp_options.mppe }}
 lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
 lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
diff --git a/data/templates/bcast-relay/udp-broadcast-relay.j2 b/data/templates/bcast-relay/udp-broadcast-relay.j2
index 75740e04c..3f5b5bbe3 100644
--- a/data/templates/bcast-relay/udp-broadcast-relay.j2
+++ b/data/templates/bcast-relay/udp-broadcast-relay.j2
@@ -1,4 +1,4 @@
-### Autogenerated by bcast_relay.py ###
+### Autogenerated by service_broadcast-relay.py ###
 
 # UDP broadcast relay configuration for instance {{ id }}
 {{ '# ' ~ description if description is vyos_defined }}
diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2
index 0daec8fb8..d02fbf71d 100644
--- a/data/templates/chrony/chrony.conf.j2
+++ b/data/templates/chrony/chrony.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ntp.py ###
+### Autogenerated by service_ntp.py ###
 
 # This would step the system clock if the adjustment is larger than 0.1 seconds,
 # but only in the first three clock updates.
diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2
index 075402c04..9ea1ed2d8 100644
--- a/data/templates/conntrack/sysctl.conf.j2
+++ b/data/templates/conntrack/sysctl.conf.j2
@@ -1,4 +1,4 @@
-# Autogenerated by conntrack.py
+# Autogenerated by system_conntrack.py
 {# all values have defaults - thus no checking required #}
 
 net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }}
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
index 111459485..290607662 100644
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
@@ -1,3 +1,2 @@
-# Autogenerated by conntrack.py
+# Autogenerated by system_conntrack.py
 options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
-
diff --git a/data/templates/conntrackd/conntrackd.conf.j2 b/data/templates/conntrackd/conntrackd.conf.j2
index 808a77759..8f56c8171 100644
--- a/data/templates/conntrackd/conntrackd.conf.j2
+++ b/data/templates/conntrackd/conntrackd.conf.j2
@@ -1,4 +1,4 @@
-# autogenerated by conntrack_sync.py
+### autogenerated by service_conntrack-sync.py ###
 
 # Synchronizer settings
 Sync {
@@ -111,4 +111,3 @@ General {
     }
 {% endif %}
 }
-
diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2
index c635ca213..c8b54dfbb 100644
--- a/data/templates/container/containers.conf.j2
+++ b/data/templates/container/containers.conf.j2
@@ -1,709 +1,709 @@
-### Autogenerated by container.py ###

-

-# The containers configuration file specifies all of the available configuration

-# command-line options/flags for container engine tools like Podman & Buildah,

-# but in a TOML format that can be easily modified and versioned.

-

-# Please refer to containers.conf(5) for details of all configuration options.

-# Not all container engines implement all of the options.

-# All of the options have hard coded defaults and these options will override

-# the built in defaults. Users can then override these options via the command

-# line. Container engines will read containers.conf files in up to three

-# locations in the following order:

-#  1. /usr/share/containers/containers.conf

-#  2. /etc/containers/containers.conf

-#  3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)

-#  Items specified in the latter containers.conf, if they exist, override the

-# previous containers.conf settings, or the default settings.

-

-[containers]

-

-# List of annotation. Specified as

-# "key = value"

-# If it is empty or commented out, no annotations will be added

-#

-#annotations = []

-

-# Used to change the name of the default AppArmor profile of container engine.

-#

-#apparmor_profile = "container-default"

-

-# The hosts entries from the base hosts file are added to the containers hosts

-# file. This must be either an absolute path or as special values "image" which

-# uses the hosts file from the container image or "none" which means

-# no base hosts file is used. The default is "" which will use /etc/hosts.

-#

-#base_hosts_file = ""

-

-# Default way to to create a cgroup namespace for the container

-# Options are:

-# `private` Create private Cgroup Namespace for the container.

-# `host`    Share host Cgroup Namespace with the container.

-#

-#cgroupns = "private"

-

-# Control container cgroup configuration

-# Determines  whether  the  container will create CGroups.

-# Options are:

-# `enabled`   Enable cgroup support within container

-# `disabled`  Disable cgroup support, will inherit cgroups from parent

-# `no-conmon` Do not create a cgroup dedicated to conmon.

-#

-#cgroups = "enabled"

-

-# List of default capabilities for containers. If it is empty or commented out,

-# the default capabilities defined in the container engine will be added.

-#

-default_capabilities = [

-  "CHOWN",

-  "DAC_OVERRIDE",

-  "FOWNER",

-  "FSETID",

-  "KILL",

-  "NET_BIND_SERVICE",

-  "SETFCAP",

-  "SETGID",

-  "SETPCAP",

-  "SETUID",

-  "SYS_CHROOT"

-]

-

-# A list of sysctls to be set in containers by default,

-# specified as "name=value",

-# for example:"net.ipv4.ping_group_range=0 0".

-#

-default_sysctls = [

-  "net.ipv4.ping_group_range=0 0",

-]

-

-# A list of ulimits to be set in containers by default, specified as

-# "<ulimit name>=<soft limit>:<hard limit>", for example:

-# "nofile=1024:2048"

-# See setrlimit(2) for a list of resource names.

-# Any limit not specified here will be inherited from the process launching the

-# container engine.

-# Ulimits has limits for non privileged container engines.

-#

-#default_ulimits = [

-#  "nofile=1280:2560",

-#]

-

-# List of devices. Specified as

-# "<device-on-host>:<device-on-container>:<permissions>", for example:

-# "/dev/sdc:/dev/xvdc:rwm".

-# If it is empty or commented out, only the default devices will be used

-#

-#devices = []

-

-# List of default DNS options to be added to /etc/resolv.conf inside of the container.

-#

-#dns_options = []

-

-# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.

-#

-#dns_searches = []

-

-# Set default DNS servers.

-# This option can be used to override the DNS configuration passed to the

-# container. The special value "none" can be specified to disable creation of

-# /etc/resolv.conf in the container.

-# The /etc/resolv.conf file in the image will be used without changes.

-#

-#dns_servers = []

-

-# Environment variable list for the conmon process; used for passing necessary

-# environment variables to conmon or the runtime.

-#

-#env = [

-#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",

-#  "TERM=xterm",

-#]

-

-# Pass all host environment variables into the container.

-#

-#env_host = false

-

-# Set the ip for the host.containers.internal entry in the containers /etc/hosts

-# file. This can be set to "none" to disable adding this entry. By default it

-# will automatically choose the host ip.

-#

-# NOTE: When using podman machine this entry will never be added to the containers

-# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore

-# it is not possible to disable the entry in this case.

-#

-#host_containers_internal_ip = ""

-

-# Default proxy environment variables passed into the container.

-# The environment variables passed in include:

-# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of

-# these. This option is needed when host system uses a proxy but container

-# should not use proxy. Proxy environment variables specified for the container

-# in any other way will override the values passed from the host.

-#

-#http_proxy = true

-

-# Run an init inside the container that forwards signals and reaps processes.

-#

-#init = false

-

-# Container init binary, if init=true, this is the init binary to be used for containers.

-#

-#init_path = "/usr/libexec/podman/catatonit"

-

-# Default way to to create an IPC namespace (POSIX SysV IPC) for the container

-# Options are:

-#  "host"     Share host IPC Namespace with the container.

-#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.

-#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.

-#  "shareable" Create shareable IPC Namespace for the container.

-#

-#ipcns = "shareable"

-

-# keyring tells the container engine whether to create

-# a kernel keyring for use within the container.

-#

-#keyring = true

-

-# label tells the container engine whether to use container separation using

-# MAC(SELinux) labeling or not.

-# The label flag is ignored on label disabled systems.

-#

-#label = true

-

-# Logging driver for the container. Available options: k8s-file and journald.

-#

-#log_driver = "k8s-file"

-

-# Maximum size allowed for the container log file. Negative numbers indicate

-# that no size limit is imposed. If positive, it must be >= 8192 to match or

-# exceed conmon's read buffer. The file is truncated and re-opened so the

-# limit is never exceeded.

-#

-#log_size_max = -1

-

-# Specifies default format tag for container log messages.

-# This is useful for creating a specific tag for container log messages.

-# Containers logs default to truncated container ID as a tag.

-#

-#log_tag = ""

-

-# Default way to to create a Network namespace for the container

-# Options are:

-# `private` Create private Network Namespace for the container.

-# `host`    Share host Network Namespace with the container.

-# `none`    Containers do not use the network

-#

-#netns = "private"

-

-# Create /etc/hosts for the container.  By default, container engine manage

-# /etc/hosts, automatically adding  the container's  own  IP  address.

-#

-#no_hosts = false

-

-# Default way to to create a PID namespace for the container

-# Options are:

-# `private` Create private PID Namespace for the container.

-# `host`    Share host PID Namespace with the container.

-#

-#pidns = "private"

-

-# Maximum number of processes allowed in a container.

-#

-#pids_limit = 2048

-

-# Copy the content from the underlying image into the newly created volume

-# when the container is created instead of when it is started. If false,

-# the container engine will not copy the content until the container is started.

-# Setting it to true may have negative performance implications.

-#

-#prepare_volume_on_create = false

-

-# Path to the seccomp.json profile which is used as the default seccomp profile

-# for the runtime.

-#

-#seccomp_profile = "/usr/share/containers/seccomp.json"

-

-# Size of /dev/shm. Specified as <number><unit>.

-# Unit is optional, values:

-# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).

-# If the unit is omitted, the system uses bytes.

-#

-#shm_size = "65536k"

-

-# Set timezone in container. Takes IANA timezones as well as "local",

-# which sets the timezone in the container to match the host machine.

-#

-#tz = ""

-

-# Set umask inside the container

-#

-#umask = "0022"

-

-# Default way to to create a User namespace for the container

-# Options are:

-# `auto`        Create unique User Namespace for the container.

-# `host`    Share host User Namespace with the container.

-#

-#userns = "host"

-

-# Number of UIDs to allocate for the automatic container creation.

-# UIDs are allocated from the "container" UIDs listed in

-# /etc/subuid & /etc/subgid

-#

-#userns_size = 65536

-

-# Default way to to create a UTS namespace for the container

-# Options are:

-# `private`        Create private UTS Namespace for the container.

-# `host`    Share host UTS Namespace with the container.

-#

-#utsns = "private"

-

-# List of volumes. Specified as

-# "<directory-on-host>:<directory-in-container>:<options>", for example:

-# "/db:/var/lib/db:ro".

-# If it is empty or commented out, no volumes will be added

-#

-#volumes = []

-

-[secrets]

-#driver = "file"

-

-[secrets.opts]

-#root = "/example/directory"

-

-[network]

-

-# Network backend determines what network driver will be used to set up and tear down container networks.

-# Valid values are "cni" and "netavark".

-# The default value is empty which means that it will automatically choose CNI or netavark. If there are

-# already containers/images or CNI networks preset it will choose CNI.

-#

-# Before changing this value all containers must be stopped otherwise it is likely that

-# iptables rules and network interfaces might leak on the host. A reboot will fix this.

-#

-network_backend = "netavark"

-

-# Path to directory where CNI plugin binaries are located.

-#

-#cni_plugin_dirs = [

-#  "/usr/local/libexec/cni",

-#  "/usr/libexec/cni",

-#  "/usr/local/lib/cni",

-#  "/usr/lib/cni",

-#  "/opt/cni/bin",

-#]

-

-# The network name of the default network to attach pods to.

-#

-#default_network = "podman"

-

-# The default subnet for the default network given in default_network.

-# If a network with that name does not exist, a new network using that name and

-# this subnet will be created.

-# Must be a valid IPv4 CIDR prefix.

-#

-#default_subnet = "10.88.0.0/16"

-

-# DefaultSubnetPools is a list of subnets and size which are used to

-# allocate subnets automatically for podman network create.

-# It will iterate through the list and will pick the first free subnet

-# with the given size. This is only used for ipv4 subnets, ipv6 subnets

-# are always assigned randomly.

-#

-#default_subnet_pools = [

-#  {"base" = "10.89.0.0/16", "size" = 24},

-#  {"base" = "10.90.0.0/15", "size" = 24},

-#  {"base" = "10.92.0.0/14", "size" = 24},

-#  {"base" = "10.96.0.0/11", "size" = 24},

-#  {"base" = "10.128.0.0/9", "size" = 24},

-#]

-

-# Path to the directory where network configuration files are located.

-# For the CNI backend the default is "/etc/cni/net.d" as root

-# and "$HOME/.config/cni/net.d" as rootless.

-# For the netavark backend "/etc/containers/networks" is used as root

-# and "$graphroot/networks" as rootless.

-#

-#network_config_dir = "/etc/cni/net.d/"

-

-# Port to use for dns forwarding daemon with netavark in rootful bridge

-# mode and dns enabled.

-# Using an alternate port might be useful if other dns services should

-# run on the machine.

-#

-#dns_bind_port = 53

-

-[engine]

-# Index to the active service

-#

-#active_service = production

-

-# The compression format to use when pushing an image.

-# Valid options are: `gzip`, `zstd` and `zstd:chunked`.

-#

-#compression_format = "gzip"

-

-

-# Cgroup management implementation used for the runtime.

-# Valid options "systemd" or "cgroupfs"

-#

-#cgroup_manager = "systemd"

-

-# Environment variables to pass into conmon

-#

-#conmon_env_vars = [

-#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

-#]

-

-# Paths to look for the conmon container manager binary

-#

-#conmon_path = [

-#  "/usr/libexec/podman/conmon",

-#  "/usr/local/libexec/podman/conmon",

-#  "/usr/local/lib/podman/conmon",

-#  "/usr/bin/conmon",

-#  "/usr/sbin/conmon",

-#  "/usr/local/bin/conmon",

-#  "/usr/local/sbin/conmon"

-#]

-

-# Enforces using docker.io for completing short names in Podman's compatibility

-# REST API. Note that this will ignore unqualified-search-registries and

-# short-name aliases defined in containers-registries.conf(5).

-#compat_api_enforce_docker_hub = true

-

-# Specify the keys sequence used to detach a container.

-# Format is a single character [a-Z] or a comma separated sequence of

-# `ctrl-<value>`, where `<value>` is one of:

-# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`

-#

-#detach_keys = "ctrl-p,ctrl-q"

-

-# Determines whether engine will reserve ports on the host when they are

-# forwarded to containers. When enabled, when ports are forwarded to containers,

-# ports are held open by as long as the container is running, ensuring that

-# they cannot be reused by other programs on the host. However, this can cause

-# significant memory usage if a container has many ports forwarded to it.

-# Disabling this can save memory.

-#

-#enable_port_reservation = true

-

-# Environment variables to be used when running the container engine (e.g., Podman, Buildah).

-# For example "http_proxy=internal.proxy.company.com".

-# Note these environment variables will not be used within the container.

-# Set the env section under [containers] table, if you want to set environment variables for the container.

-#

-#env = []

-

-# Define where event logs will be stored, when events_logger is "file".

-#events_logfile_path=""

-

-# Sets the maximum size for events_logfile_path.

-# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).

-# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.

-# If no unit is included then the size will be read in bytes.

-# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.

-# If the maximum size is set to 0, then no limit will be applied,

-# and the logfile will not be rotated.

-#events_logfile_max_size = "1m"

-

-# Selects which logging mechanism to use for container engine events.

-# Valid values are `journald`, `file` and `none`.

-#

-#events_logger = "journald"

-

-# A is a list of directories which are used to search for helper binaries.

-#

-#helper_binaries_dir = [

-#  "/usr/local/libexec/podman",

-#  "/usr/local/lib/podman",

-#  "/usr/libexec/podman",

-#  "/usr/lib/podman",

-#]

-

-# Path to OCI hooks directories for automatically executed hooks.

-#

-#hooks_dir = [

-#  "/usr/share/containers/oci/hooks.d",

-#]

-

-# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building

-# container images. By default image pulled and pushed match the format of the

-# source image. Building/committing defaults to OCI.

-#

-#image_default_format = ""

-

-# Default transport method for pulling and pushing for images

-#

-#image_default_transport = "docker://"

-

-# Maximum number of image layers to be copied (pulled/pushed) simultaneously.

-# Not setting this field, or setting it to zero, will fall back to containers/image defaults.

-#

-#image_parallel_copies = 0

-

-# Tells container engines how to handle the builtin image volumes.

-#   * bind: An anonymous named volume will be created and mounted

-#     into the container.

-#   * tmpfs: The volume is mounted onto the container as a tmpfs,

-#     which allows users to create content that disappears when

-#     the container is stopped.

-#   * ignore: All volumes are just ignored and no action is taken.

-#

-#image_volume_mode = ""

-

-# Default command to run the infra container

-#

-#infra_command = "/pause"

-

-# Infra (pause) container image name for pod infra containers.  When running a

-# pod, we start a `pause` process in a container to hold open the namespaces

-# associated with the  pod.  This container does nothing other then sleep,

-# reserving the pods resources for the lifetime of the pod. By default container

-# engines run a builtin container using the pause executable. If you want override

-# specify an image to pull.

-#

-#infra_image = ""

-

-# Specify the locking mechanism to use; valid values are "shm" and "file".

-# Change the default only if you are sure of what you are doing, in general

-# "file" is useful only on platforms where cgo is not available for using the

-# faster "shm" lock type. You may need to run "podman system renumber" after

-# you change the lock type.

-#

-#lock_type** = "shm"

-

-# MultiImageArchive - if true, the container engine allows for storing archives

-# (e.g., of the docker-archive transport) with multiple images.  By default,

-# Podman creates single-image archives.

-#

-#multi_image_archive = "false"

-

-# Default engine namespace

-# If engine is joined to a namespace, it will see only containers and pods

-# that were created in the same namespace, and will create new containers and

-# pods in that namespace.

-# The default namespace is "", which corresponds to no namespace. When no

-# namespace is set, all containers and pods are visible.

-#

-#namespace = ""

-

-# Path to the slirp4netns binary

-#

-#network_cmd_path = ""

-

-# Default options to pass to the slirp4netns binary.

-# Valid options values are:

-#

-# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).

-#   Default is false.

-# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).

-# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).

-# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).

-# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).

-# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.

-# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).

-# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.

-# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.

-#   Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container

-#   network namespace, usually `10.0.2.100`. If your application requires the real source IP address,

-#   e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for

-#   rootless containers when connected to user-defined networks.

-# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but

-#   preserves the correct source IP address. This port handler cannot be used for user-defined networks.

-#

-#network_cmd_options = []

-

-# Whether to use chroot instead of pivot_root in the runtime

-#

-#no_pivot_root = false

-

-# Number of locks available for containers and pods.

-# If this is changed, a lock renumber must be performed (e.g. with the

-# 'podman system renumber' command).

-#

-#num_locks = 2048

-

-# Set the exit policy of the pod when the last container exits.

-#pod_exit_policy = "continue"

-

-# Whether to pull new image before running a container

-#

-#pull_policy = "missing"

-

-# Indicates whether the application should be running in remote mode. This flag modifies the

-# --remote option on container engines. Setting the flag to true will default

-# `podman --remote=true` for access to the remote Podman service.

-#

-#remote = false

-

-# Default OCI runtime

-#

-#runtime = "crun"

-

-# List of the OCI runtimes that support --format=json. When json is supported

-# engine will use it for reporting nicer errors.

-#

-#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]

-

-# List of the OCI runtimes that supports running containers with KVM Separation.

-#

-#runtime_supports_kvm = ["kata", "krun"]

-

-# List of the OCI runtimes that supports running containers without cgroups.

-#

-#runtime_supports_nocgroups = ["crun", "krun"]

-

-# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment

-# variable. If you specify "storage", then the location of the

-# container/storage tmp directory will be used.

-# image_copy_tmp_dir="/var/tmp"

-

-# Number of seconds to wait without a connection

-# before the `podman system service` times out and exits

-#

-#service_timeout = 5

-

-# Directory for persistent engine files (database, etc)

-# By default, this will be configured relative to where the containers/storage

-# stores containers

-# Uncomment to change location from this default

-#

-#static_dir = "/var/lib/containers/storage/libpod"

-

-# Number of seconds to wait for container to exit before sending kill signal.

-#

-#stop_timeout = 10

-

-# Number of seconds to wait before exit command in API process is given to.

-# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).

-#

-#exit_command_delay = 300

-

-# map of service destinations

-#

-#[service_destinations]

-#  [service_destinations.production]

-#     URI to access the Podman service

-#     Examples:

-#       rootless "unix://run/user/$UID/podman/podman.sock" (Default)

-#       rootful "unix://run/podman/podman.sock (Default)

-#       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock

-#       remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock

-#

-#    uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"

-#    Path to file containing ssh identity key

-#    identity = "~/.ssh/id_rsa"

-

-# Directory for temporary files. Must be tmpfs (wiped after reboot)

-#

-#tmp_dir = "/run/libpod"

-

-# Directory for libpod named volumes.

-# By default, this will be configured relative to where containers/storage

-# stores containers.

-# Uncomment to change location from this default.

-#

-#volume_path = "/var/lib/containers/storage/volumes"

-

-# Default timeout (in seconds) for volume plugin operations.

-# Plugins are external programs accessed via a REST API; this sets a timeout

-# for requests to that API.

-# A value of 0 is treated as no timeout.

-#volume_plugin_timeout = 5

-

-# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)

-[engine.runtimes]

-#crun = [

-#  "/usr/bin/crun",

-#  "/usr/sbin/crun",

-#  "/usr/local/bin/crun",

-#  "/usr/local/sbin/crun",

-#  "/sbin/crun",

-#  "/bin/crun",

-#  "/run/current-system/sw/bin/crun",

-#]

-

-#kata = [

-#  "/usr/bin/kata-runtime",

-#  "/usr/sbin/kata-runtime",

-#  "/usr/local/bin/kata-runtime",

-#  "/usr/local/sbin/kata-runtime",

-#  "/sbin/kata-runtime",

-#  "/bin/kata-runtime",

-#  "/usr/bin/kata-qemu",

-#  "/usr/bin/kata-fc",

-#]

-

-#runc = [

-#  "/usr/bin/runc",

-#  "/usr/sbin/runc",

-#  "/usr/local/bin/runc",

-#  "/usr/local/sbin/runc",

-#  "/sbin/runc",

-#  "/bin/runc",

-#  "/usr/lib/cri-o-runc/sbin/runc",

-#]

-

-#runsc = [

-#  "/usr/bin/runsc",

-#  "/usr/sbin/runsc",

-#  "/usr/local/bin/runsc",

-#  "/usr/local/sbin/runsc",

-#  "/bin/runsc",

-#  "/sbin/runsc",

-#  "/run/current-system/sw/bin/runsc",

-#]

-

-#krun = [

-#  "/usr/bin/krun",

-#  "/usr/local/bin/krun",

-#]

-

-[engine.volume_plugins]

-#testplugin = "/run/podman/plugins/test.sock"

-

-[machine]

-# Number of CPU's a machine is created with.

-#

-#cpus=1

-

-# The size of the disk in GB created when init-ing a podman-machine VM.

-#

-#disk_size=10

-

-# Default image URI when creating a new VM using `podman machine init`.

-# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major

-# version of the OS (e.g `36`) for Fedora 36. For all platforms you can

-# alternatively specify a custom download URL to an image. Container engines

-# translate URIs $OS and $ARCH to the native OS and ARCH. URI

-# "https://example.com/$OS/$ARCH/foobar.ami" becomes

-# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.

-# The default value is `testing`.

-#

-# image = "testing"

-

-# Memory in MB a machine is created with.

-#

-#memory=2048

-

-# The username to use and create on the podman machine OS for rootless

-# container access.

-#

-#user = "core"

-

-# Host directories to be mounted as volumes into the VM by default.

-# Environment variables like $HOME as well as complete paths are supported for

-# the source and destination. An optional third field `:ro` can be used to

-# tell the container engines to mount the volume readonly.

-#

-# volumes = [

-#  "$HOME:$HOME",

-#]

-

-# The [machine] table MUST be the last entry in this file.

-# (Unless another table is added)

-# TOML does not provide a way to end a table other than a further table being

-# defined, so every key hereafter will be part of [machine] and not the

-# main config.

+### Autogenerated by container.py ###
+
+# The containers configuration file specifies all of the available configuration
+# command-line options/flags for container engine tools like Podman & Buildah,
+# but in a TOML format that can be easily modified and versioned.
+
+# Please refer to containers.conf(5) for details of all configuration options.
+# Not all container engines implement all of the options.
+# All of the options have hard coded defaults and these options will override
+# the built in defaults. Users can then override these options via the command
+# line. Container engines will read containers.conf files in up to three
+# locations in the following order:
+#  1. /usr/share/containers/containers.conf
+#  2. /etc/containers/containers.conf
+#  3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)
+#  Items specified in the latter containers.conf, if they exist, override the
+# previous containers.conf settings, or the default settings.
+
+[containers]
+
+# List of annotation. Specified as
+# "key = value"
+# If it is empty or commented out, no annotations will be added
+#
+#annotations = []
+
+# Used to change the name of the default AppArmor profile of container engine.
+#
+#apparmor_profile = "container-default"
+
+# The hosts entries from the base hosts file are added to the containers hosts
+# file. This must be either an absolute path or as special values "image" which
+# uses the hosts file from the container image or "none" which means
+# no base hosts file is used. The default is "" which will use /etc/hosts.
+#
+#base_hosts_file = ""
+
+# Default way to to create a cgroup namespace for the container
+# Options are:
+# `private` Create private Cgroup Namespace for the container.
+# `host`    Share host Cgroup Namespace with the container.
+#
+#cgroupns = "private"
+
+# Control container cgroup configuration
+# Determines  whether  the  container will create CGroups.
+# Options are:
+# `enabled`   Enable cgroup support within container
+# `disabled`  Disable cgroup support, will inherit cgroups from parent
+# `no-conmon` Do not create a cgroup dedicated to conmon.
+#
+#cgroups = "enabled"
+
+# List of default capabilities for containers. If it is empty or commented out,
+# the default capabilities defined in the container engine will be added.
+#
+default_capabilities = [
+  "CHOWN",
+  "DAC_OVERRIDE",
+  "FOWNER",
+  "FSETID",
+  "KILL",
+  "NET_BIND_SERVICE",
+  "SETFCAP",
+  "SETGID",
+  "SETPCAP",
+  "SETUID",
+  "SYS_CHROOT"
+]
+
+# A list of sysctls to be set in containers by default,
+# specified as "name=value",
+# for example:"net.ipv4.ping_group_range=0 0".
+#
+default_sysctls = [
+  "net.ipv4.ping_group_range=0 0",
+]
+
+# A list of ulimits to be set in containers by default, specified as
+# "<ulimit name>=<soft limit>:<hard limit>", for example:
+# "nofile=1024:2048"
+# See setrlimit(2) for a list of resource names.
+# Any limit not specified here will be inherited from the process launching the
+# container engine.
+# Ulimits has limits for non privileged container engines.
+#
+#default_ulimits = [
+#  "nofile=1280:2560",
+#]
+
+# List of devices. Specified as
+# "<device-on-host>:<device-on-container>:<permissions>", for example:
+# "/dev/sdc:/dev/xvdc:rwm".
+# If it is empty or commented out, only the default devices will be used
+#
+#devices = []
+
+# List of default DNS options to be added to /etc/resolv.conf inside of the container.
+#
+#dns_options = []
+
+# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.
+#
+#dns_searches = []
+
+# Set default DNS servers.
+# This option can be used to override the DNS configuration passed to the
+# container. The special value "none" can be specified to disable creation of
+# /etc/resolv.conf in the container.
+# The /etc/resolv.conf file in the image will be used without changes.
+#
+#dns_servers = []
+
+# Environment variable list for the conmon process; used for passing necessary
+# environment variables to conmon or the runtime.
+#
+#env = [
+#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+#  "TERM=xterm",
+#]
+
+# Pass all host environment variables into the container.
+#
+#env_host = false
+
+# Set the ip for the host.containers.internal entry in the containers /etc/hosts
+# file. This can be set to "none" to disable adding this entry. By default it
+# will automatically choose the host ip.
+#
+# NOTE: When using podman machine this entry will never be added to the containers
+# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
+# it is not possible to disable the entry in this case.
+#
+#host_containers_internal_ip = ""
+
+# Default proxy environment variables passed into the container.
+# The environment variables passed in include:
+# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
+# these. This option is needed when host system uses a proxy but container
+# should not use proxy. Proxy environment variables specified for the container
+# in any other way will override the values passed from the host.
+#
+#http_proxy = true
+
+# Run an init inside the container that forwards signals and reaps processes.
+#
+#init = false
+
+# Container init binary, if init=true, this is the init binary to be used for containers.
+#
+#init_path = "/usr/libexec/podman/catatonit"
+
+# Default way to to create an IPC namespace (POSIX SysV IPC) for the container
+# Options are:
+#  "host"     Share host IPC Namespace with the container.
+#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.
+#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.
+#  "shareable" Create shareable IPC Namespace for the container.
+#
+#ipcns = "shareable"
+
+# keyring tells the container engine whether to create
+# a kernel keyring for use within the container.
+#
+#keyring = true
+
+# label tells the container engine whether to use container separation using
+# MAC(SELinux) labeling or not.
+# The label flag is ignored on label disabled systems.
+#
+#label = true
+
+# Logging driver for the container. Available options: k8s-file and journald.
+#
+#log_driver = "k8s-file"
+
+# Maximum size allowed for the container log file. Negative numbers indicate
+# that no size limit is imposed. If positive, it must be >= 8192 to match or
+# exceed conmon's read buffer. The file is truncated and re-opened so the
+# limit is never exceeded.
+#
+#log_size_max = -1
+
+# Specifies default format tag for container log messages.
+# This is useful for creating a specific tag for container log messages.
+# Containers logs default to truncated container ID as a tag.
+#
+#log_tag = ""
+
+# Default way to to create a Network namespace for the container
+# Options are:
+# `private` Create private Network Namespace for the container.
+# `host`    Share host Network Namespace with the container.
+# `none`    Containers do not use the network
+#
+#netns = "private"
+
+# Create /etc/hosts for the container.  By default, container engine manage
+# /etc/hosts, automatically adding  the container's  own  IP  address.
+#
+#no_hosts = false
+
+# Default way to to create a PID namespace for the container
+# Options are:
+# `private` Create private PID Namespace for the container.
+# `host`    Share host PID Namespace with the container.
+#
+#pidns = "private"
+
+# Maximum number of processes allowed in a container.
+#
+#pids_limit = 2048
+
+# Copy the content from the underlying image into the newly created volume
+# when the container is created instead of when it is started. If false,
+# the container engine will not copy the content until the container is started.
+# Setting it to true may have negative performance implications.
+#
+#prepare_volume_on_create = false
+
+# Path to the seccomp.json profile which is used as the default seccomp profile
+# for the runtime.
+#
+#seccomp_profile = "/usr/share/containers/seccomp.json"
+
+# Size of /dev/shm. Specified as <number><unit>.
+# Unit is optional, values:
+# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# If the unit is omitted, the system uses bytes.
+#
+#shm_size = "65536k"
+
+# Set timezone in container. Takes IANA timezones as well as "local",
+# which sets the timezone in the container to match the host machine.
+#
+#tz = ""
+
+# Set umask inside the container
+#
+#umask = "0022"
+
+# Default way to to create a User namespace for the container
+# Options are:
+# `auto`        Create unique User Namespace for the container.
+# `host`    Share host User Namespace with the container.
+#
+#userns = "host"
+
+# Number of UIDs to allocate for the automatic container creation.
+# UIDs are allocated from the "container" UIDs listed in
+# /etc/subuid & /etc/subgid
+#
+#userns_size = 65536
+
+# Default way to to create a UTS namespace for the container
+# Options are:
+# `private`        Create private UTS Namespace for the container.
+# `host`    Share host UTS Namespace with the container.
+#
+#utsns = "private"
+
+# List of volumes. Specified as
+# "<directory-on-host>:<directory-in-container>:<options>", for example:
+# "/db:/var/lib/db:ro".
+# If it is empty or commented out, no volumes will be added
+#
+#volumes = []
+
+[secrets]
+#driver = "file"
+
+[secrets.opts]
+#root = "/example/directory"
+
+[network]
+
+# Network backend determines what network driver will be used to set up and tear down container networks.
+# Valid values are "cni" and "netavark".
+# The default value is empty which means that it will automatically choose CNI or netavark. If there are
+# already containers/images or CNI networks preset it will choose CNI.
+#
+# Before changing this value all containers must be stopped otherwise it is likely that
+# iptables rules and network interfaces might leak on the host. A reboot will fix this.
+#
+network_backend = "netavark"
+
+# Path to directory where CNI plugin binaries are located.
+#
+#cni_plugin_dirs = [
+#  "/usr/local/libexec/cni",
+#  "/usr/libexec/cni",
+#  "/usr/local/lib/cni",
+#  "/usr/lib/cni",
+#  "/opt/cni/bin",
+#]
+
+# The network name of the default network to attach pods to.
+#
+#default_network = "podman"
+
+# The default subnet for the default network given in default_network.
+# If a network with that name does not exist, a new network using that name and
+# this subnet will be created.
+# Must be a valid IPv4 CIDR prefix.
+#
+#default_subnet = "10.88.0.0/16"
+
+# DefaultSubnetPools is a list of subnets and size which are used to
+# allocate subnets automatically for podman network create.
+# It will iterate through the list and will pick the first free subnet
+# with the given size. This is only used for ipv4 subnets, ipv6 subnets
+# are always assigned randomly.
+#
+#default_subnet_pools = [
+#  {"base" = "10.89.0.0/16", "size" = 24},
+#  {"base" = "10.90.0.0/15", "size" = 24},
+#  {"base" = "10.92.0.0/14", "size" = 24},
+#  {"base" = "10.96.0.0/11", "size" = 24},
+#  {"base" = "10.128.0.0/9", "size" = 24},
+#]
+
+# Path to the directory where network configuration files are located.
+# For the CNI backend the default is "/etc/cni/net.d" as root
+# and "$HOME/.config/cni/net.d" as rootless.
+# For the netavark backend "/etc/containers/networks" is used as root
+# and "$graphroot/networks" as rootless.
+#
+#network_config_dir = "/etc/cni/net.d/"
+
+# Port to use for dns forwarding daemon with netavark in rootful bridge
+# mode and dns enabled.
+# Using an alternate port might be useful if other dns services should
+# run on the machine.
+#
+#dns_bind_port = 53
+
+[engine]
+# Index to the active service
+#
+#active_service = production
+
+# The compression format to use when pushing an image.
+# Valid options are: `gzip`, `zstd` and `zstd:chunked`.
+#
+#compression_format = "gzip"
+
+
+# Cgroup management implementation used for the runtime.
+# Valid options "systemd" or "cgroupfs"
+#
+#cgroup_manager = "systemd"
+
+# Environment variables to pass into conmon
+#
+#conmon_env_vars = [
+#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+#]
+
+# Paths to look for the conmon container manager binary
+#
+#conmon_path = [
+#  "/usr/libexec/podman/conmon",
+#  "/usr/local/libexec/podman/conmon",
+#  "/usr/local/lib/podman/conmon",
+#  "/usr/bin/conmon",
+#  "/usr/sbin/conmon",
+#  "/usr/local/bin/conmon",
+#  "/usr/local/sbin/conmon"
+#]
+
+# Enforces using docker.io for completing short names in Podman's compatibility
+# REST API. Note that this will ignore unqualified-search-registries and
+# short-name aliases defined in containers-registries.conf(5).
+#compat_api_enforce_docker_hub = true
+
+# Specify the keys sequence used to detach a container.
+# Format is a single character [a-Z] or a comma separated sequence of
+# `ctrl-<value>`, where `<value>` is one of:
+# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
+#
+#detach_keys = "ctrl-p,ctrl-q"
+
+# Determines whether engine will reserve ports on the host when they are
+# forwarded to containers. When enabled, when ports are forwarded to containers,
+# ports are held open by as long as the container is running, ensuring that
+# they cannot be reused by other programs on the host. However, this can cause
+# significant memory usage if a container has many ports forwarded to it.
+# Disabling this can save memory.
+#
+#enable_port_reservation = true
+
+# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
+# For example "http_proxy=internal.proxy.company.com".
+# Note these environment variables will not be used within the container.
+# Set the env section under [containers] table, if you want to set environment variables for the container.
+#
+#env = []
+
+# Define where event logs will be stored, when events_logger is "file".
+#events_logfile_path=""
+
+# Sets the maximum size for events_logfile_path.
+# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
+# If no unit is included then the size will be read in bytes.
+# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
+# If the maximum size is set to 0, then no limit will be applied,
+# and the logfile will not be rotated.
+#events_logfile_max_size = "1m"
+
+# Selects which logging mechanism to use for container engine events.
+# Valid values are `journald`, `file` and `none`.
+#
+#events_logger = "journald"
+
+# A is a list of directories which are used to search for helper binaries.
+#
+#helper_binaries_dir = [
+#  "/usr/local/libexec/podman",
+#  "/usr/local/lib/podman",
+#  "/usr/libexec/podman",
+#  "/usr/lib/podman",
+#]
+
+# Path to OCI hooks directories for automatically executed hooks.
+#
+#hooks_dir = [
+#  "/usr/share/containers/oci/hooks.d",
+#]
+
+# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
+# container images. By default image pulled and pushed match the format of the
+# source image. Building/committing defaults to OCI.
+#
+#image_default_format = ""
+
+# Default transport method for pulling and pushing for images
+#
+#image_default_transport = "docker://"
+
+# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
+# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
+#
+#image_parallel_copies = 0
+
+# Tells container engines how to handle the builtin image volumes.
+#   * bind: An anonymous named volume will be created and mounted
+#     into the container.
+#   * tmpfs: The volume is mounted onto the container as a tmpfs,
+#     which allows users to create content that disappears when
+#     the container is stopped.
+#   * ignore: All volumes are just ignored and no action is taken.
+#
+#image_volume_mode = ""
+
+# Default command to run the infra container
+#
+#infra_command = "/pause"
+
+# Infra (pause) container image name for pod infra containers.  When running a
+# pod, we start a `pause` process in a container to hold open the namespaces
+# associated with the  pod.  This container does nothing other then sleep,
+# reserving the pods resources for the lifetime of the pod. By default container
+# engines run a builtin container using the pause executable. If you want override
+# specify an image to pull.
+#
+#infra_image = ""
+
+# Specify the locking mechanism to use; valid values are "shm" and "file".
+# Change the default only if you are sure of what you are doing, in general
+# "file" is useful only on platforms where cgo is not available for using the
+# faster "shm" lock type. You may need to run "podman system renumber" after
+# you change the lock type.
+#
+#lock_type** = "shm"
+
+# MultiImageArchive - if true, the container engine allows for storing archives
+# (e.g., of the docker-archive transport) with multiple images.  By default,
+# Podman creates single-image archives.
+#
+#multi_image_archive = "false"
+
+# Default engine namespace
+# If engine is joined to a namespace, it will see only containers and pods
+# that were created in the same namespace, and will create new containers and
+# pods in that namespace.
+# The default namespace is "", which corresponds to no namespace. When no
+# namespace is set, all containers and pods are visible.
+#
+#namespace = ""
+
+# Path to the slirp4netns binary
+#
+#network_cmd_path = ""
+
+# Default options to pass to the slirp4netns binary.
+# Valid options values are:
+#
+# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).
+#   Default is false.
+# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).
+# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
+# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).
+# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).
+# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.
+# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).
+# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.
+# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
+#   Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container
+#   network namespace, usually `10.0.2.100`. If your application requires the real source IP address,
+#   e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for
+#   rootless containers when connected to user-defined networks.
+# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but
+#   preserves the correct source IP address. This port handler cannot be used for user-defined networks.
+#
+#network_cmd_options = []
+
+# Whether to use chroot instead of pivot_root in the runtime
+#
+#no_pivot_root = false
+
+# Number of locks available for containers and pods.
+# If this is changed, a lock renumber must be performed (e.g. with the
+# 'podman system renumber' command).
+#
+#num_locks = 2048
+
+# Set the exit policy of the pod when the last container exits.
+#pod_exit_policy = "continue"
+
+# Whether to pull new image before running a container
+#
+#pull_policy = "missing"
+
+# Indicates whether the application should be running in remote mode. This flag modifies the
+# --remote option on container engines. Setting the flag to true will default
+# `podman --remote=true` for access to the remote Podman service.
+#
+#remote = false
+
+# Default OCI runtime
+#
+#runtime = "crun"
+
+# List of the OCI runtimes that support --format=json. When json is supported
+# engine will use it for reporting nicer errors.
+#
+#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]
+
+# List of the OCI runtimes that supports running containers with KVM Separation.
+#
+#runtime_supports_kvm = ["kata", "krun"]
+
+# List of the OCI runtimes that supports running containers without cgroups.
+#
+#runtime_supports_nocgroups = ["crun", "krun"]
+
+# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment
+# variable. If you specify "storage", then the location of the
+# container/storage tmp directory will be used.
+# image_copy_tmp_dir="/var/tmp"
+
+# Number of seconds to wait without a connection
+# before the `podman system service` times out and exits
+#
+#service_timeout = 5
+
+# Directory for persistent engine files (database, etc)
+# By default, this will be configured relative to where the containers/storage
+# stores containers
+# Uncomment to change location from this default
+#
+#static_dir = "/var/lib/containers/storage/libpod"
+
+# Number of seconds to wait for container to exit before sending kill signal.
+#
+#stop_timeout = 10
+
+# Number of seconds to wait before exit command in API process is given to.
+# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).
+#
+#exit_command_delay = 300
+
+# map of service destinations
+#
+#[service_destinations]
+#  [service_destinations.production]
+#     URI to access the Podman service
+#     Examples:
+#       rootless "unix://run/user/$UID/podman/podman.sock" (Default)
+#       rootful "unix://run/podman/podman.sock (Default)
+#       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
+#       remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock
+#
+#    uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
+#    Path to file containing ssh identity key
+#    identity = "~/.ssh/id_rsa"
+
+# Directory for temporary files. Must be tmpfs (wiped after reboot)
+#
+#tmp_dir = "/run/libpod"
+
+# Directory for libpod named volumes.
+# By default, this will be configured relative to where containers/storage
+# stores containers.
+# Uncomment to change location from this default.
+#
+#volume_path = "/var/lib/containers/storage/volumes"
+
+# Default timeout (in seconds) for volume plugin operations.
+# Plugins are external programs accessed via a REST API; this sets a timeout
+# for requests to that API.
+# A value of 0 is treated as no timeout.
+#volume_plugin_timeout = 5
+
+# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
+[engine.runtimes]
+#crun = [
+#  "/usr/bin/crun",
+#  "/usr/sbin/crun",
+#  "/usr/local/bin/crun",
+#  "/usr/local/sbin/crun",
+#  "/sbin/crun",
+#  "/bin/crun",
+#  "/run/current-system/sw/bin/crun",
+#]
+
+#kata = [
+#  "/usr/bin/kata-runtime",
+#  "/usr/sbin/kata-runtime",
+#  "/usr/local/bin/kata-runtime",
+#  "/usr/local/sbin/kata-runtime",
+#  "/sbin/kata-runtime",
+#  "/bin/kata-runtime",
+#  "/usr/bin/kata-qemu",
+#  "/usr/bin/kata-fc",
+#]
+
+#runc = [
+#  "/usr/bin/runc",
+#  "/usr/sbin/runc",
+#  "/usr/local/bin/runc",
+#  "/usr/local/sbin/runc",
+#  "/sbin/runc",
+#  "/bin/runc",
+#  "/usr/lib/cri-o-runc/sbin/runc",
+#]
+
+#runsc = [
+#  "/usr/bin/runsc",
+#  "/usr/sbin/runsc",
+#  "/usr/local/bin/runsc",
+#  "/usr/local/sbin/runsc",
+#  "/bin/runsc",
+#  "/sbin/runsc",
+#  "/run/current-system/sw/bin/runsc",
+#]
+
+#krun = [
+#  "/usr/bin/krun",
+#  "/usr/local/bin/krun",
+#]
+
+[engine.volume_plugins]
+#testplugin = "/run/podman/plugins/test.sock"
+
+[machine]
+# Number of CPU's a machine is created with.
+#
+#cpus=1
+
+# The size of the disk in GB created when init-ing a podman-machine VM.
+#
+#disk_size=10
+
+# Default image URI when creating a new VM using `podman machine init`.
+# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major
+# version of the OS (e.g `36`) for Fedora 36. For all platforms you can
+# alternatively specify a custom download URL to an image. Container engines
+# translate URIs $OS and $ARCH to the native OS and ARCH. URI
+# "https://example.com/$OS/$ARCH/foobar.ami" becomes
+# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
+# The default value is `testing`.
+#
+# image = "testing"
+
+# Memory in MB a machine is created with.
+#
+#memory=2048
+
+# The username to use and create on the podman machine OS for rootless
+# container access.
+#
+#user = "core"
+
+# Host directories to be mounted as volumes into the VM by default.
+# Environment variables like $HOME as well as complete paths are supported for
+# the source and destination. An optional third field `:ro` can be used to
+# tell the container engines to mount the volume readonly.
+#
+# volumes = [
+#  "$HOME:$HOME",
+#]
+
+# The [machine] table MUST be the last entry in this file.
+# (Unless another table is added)
+# TOML does not provide a way to end a table other than a further table being
+# defined, so every key hereafter will be part of [machine] and not the
+# main config.
diff --git a/data/templates/dhcp-client/ipv4.j2 b/data/templates/dhcp-client/ipv4.j2
index cc5ddf09c..77905e054 100644
--- a/data/templates/dhcp-client/ipv4.j2
+++ b/data/templates/dhcp-client/ipv4.j2
@@ -9,14 +9,30 @@ interface "{{ ifname }}" {
     send host-name "{{ dhcp_options.host_name }}";
 {% if dhcp_options.client_id is vyos_defined %}
 {%     set client_id = dhcp_options.client_id %}
-{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. If not HEX, use double quotes ASCII format #}
-{%     if not dhcp_options.client_id.split(':') | length >= 5 %}
-{%         set client_id = '"' + dhcp_options.client_id + '"' %}
+{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{#   If not HEX, use double quotes ASCII format #}
+{%     if not client_id.split(':') | length >= 3 %}
+{%         set client_id = '"' ~ dhcp_options.client_id ~ '"' %}
 {%     endif %}
     send dhcp-client-identifier {{ client_id }};
 {% endif %}
 {% if dhcp_options.vendor_class_id is vyos_defined %}
-    send vendor-class-identifier "{{ dhcp_options.vendor_class_id }}";
+{%     set vendor_class_id = dhcp_options.vendor_class_id %}
+{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{#   If not HEX, use double quotes ASCII format #}
+{%     if not vendor_class_id.split(':') | length >= 3 %}
+{%         set vendor_class_id = '"' ~ dhcp_options.vendor_class_id ~ '"' %}
+{%     endif %}
+    send vendor-class-identifier {{ vendor_class_id }};
+{% endif %}
+{% if dhcp_options.user_class is vyos_defined %}
+{%     set user_class = dhcp_options.user_class %}
+{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{#   If not HEX, use double quotes ASCII format #}
+{%     if not user_class.split(':') | length >= 3 %}
+{%         set user_class = '"' ~ dhcp_options.user_class ~ '"' %}
+{%     endif %}
+    send user-class {{ user_class }};
 {% endif %}
     # The request statement causes the client to request that any server responding to the
     # client send the client its values for the specified options.
diff --git a/data/templates/dhcp-relay/dhcrelay.conf.j2 b/data/templates/dhcp-relay/dhcrelay.conf.j2
index c26c263fd..71a395454 100644
--- a/data/templates/dhcp-relay/dhcrelay.conf.j2
+++ b/data/templates/dhcp-relay/dhcrelay.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by dhcp_relay.py ###
+### Autogenerated by service_dhcp-relay.py ###
 
 {% set max_size = '-A ' ~ relay_options.max_size if relay_options.max_size is vyos_defined %}
 {# hop_count and relay_agents_packets is a default option, thus it is always present #}
@@ -6,4 +6,4 @@
 OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -i {{ interface | join(' -i ') }} {{ server | join(' ') }}"
 {% else %}
 OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -id {{ listen_interface | join(' -id ') }} -iu {{ upstream_interface | join(' -iu ') }} {{ server | join(' ') }}"
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/data/templates/dhcp-relay/dhcrelay6.conf.j2 b/data/templates/dhcp-relay/dhcrelay6.conf.j2
index 6365346b4..25f7671b3 100644
--- a/data/templates/dhcp-relay/dhcrelay6.conf.j2
+++ b/data/templates/dhcp-relay/dhcrelay6.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by dhcpv6_relay.py ###
+### Autogenerated by service_dhcpv6-relay.py ###
 
 {# upstream_interface is mandatory so it's always present #}
 {% set upstream = namespace(value='')  %}
@@ -18,4 +18,3 @@
 {% endfor %}
 
 OPTIONS="{{ listen.value }} {{ upstream.value }} -c {{ max_hop_count }} {{ '-I' if use_interface_id_option is vyos_defined }}"
-
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
index 3446a9d1b..6c0653a55 100644
--- a/data/templates/dns-dynamic/ddclient.conf.j2
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -13,63 +13,44 @@ web-skip{{ ipv }}='{{ web_options.skip }}', \
 if{{ ipv }}={{ address }}, \
 {%     endif %}
 {% endfor %}
-{# Other service options #}
-{% for k,v in kwargs.items() %}
-{%     if v is vyos_defined %}
-{{ k }}={{ v }}{{ ',' if not loop.last }} \
-{%     endif %}
+{# Other service options with special treatment for password #}
+{% for k,v in kwargs.items() if v is vyos_defined %}
+{{ k | replace('_', '-') }}={{ "'%s'" % (v) if k == 'password' else v }}{{ ',' if not loop.last }} \
 {% endfor %}
 {# Actual hostname for the service #}
 {{ host }}
 {% endmacro %}
-### Autogenerated by dns_dynamic.py ###
-daemon={{ timeout }}
+### Autogenerated by service_dns_dynamic.py ###
+daemon={{ interval }}
 syslog=yes
 ssl=yes
 pid={{ config_file | replace('.conf', '.pid') }}
 cache={{ config_file | replace('.conf', '.cache') }}
-{# Explicitly override global options for reliability #}
-web=googledomains {# ddclient default ('dyndns') doesn't support ssl and results in process lockup #}
-use=no            {# ddclient default ('ip') results in confusing warning message in log #}
-
-{% if address is vyos_defined %}
-{%     for address, service_cfg in address.items() %}
-{%         if service_cfg.rfc2136 is vyos_defined %}
-{%             for name, config in service_cfg.rfc2136.items() %}
-{%                 if config.description is vyos_defined %}
-# {{ config.description }}
+{# ddclient default (web=dyndns) doesn't support ssl and results in process lockup #}
+web=googledomains
+{# ddclient default (use=ip) results in confusing warning message in log #}
+use=no
 
-{%                 endif %}
-{%                 for host in config.host_name if config.host_name is vyos_defined %}
-# RFC2136 dynamic DNS configuration for {{ name }}: [{{ config.zone }}, {{ host }}]
-{# Don't append 'new-style' compliant suffix ('usev4', 'usev6', 'ifv4', 'ifv6' etc.)
-   to the properties since 'nsupdate' doesn't support that yet. #}
-{{ render_config(host, address, service_cfg.web_options,
-                 protocol='nsupdate', server=config.server, zone=config.zone,
-                 password=config.key, ttl=config.ttl) }}
+{% if name is vyos_defined %}
+{%     for service, config in name.items() %}
+{%         if config.description is vyos_defined %}
 
-{%                 endfor %}
-{%             endfor %}
-{%         endif %}
-{%         if service_cfg.service is vyos_defined %}
-{%             for name, config in service_cfg.service.items() %}
-{%                 if config.description is vyos_defined %}
 # {{ config.description }}
+{%         endif %}
+{%         for host in config.host_name if config.host_name is vyos_defined %}
+{#             ip_suffixes can be either of ['v4'], ['v6'], ['v4', 'v6'] for all protocols except 'nsupdate'
+               ip_suffixes must be [''] for nsupdate since it doesn't support usevX/wantipvX yet #}
+{%             set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
+                                 else ([config.ip_version[2:]] if config.protocol != 'nsupdate'
+                                       else ['']) %}
+{%             set password = config.key if config.protocol == 'nsupdate'
+                              else config.password %}
 
-{%                 endif %}
-{%                 for host in config.host_name if config.host_name is vyos_defined %}
-{%                     set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
-                                                      else (['v6'] if config.ip_version == 'ipv6' else ['']) %}
-# Web service dynamic DNS configuration for {{ name }}: [{{ config.protocol }}, {{ host }}]
-{# For ipv4 only setup or legacy ipv6 setup, don't append 'new-style' compliant suffix
-   ('usev4', 'ifv4', 'webv4' etc.) to the properties and instead live through the
-   deprecation warnings for better compatibility with most ddclient protocols. #}
-{{ render_config(host, address, service_cfg.web_options, ip_suffixes,
+# Web service dynamic DNS configuration for {{ service }}: [{{ config.protocol }}, {{ host }}]
+{{ render_config(host, config.address, config.web_options, ip_suffixes,
                  protocol=config.protocol, server=config.server, zone=config.zone,
-                 login=config.username, password=config.password) }}
-
-{%                 endfor %}
-{%             endfor %}
-{%         endif %}
+                 login=config.username, password=password, ttl=config.ttl,
+                 min_interval=config.wait_time, max_interval=config.expiry_time) }}
+{%         endfor %}
 {%     endfor %}
 {% endif %}
diff --git a/data/templates/dns-dynamic/override.conf.j2 b/data/templates/dns-dynamic/override.conf.j2
index 6ca1b8a45..4a6851cef 100644
--- a/data/templates/dns-dynamic/override.conf.j2
+++ b/data/templates/dns-dynamic/override.conf.j2
@@ -7,4 +7,4 @@ After=vyos-router.service
 PIDFile={{ config_file | replace('.conf', '.pid') }}
 EnvironmentFile=
 ExecStart=
-ExecStart=/usr/bin/ddclient -file {{ config_file }}
+ExecStart={{ vrf_command }}/usr/bin/ddclient -file {{ config_file }}
diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index e02e6c13d..55b37732b 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -1,5 +1,5 @@
 {# j2lint: disable=single-statement-per-line #}
-### Autogenerated by dns_forwarding.py ###
+### Autogenerated by service_dns_forwarding.py ###
 
 # XXX: pdns recursor doesn't like whitespace near entry separators,
 # especially in the semicolon-separated lists of name servers.
@@ -40,6 +40,16 @@ dnssec={{ dnssec }}
 dns64-prefix={{ dns64_prefix }}
 {% endif %}
 
+{% if exclude_throttle_address is vyos_defined %}
+# dont-throttle-netmasks
+dont-throttle-netmasks={{ exclude_throttle_address | join(',') }}
+{% endif %}
+
+{% if serve_stale_extension is vyos_defined %}
+# serve-stale-extensions
+serve-stale-extensions={{ serve_stale_extension }}
+{% endif %}
+
 # serve rfc1918 records
 serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
 
@@ -47,4 +57,3 @@ serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
 auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
 
 forward-zones-file=recursor.forward-zones.conf
-
diff --git a/data/templates/dns-forwarding/recursor.conf.lua.j2 b/data/templates/dns-forwarding/recursor.conf.lua.j2
index e2506238d..816f69160 100644
--- a/data/templates/dns-forwarding/recursor.conf.lua.j2
+++ b/data/templates/dns-forwarding/recursor.conf.lua.j2
@@ -1,4 +1,4 @@
--- Autogenerated by VyOS (dns_forwarding.py) --
+-- Autogenerated by VyOS (service_dns_forwarding.py) --
 -- Do not edit, your changes will get overwritten --
 
 -- Load DNSSEC root keys from dns-root-data package.
@@ -6,4 +6,3 @@ dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
 
 -- Load lua from vyos-hostsd --
 dofile("recursor.vyos-hostsd.conf.lua")
-
diff --git a/data/templates/dns-forwarding/recursor.zone.conf.j2 b/data/templates/dns-forwarding/recursor.zone.conf.j2
index 25193c2ec..797068c49 100644
--- a/data/templates/dns-forwarding/recursor.zone.conf.j2
+++ b/data/templates/dns-forwarding/recursor.zone.conf.j2
@@ -1,5 +1,5 @@
 ;
-; Autogenerated by dns_forwarding.py
+; Autogenerated by service_dns_forwarding.py
 ;
 {% for r in records %}
 {{ r.name }}    {{ r.ttl }}    {{ r.type }}    {{ r.value }}
diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2
index cd35d6d1e..6da2fa5e0 100644
--- a/data/templates/ethernet/wpa_supplicant.conf.j2
+++ b/data/templates/ethernet/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-ethernet.py ###
+### Autogenerated by interfaces_ethernet.py ###
 
 # see full documentation:
 # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
@@ -74,4 +74,3 @@ network={
     # does not work for VyOS' git builds of wpa_supplicant.
     phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"
 }
-
diff --git a/data/templates/firewall/nftables-bridge.j2 b/data/templates/firewall/nftables-bridge.j2
new file mode 100644
index 000000000..1a4ad2ed9
--- /dev/null
+++ b/data/templates/firewall/nftables-bridge.j2
@@ -0,0 +1,35 @@
+{% macro bridge(bridge) %}
+{% set ns = namespace(sets=[]) %}
+{% if bridge.forward is vyos_defined %}
+{%     for prior, conf in bridge.forward.items() %}
+{%         set def_action = conf.default_action %}
+    chain VYOS_FORWARD_{{ prior }} {
+        type filter hook forward priority {{ prior }}; policy {{ def_action }};
+{%         if conf.rule is vyos_defined %}
+{%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+    {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }}
+{%                 if rule_conf.recent is vyos_defined %}
+{%                     set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+    }
+{%     endfor %}
+{% endif %}
+
+{% if bridge.name is vyos_defined %}
+{%     for name_text, conf in bridge.name.items() %}
+    chain NAME_{{ name_text }} {
+{%         if conf.rule is vyos_defined %}
+{%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+    {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'bri') }}
+{%                 if rule_conf.recent is vyos_defined %}
+{%                     set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+    {{ conf | nft_default_rule(name_text) }}
+    }
+{%     endfor %}
+{% endif %}
+{% endmacro %}
\ No newline at end of file
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index 0a7e79edd..a20c399ae 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -1,7 +1,7 @@
-{% macro groups(group, is_ipv6) %}
+{% macro groups(group, is_ipv6, is_l3) %}
 {% if group is vyos_defined %}
 {%     set ip_type = 'ipv6_addr' if is_ipv6 else 'ipv4_addr' %}
-{%     if group.address_group is vyos_defined and not is_ipv6 %}
+{%     if group.address_group is vyos_defined and not is_ipv6 and is_l3 %}
 {%         for group_name, group_conf in group.address_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
     set A_{{ group_name }} {
@@ -14,7 +14,7 @@
     }
 {%         endfor %}
 {%     endif %}
-{%     if group.ipv6_address_group is vyos_defined and is_ipv6 %}
+{%     if group.ipv6_address_group is vyos_defined and is_ipv6 and is_l3 %}
 {%         for group_name, group_conf in group.ipv6_address_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
     set A6_{{ group_name }} {
@@ -27,7 +27,7 @@
     }
 {%         endfor %}
 {%     endif %}
-{%     if group.domain_group is vyos_defined %}
+{%     if group.domain_group is vyos_defined and is_l3 %}
 {%         for name, name_config in group.domain_group.items() %}
     set D_{{ name }} {
         type {{ ip_type }}
@@ -46,7 +46,7 @@
     }
 {%         endfor %}
 {%     endif %}
-{%     if group.network_group is vyos_defined and not is_ipv6 %}
+{%     if group.network_group is vyos_defined and not is_ipv6 and is_l3 %}
 {%         for group_name, group_conf in group.network_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
     set N_{{ group_name }} {
@@ -59,7 +59,7 @@
     }
 {%         endfor %}
 {%     endif %}
-{%     if group.ipv6_network_group is vyos_defined and is_ipv6 %}
+{%     if group.ipv6_network_group is vyos_defined and is_ipv6 and is_l3 %}
 {%         for group_name, group_conf in group.ipv6_network_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
     set N6_{{ group_name }} {
@@ -72,7 +72,7 @@
     }
 {%         endfor %}
 {%     endif %}
-{%     if group.port_group is vyos_defined %}
+{%     if group.port_group is vyos_defined and is_l3 %}
 {%         for group_name, group_conf in group.port_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
     set P_{{ group_name }} {
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2
index f0be3cf5d..dcf28da88 100644
--- a/data/templates/firewall/nftables-nat.j2
+++ b/data/templates/firewall/nftables-nat.j2
@@ -62,6 +62,6 @@ table ip vyos_nat {
         return
     }
 
-{{ group_tmpl.groups(firewall_group, False) }}
+{{ group_tmpl.groups(firewall_group, False, True) }}
 }
 {% endif %}
diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2
new file mode 100644
index 000000000..087fd141c
--- /dev/null
+++ b/data/templates/firewall/nftables-offload.j2
@@ -0,0 +1,9 @@
+{% macro flowtable(name, config) %}
+    flowtable VYOS_FLOWTABLE_{{ name }} {
+        hook ingress priority 0; devices = { {{ config.interface | join(', ') }} };
+{% if config.offload is vyos_defined('hardware') %}
+        flags offload;
+{% endif %}
+        counter
+    }
+{% endmacro %}
\ No newline at end of file
diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2
index 699349e2b..9e28899b0 100644
--- a/data/templates/firewall/nftables-policy.j2
+++ b/data/templates/firewall/nftables-policy.j2
@@ -28,11 +28,14 @@ table ip vyos_mangle {
         {{ rule_conf | nft_rule('route', route_text, rule_id, 'ip') }}
 {%             endfor %}
 {%         endif %}
+{%         if conf.default_log is vyos_defined %}
+        counter log prefix "[ipv4-{{ (route_text)[:19] }}-default]"
+{%         endif %}
     }
 {%     endfor %}
 {% endif %}
 
-{{ group_tmpl.groups(firewall_group, False) }}
+{{ group_tmpl.groups(firewall_group, False, True) }}
 }
 
 table ip6 vyos_mangle {
@@ -57,9 +60,12 @@ table ip6 vyos_mangle {
         {{ rule_conf | nft_rule('route6', route_text, rule_id, 'ip6') }}
 {%             endfor %}
 {%         endif %}
+{%         if conf.default_log is vyos_defined %}
+        counter log prefix "[ipv6-{{ (route_text)[:19] }}-default]"
+{%         endif %}
     }
 {%     endfor %}
 {% endif %}
 
-{{ group_tmpl.groups(firewall_group, True) }}
+{{ group_tmpl.groups(firewall_group, True, True) }}
 }
diff --git a/data/templates/firewall/nftables-vrf-zones.j2 b/data/templates/firewall/nftables-vrf-zones.j2
index eecf47b78..3bce7312d 100644
--- a/data/templates/firewall/nftables-vrf-zones.j2
+++ b/data/templates/firewall/nftables-vrf-zones.j2
@@ -7,11 +7,11 @@ table inet vrf_zones {
   # Chain for inbound traffic
   chain vrf_zones_ct_in {
     type filter hook prerouting priority raw; policy accept;
-    counter ct zone set iifname map @ct_iface_map
+    counter ct original zone set iifname map @ct_iface_map
   }
   # Chain for locally-generated traffic
   chain vrf_zones_ct_out {
     type filter hook output priority raw; policy accept;
-    counter ct zone set oifname map @ct_iface_map
+    counter ct original zone set oifname map @ct_iface_map
   }
 }
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
new file mode 100644
index 000000000..506ad815e
--- /dev/null
+++ b/data/templates/firewall/nftables-zone.j2
@@ -0,0 +1,77 @@
+{% macro zone_chains(zone, ipv6=False, state_policy=False) %}
+{% set fw_name = 'ipv6_name' if ipv6 else 'name' %}
+{% set suffix = '6' if ipv6 else '' %}
+    chain VYOS_ZONE_FORWARD {
+        type filter hook forward priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{%     if 'local_zone' not in zone_conf %}
+        oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }}
+{%     endif %}
+{% endfor %}
+    }
+    chain VYOS_ZONE_LOCAL {
+        type filter hook input priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{%     if 'local_zone' in zone_conf %}
+        counter jump VZONE_{{ zone_name }}_IN
+{%     endif %}
+{% endfor %}
+    }
+    chain VYOS_ZONE_OUTPUT {
+        type filter hook output priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{%     if 'local_zone' in zone_conf %}
+        counter jump VZONE_{{ zone_name }}_OUT
+{%     endif %}
+{% endfor %}
+    }
+{% for zone_name, zone_conf in zone.items() %}
+{%     if zone_conf.local_zone is vyos_defined %}
+    chain VZONE_{{ zone_name }}_IN {
+        iifname lo counter return
+{%         if zone_conf.from is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%             endfor %}
+{%         endif %}
+        {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+    }
+    chain VZONE_{{ zone_name }}_OUT {
+        oifname lo counter return
+{%         if zone_conf.from_local is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %}
+        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        oifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%             endfor %}
+{%         endif %}
+        {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+    }
+{%     else %}
+    chain VZONE_{{ zone_name }} {
+        iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6) }}
+{%         if zone_conf.intra_zone_filtering is vyos_defined %}
+        iifname { {{ zone_conf.interface | join(",") }} } counter return
+{%         endif %}
+{%         if zone_conf.from is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{%                 if zone[from_zone].local_zone is not defined %}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+        {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+    }
+{%     endif %}
+{% endfor %}
+{% endmacro %}
\ No newline at end of file
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index a82a5537b..4851e3a05 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -1,6 +1,9 @@
 #!/usr/sbin/nft -f
 
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
+{% import 'firewall/nftables-bridge.j2' as bridge_tmpl %}
+{% import 'firewall/nftables-offload.j2' as offload_tmpl %}
+{% import 'firewall/nftables-zone.j2' as zone_tmpl %}
 
 flush chain raw FW_CONNTRACK
 flush chain ip6 raw FW_CONNTRACK
@@ -43,12 +46,20 @@ delete table ip vyos_filter
 {% endif %}
 table ip vyos_filter {
 {% if ipv4 is vyos_defined %}
+{%     if flowtable is vyos_defined %}
+{%         for name, flowtable_conf in flowtable.items() %}
+{{ offload_tmpl.flowtable(name, flowtable_conf) }}
+{%         endfor %}
+{%     endif %}
+
 {%     set ns = namespace(sets=[]) %}
 {%     if ipv4.forward is vyos_defined %}
 {%         for prior, conf in ipv4.forward.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_FORWARD_{{ prior }} {
-        type filter hook forward priority {{ prior }}; policy {{ def_action }};
+        type filter hook forward priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('FWD', prior, rule_id) }}
@@ -57,15 +68,18 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('FWD-filter') }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv4.input is vyos_defined %}
 {%         for prior, conf in ipv4.input.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_INPUT_{{ prior }} {
-        type filter hook input priority {{ prior }}; policy {{ def_action }};
+        type filter hook input priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('INP',prior, rule_id) }}
@@ -74,15 +88,18 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('INP-filter') }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv4.output is vyos_defined %}
 {%         for prior, conf in ipv4.output.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_OUTPUT_{{ prior }} {
-        type filter hook output priority {{ prior }}; policy {{ def_action }};
+        type filter hook output priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('OUT', prior, rule_id) }}
@@ -91,6 +108,7 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('OUT-filter') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -100,9 +118,8 @@ table ip vyos_filter {
     }
 {%     if ipv4.prerouting is vyos_defined %}
 {%         for prior, conf in ipv4.prerouting.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_PREROUTING_{{ prior }} {
-        type filter hook prerouting priority {{ prior }}; policy {{ def_action }};
+        type filter hook prerouting priority {{ prior }}; policy accept;
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('PRE', prior, rule_id) }}
@@ -111,7 +128,7 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule(prior) }}
+        {{ conf | nft_default_rule('PRE-filter') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -154,7 +171,25 @@ table ip vyos_filter {
 {%         endfor %}
 {%     endif %}
 {% endif %}
-{{ group_tmpl.groups(group, False) }}
+{{ group_tmpl.groups(group, False, True) }}
+
+{% if zone is vyos_defined %}
+{{ zone_tmpl.zone_chains(zone, False, global_options.state_policy is vyos_defined) }}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+    chain VYOS_STATE_POLICY {
+{%     if global_options.state_policy.established is vyos_defined %}
+        {{ global_options.state_policy.established | nft_state_policy('established') }}
+{%     endif %}
+{%     if global_options.state_policy.invalid is vyos_defined %}
+        {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{%     endif %}
+{%     if global_options.state_policy.related is vyos_defined %}
+        {{ global_options.state_policy.related | nft_state_policy('related') }}
+{%     endif %}
+        return
+    }
+{% endif %}
 }
 
 {% if first_install is not vyos_defined %}
@@ -162,12 +197,20 @@ delete table ip6 vyos_filter
 {% endif %}
 table ip6 vyos_filter {
 {% if ipv6 is vyos_defined %}
+{%     if flowtable is vyos_defined %}
+{%         for name, flowtable_conf in flowtable.items() %}
+{{ offload_tmpl.flowtable(name, flowtable_conf) }}
+{%         endfor %}
+{%     endif %}
+
 {%     set ns = namespace(sets=[]) %}
 {%     if ipv6.forward is vyos_defined %}
 {%         for prior, conf in ipv6.forward.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_IPV6_FORWARD_{{ prior }} {
-        type filter hook forward priority {{ prior }}; policy {{ def_action }};
+        type filter hook forward priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
@@ -176,15 +219,18 @@ table ip6 vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('FWD-filter', ipv6=True) }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv6.input is vyos_defined %}
 {%         for prior, conf in ipv6.input.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_IPV6_INPUT_{{ prior }} {
-        type filter hook input priority {{ prior }}; policy {{ def_action }};
+        type filter hook input priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
@@ -193,15 +239,18 @@ table ip6 vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('INP-filter', ipv6=True) }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv6.output is vyos_defined %}
 {%         for prior, conf in ipv6.output.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_IPV6_OUTPUT_{{ prior }} {
-        type filter hook output priority {{ prior }}; policy {{ def_action }};
+        type filter hook output priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
@@ -210,6 +259,7 @@ table ip6 vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('OUT-filter', ipv6=True) }}
     }
 {%         endfor %}
 {%     endif %}
@@ -257,5 +307,34 @@ table ip6 vyos_filter {
 {%         endfor %}
 {%     endif %}
 {% endif %}
-{{ group_tmpl.groups(group, True) }}
+{{ group_tmpl.groups(group, True, True) }}
+
+{% if zone is vyos_defined %}
+{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+    chain VYOS_STATE_POLICY6 {
+{%     if global_options.state_policy.established is vyos_defined %}
+        {{ global_options.state_policy.established | nft_state_policy('established') }}
+{%     endif %}
+{%     if global_options.state_policy.invalid is vyos_defined %}
+        {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{%     endif %}
+{%     if global_options.state_policy.related is vyos_defined %}
+        {{ global_options.state_policy.related | nft_state_policy('related') }}
+{%     endif %}
+        return
+    }
+{% endif %}
+
+}
+
+## Bridge Firewall
+{% if first_install is not vyos_defined %}
+delete table bridge vyos_filter
+{% endif %}
+table bridge vyos_filter {
+{{ bridge_tmpl.bridge(bridge) }}
+{{ group_tmpl.groups(group, False, False) }}
+
 }
\ No newline at end of file
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index 7fa974254..679ba8b04 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -29,13 +29,14 @@
  neighbor {{ neighbor }} bfd profile {{ config.bfd.profile }}
 {%     endif %}
 {% endif %}
-{% if config.capability is vyos_defined %}
-{%     if config.capability.dynamic is vyos_defined %}
+{% if config.capability.dynamic is vyos_defined %}
  neighbor {{ neighbor }} capability dynamic
-{%     endif %}
-{%     if config.capability.extended_nexthop is vyos_defined %}
+{% endif %}
+{% if config.capability.extended_nexthop is vyos_defined %}
  neighbor {{ neighbor }} capability extended-nexthop
-{%     endif %}
+{% endif %}
+{% if config.capability.software_version is vyos_defined %}
+ neighbor {{ neighbor }} capability software-version
 {% endif %}
 {% if config.description is vyos_defined %}
  neighbor {{ neighbor }} description {{ config.description }}
@@ -77,6 +78,9 @@
 {% if config.path_attribute.discard is vyos_defined %}
  neighbor {{ neighbor }} path-attribute discard {{ config.path_attribute.discard }}
 {% endif %}
+{% if config.path_attribute.treat_as_withdraw is vyos_defined %}
+ neighbor {{ neighbor }} path-attribute treat-as-withdraw {{ config.path_attribute.treat_as_withdraw }}
+{% endif %}
 {% if config.port is vyos_defined %}
  neighbor {{ neighbor }} port {{ config.port }}
 {% endif %}
@@ -170,7 +174,7 @@
 {%             endif %}
 {%         endif %}
 {%         if afi_config.remove_private_as is vyos_defined %}
-  neighbor {{ neighbor }} remove-private-AS
+  neighbor {{ neighbor }} remove-private-AS {{ 'all' if afi_config.remove_private_as.all is vyos_defined }}
 {%         endif %}
 {%         if afi_config.route_reflector_client is vyos_defined %}
   neighbor {{ neighbor }} route-reflector-client
@@ -369,6 +373,26 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {%         if afi_config.advertise_svi_ip is vyos_defined %}
   advertise-svi-ip
 {%         endif %}
+{%         if afi_config.default_originate.ipv4 is vyos_defined %}
+  default-originate ipv4
+{%         endif %}
+{%         if afi_config.default_originate.ipv6 is vyos_defined %}
+  default-originate ipv6
+{%         endif %}
+{%         if afi_config.disable_ead_evi_rx is vyos_defined %}
+  disable-ead-evi-rx
+{%         endif %}
+{%         if afi_config.disable_ead_evi_tx is vyos_defined %}
+  disable-ead-evi-tx
+{%         endif %}
+{%         if afi_config.ead_es_frag.evi_limit is vyos_defined %}
+  ead-es-frag evi-limit {{ afi_config.ead_es_frag.evi_limit }}
+{%         endif %}
+{%         if afi_config.ead_es_route_target.export is vyos_defined %}
+{%             for route_target in afi_config.ead_es_route_target.export %}
+ ead-es-route-target export {{ route_target }}
+{%             endfor %}
+{%         endif %}
 {%         if afi_config.rt_auto_derive is vyos_defined %}
   autort rfc8365-compatible
 {%         endif %}
@@ -446,6 +470,38 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {%     endfor %}
 {% endif %}
  !
+{% if bmp is vyos_defined %}
+{%     if bmp.mirror_buffer_limit is vyos_defined %}
+ bmp mirror buffer-limit {{ bmp.mirror_buffer_limit }}
+ !
+{%     endif %}
+{%     if bmp.target is vyos_defined %}
+{%         for bmp, bmp_config in bmp.target.items() %}
+ bmp targets {{ bmp }}
+{%             if bmp_config.mirror is vyos_defined %}
+  bmp mirror
+{%             endif %}
+{%             if bmp_config.monitor is vyos_defined %}
+{%                 if bmp_config.monitor.ipv4_unicast.pre_policy is vyos_defined %}
+  bmp monitor ipv4 unicast pre-policy
+{%                 endif %}
+{%                 if bmp_config.monitor.ipv4_unicast.post_policy is vyos_defined %}
+  bmp monitor ipv4 unicast post-policy
+{%                 endif %}
+{%                 if bmp_config.monitor.ipv6_unicast.pre_policy is vyos_defined %}
+  bmp monitor ipv6 unicast pre-policy
+{%                 endif %}
+{%                 if bmp_config.monitor.ipv6_unicast.post_policy is vyos_defined %}
+  bmp monitor ipv6 unicast post-policy
+{%                 endif %}
+{%             endif %}
+{%             if bmp_config.address is vyos_defined %}
+  bmp connect {{ bmp_config.address }} port {{ bmp_config.port }} min-retry {{ bmp_config.min_retry }} max-retry {{ bmp_config.max_retry }}
+{%             endif %}
+{%         endfor %}
+ exit
+{%     endif %}
+{% endif %}
 {% if peer_group is vyos_defined %}
 {%     for peer, config in peer_group.items() %}
 {{ bgp_neighbor(peer, config, true) }}
@@ -564,6 +620,14 @@ bgp route-reflector allow-outbound-policy
 {% if parameters.tcp_keepalive.idle is vyos_defined and parameters.tcp_keepalive.interval is vyos_defined and parameters.tcp_keepalive.probes is vyos_defined %}
  bgp tcp-keepalive {{ parameters.tcp_keepalive.idle }} {{ parameters.tcp_keepalive.interval }} {{ parameters.tcp_keepalive.probes }}
 {% endif %}
+{% if srv6.locator is vyos_defined %}
+ segment-routing srv6
+  locator {{ srv6.locator }}
+ exit
+{% endif %}
+{% if sid.vpn.per_vrf.export is vyos_defined %}
+ sid vpn per-vrf export {{ sid.vpn.per_vrf.export }}
+{% endif %}
 {% if timers.keepalive is vyos_defined and timers.holdtime is vyos_defined %}
  timers bgp {{ timers.keepalive }} {{ timers.holdtime }}
 {% endif %}
diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl
index 3aad8e8dd..339b4e52f 100644
--- a/data/templates/frr/daemons.frr.tmpl
+++ b/data/templates/frr/daemons.frr.tmpl
@@ -1,4 +1,26 @@
-zebra=yes
+#
+# The watchfrr, zebra, mgmtd and staticd daemons are always started.
+#
+# Note: The following FRR-services must be kept disabled because they are replaced by other packages in VyOS:
+#
+# pimd   Replaced by package igmpproxy.
+# nhrpd  Replaced by package opennhrp.
+# pbrd   Replaced by PBR in nftables.
+# vrrpd  Replaced by package keepalived.
+#
+# And these must be disabled aswell since they are currently missing a VyOS CLI:
+#
+# eigrp
+# sharpd
+# fabricd
+# pathd
+#
+# The zebra, mgmtd and staticd daemons are always started and can not be disabled
+#
+#zebra=yes
+#mgmtd=yes
+#staticd=yes
+
 bgpd=yes
 ospfd=yes
 ospf6d=yes
@@ -6,49 +28,86 @@ ripd=yes
 ripngd=yes
 isisd=yes
 pimd=no
+pim6d=yes
 ldpd=yes
 nhrpd=no
-eigrpd=yes
+eigrpd=no
 babeld=yes
 sharpd=no
 pbrd=no
 bfdd=yes
-staticd=yes
+fabricd=no
+vrrpd=no
+pathd=no
 
-vtysh_enable=yes
-zebra_options="  -s 90000000 --daemon -A 127.0.0.1
-{%- if irdp is defined %} -M irdp{% endif -%}
-{%- if snmp is defined and snmp.zebra is defined %} -M snmp{% endif -%}
-"
-bgpd_options="   --daemon -A 127.0.0.1
-{%- if bmp is defined %} -M bmp{% endif -%}
-{%- if snmp is defined and snmp.bgpd is defined %} -M snmp{% endif -%}
-"
-ospfd_options="  --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ospfd is defined %} -M snmp{% endif -%}
-"
-ospf6d_options=" --daemon -A ::1
-{%- if snmp is defined and snmp.ospf6d is defined %} -M snmp{% endif -%}
-"
-ripd_options="   --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ripd is defined %} -M snmp{% endif -%}
-"
+#
+# Define defaults for all services even those who shall be kept disabled.
+#
+
+zebra_options="  --daemon -A 127.0.0.1 -s 90000000{{ ' -M snmp' if snmp.zebra is vyos_defined }}{{ ' -M irdp' if irdp is vyos_defined }}"
+mgmtd_options="  --daemon -A 127.0.0.1"
+staticd_options="--daemon -A 127.0.0.1"
+bgpd_options="   --daemon -A 127.0.0.1 -M rpki{{ ' -M snmp' if snmp.bgpd is vyos_defined }}{{ ' -M bmp' if bmp is vyos_defined }}"
+ospfd_options="  --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ospfd is vyos_defined }}"
+ospf6d_options=" --daemon -A ::1{{ ' -M snmp' if snmp.ospf6d is vyos_defined }}"
+ripd_options="   --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ripd is vyos_defined }}"
 ripngd_options=" --daemon -A ::1"
-isisd_options="  --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.isisd is defined %} -M snmp{% endif -%}
-"
-pimd_options="  --daemon -A 127.0.0.1"
-ldpd_options="  --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ldpd is defined %} -M snmp{% endif -%}
-"
-mgmtd_options=" --daemon -A 127.0.0.1"
+isisd_options="  --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.isisd is vyos_defined }}"
+pimd_options="   --daemon -A 127.0.0.1"
+pim6d_options="  --daemon -A ::1"
+ldpd_options="   --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ldpd is vyos_defined }}"
 nhrpd_options="  --daemon -A 127.0.0.1"
-eigrpd_options="  --daemon -A 127.0.0.1"
-babeld_options="  --daemon -A 127.0.0.1"
-sharpd_options="  --daemon -A 127.0.0.1"
-pbrd_options="  --daemon -A 127.0.0.1"
-staticd_options="  --daemon -A 127.0.0.1"
-bfdd_options="  --daemon -A 127.0.0.1"
-
-watchfrr_enable=no
+eigrpd_options=" --daemon -A 127.0.0.1"
+babeld_options=" --daemon -A 127.0.0.1"
+sharpd_options=" --daemon -A 127.0.0.1"
+pbrd_options="   --daemon -A 127.0.0.1"
+bfdd_options="   --daemon -A 127.0.0.1"
+fabricd_options="--daemon -A 127.0.0.1"
+vrrpd_options="  --daemon -A 127.0.0.1"
+pathd_options="  --daemon -A 127.0.0.1"
+
+#frr_global_options=""
+
+#zebra_wrap=""
+#mgmtd_wrap=""
+#staticd_wrap=""
+#bgpd_wrap=""
+#ospfd_wrap=""
+#ospf6d_wrap=""
+#ripd_wrap=""
+#ripngd_wrap=""
+#isisd_wrap=""
+#pimd_wrap=""
+#pim6d_wrap=""
+#ldpd_wrap=""
+#nhrpd_wrap=""
+#eigrpd_wrap=""
+#babeld_wrap=""
+#sharpd_wrap=""
+#pbrd_wrap=""
+#bfdd_wrap=""
+#fabricd_wrap=""
+#vrrpd_wrap=""
+#pathd_wrap=""
+
+#all_wrap=""
+
+#
+# Other options.
+#
+# For more information see:
+# https://github.com/FRRouting/frr/blob/stable/9.0/tools/etc/frr/daemons
+# https://docs.frrouting.org/en/stable-9.0/setup.html
+#
+
+vtysh_enable=yes
+watchfrr_enable=yes
 valgrind_enable=no
+
+#watchfrr_options=""
+
+frr_profile="traditional"
+
+MAX_FDS={{ descriptors }}
+
+#FRR_NO_ROOT="yes"
diff --git a/data/templates/frr/eigrpd.frr.j2 b/data/templates/frr/eigrpd.frr.j2
index 67f8a3ad1..3038a0b1d 100644
--- a/data/templates/frr/eigrpd.frr.j2
+++ b/data/templates/frr/eigrpd.frr.j2
@@ -1,21 +1,21 @@
-!

-router eigrp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}

-{% if maximum_paths is vyos_defined %}

-maximum-paths {{ maximum_paths }}

-{% endif %}

-{% if metric.weights is vyos_defined %}

-metric weights {{ metric.weights }}

-{% endif %}

-{% if network is vyos_defined %}

-{%     for net in network %}

-network {{ net }}

-{%     endfor %}

-{% endif %}

-{% if redistribute is vyos_defined %}

-{%     for protocol in redistribute %}

-redistribute {{ protocol }}

-{%     endfor %}

-{% endif %}

-{% if variance is vyos_defined %}

-variance {{ variance }}

+!
+router eigrp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
+{% if maximum_paths is vyos_defined %}
+maximum-paths {{ maximum_paths }}
+{% endif %}
+{% if metric.weights is vyos_defined %}
+metric weights {{ metric.weights }}
+{% endif %}
+{% if network is vyos_defined %}
+{%     for net in network %}
+network {{ net }}
+{%     endfor %}
+{% endif %}
+{% if redistribute is vyos_defined %}
+{%     for protocol in redistribute %}
+redistribute {{ protocol }}
+{%     endfor %}
+{% endif %}
+{% if variance is vyos_defined %}
+variance {{ variance }}
 {% endif %}
\ No newline at end of file
diff --git a/data/templates/frr/evpn.mh.frr.j2 b/data/templates/frr/evpn.mh.frr.j2
new file mode 100644
index 000000000..03aaac44b
--- /dev/null
+++ b/data/templates/frr/evpn.mh.frr.j2
@@ -0,0 +1,16 @@
+!
+interface {{ ifname }}
+{% if evpn.es_df_pref is vyos_defined %}
+ evpn mh es-df-pref {{ evpn.es_df_pref }}
+{% endif %}
+{% if evpn.es_id is vyos_defined %}
+ evpn mh es-id {{ evpn.es_id }}
+{% endif %}
+{% if evpn.es_sys_mac is vyos_defined %}
+ evpn mh es-sys-mac {{ evpn.es_sys_mac }}
+{% endif %}
+{% if evpn.uplink is vyos_defined %}
+ evpn mh uplink
+{% endif %}
+exit
+!
diff --git a/data/templates/frr/igmp.frr.j2 b/data/templates/frr/igmp.frr.j2
deleted file mode 100644
index b75884484..000000000
--- a/data/templates/frr/igmp.frr.j2
+++ /dev/null
@@ -1,41 +0,0 @@
-!
-{% for iface in old_ifaces %}
-interface {{ iface }}
-{%     for group in old_ifaces[iface].gr_join %}
-{%         if old_ifaces[iface].gr_join[group] %}
-{%             for source in old_ifaces[iface].gr_join[group] %}
- no ip igmp join {{ group }} {{ source }}
-{%             endfor %}
-{%         else %}
- no ip igmp join {{ group }}
-{%         endif %}
-{%     endfor %}
- no ip igmp
-!
-{% endfor %}
-{% for interface, interface_config in ifaces.items() %}
-interface {{ interface }}
-{%     if interface_config.version %}
- ip igmp version {{ interface_config.version }}
-{%     else %}
-{# IGMP default version 3 #}
- ip igmp
-{%     endif %}
-{%     if interface_config.query_interval %}
- ip igmp query-interval {{ interface_config.query_interval }}
-{%     endif %}
-{%     if interface_config.query_max_resp_time %}
- ip igmp query-max-response-time {{ interface_config.query_max_resp_time }}
-{%     endif %}
-{%     for group, sources in interface_config.gr_join.items() %}
-{%         if sources is vyos_defined %}
-{%             for source in sources %}
- ip igmp join {{ group }} {{ source }}
-{%             endfor %}
-{%         else %}
- ip igmp join {{ group }}
-{%         endif %}
-{%     endfor %}
-!
-{% endfor %}
-!
diff --git a/data/templates/frr/isisd.frr.j2 b/data/templates/frr/isisd.frr.j2
index 3c37e28b9..1e1cc3c27 100644
--- a/data/templates/frr/isisd.frr.j2
+++ b/data/templates/frr/isisd.frr.j2
@@ -58,6 +58,12 @@ exit
 !
 router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }}
  net {{ net }}
+{% if advertise_high_metrics is vyos_defined %}
+advertise-high-metrics
+{% endif %}
+{% if advertise_passive_only is vyos_defined %}
+advertise-passive-only
+{% endif %}
 {% if dynamic_hostname is vyos_defined %}
  hostname dynamic
 {% endif %}
@@ -159,6 +165,48 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }}
 {%         endfor %}
 {%     endfor %}
 {% endif %}
+{% if fast_reroute.lfa is vyos_defined %}
+{%     if fast_reroute.lfa.local is vyos_defined %}
+{%         if fast_reroute.lfa.local.load_sharing.disable.level_1 is vyos_defined %}
+ fast-reroute load-sharing disable level-1
+{%         elif fast_reroute.lfa.local.load_sharing.disable.level_2 is vyos_defined %}
+ fast-reroute load-sharing disable level-2
+{%         elif fast_reroute.lfa.local.load_sharing.disable is vyos_defined %}
+ fast-reroute load-sharing disable
+{%         endif %}
+{%         if fast_reroute.lfa.local.priority_limit is vyos_defined %}
+{%             for priority, priority_limit_options in fast_reroute.lfa.local.priority_limit.items() %}
+{%                 for level in priority_limit_options %}
+ fast-reroute priority-limit {{ priority }} {{ level | replace('_', '-') }}
+{%                 endfor %}                   
+{%             endfor %}
+{%         endif %}
+{%         if fast_reroute.lfa.local.tiebreaker is vyos_defined %}
+{%             for tiebreaker, tiebreaker_options in fast_reroute.lfa.local.tiebreaker.items() %}
+{%                 for index, index_options in tiebreaker_options.items() %}
+{%                     for index_value, index_value_options in index_options.items() %}
+{%                         for level in index_value_options %}
+ fast-reroute lfa tiebreaker {{ tiebreaker | replace('_', '-') }} index {{ index_value }} {{ level | replace('_', '-') }}
+{%                         endfor %}
+{%                     endfor %}
+{%                 endfor %}
+{%             endfor %}
+{%         endif %}
+{%     endif %}
+{%     if fast_reroute.lfa.remote.prefix_list is vyos_defined %}
+{%         for prefix_list, prefix_list_options in fast_reroute.lfa.remote.prefix_list.items() %}
+{%             if prefix_list_options.level_1 is vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }} level-1
+{%             endif %}
+{%             if prefix_list_options.level_2 is vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }} level-2
+{%             endif %}
+{%             if prefix_list is vyos_defined and prefix_list_options.level_1 is not vyos_defined and prefix_list_options.level_2 is not vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }}
+{%             endif %}
+{%         endfor %}
+{%     endif %}
+{% endif %}
 {% if redistribute.ipv4 is vyos_defined %}
 {%     for protocol, protocol_options in redistribute.ipv4.items() %}
 {%         for level, level_config in protocol_options.items() %}
@@ -191,4 +239,4 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }}
  is-type {{ level }}
 {% endif %}
 exit
-!
\ No newline at end of file
+!
diff --git a/data/templates/frr/ldpd.frr.j2 b/data/templates/frr/ldpd.frr.j2
index 11aff331a..9a893cc55 100644
--- a/data/templates/frr/ldpd.frr.j2
+++ b/data/templates/frr/ldpd.frr.j2
@@ -14,19 +14,19 @@ mpls ldp
  ordered-control
 {%     endif %}
 {%     if ldp.neighbor is vyos_defined %}
-{%         for neighbor, neighbor_config in ldp.neighbor %}
+{%         for neighbor, neighbor_config in ldp.neighbor.items() %}
 {%             if neighbor_config.password is vyos_defined %}
- neighbor {{ neighbors }} password {{ neighbor_config.password }}
+ neighbor {{ neighbor }} password {{ neighbor_config.password }}
 {%             endif %}
 {%             if neighbor_config.ttl_security is vyos_defined %}
 {%                 if neighbor_config.ttl_security.disable is vyos_defined %}
- neighbor {{ neighbors }} ttl-security disable
+ neighbor {{ neighbor }} ttl-security disable
 {%                 else %}
- neighbor {{ neighbors }} ttl-security hops {{ neighbor_config.ttl_security }}
+ neighbor {{ neighbor }} ttl-security hops {{ neighbor_config.ttl_security }}
 {%                 endif %}
 {%             endif %}
 {%             if neighbor_config.session_holdtime is vyos_defined %}
- neighbor {{ neighbors }} session holdtime {{ neighbor_config.session_holdtime }}
+ neighbor {{ neighbor }} session holdtime {{ neighbor_config.session_holdtime }}
 {%             endif %}
 {%         endfor %}
 {%     endif %}
diff --git a/data/templates/frr/pim6d.frr.j2 b/data/templates/frr/pim6d.frr.j2
new file mode 100644
index 000000000..bac716fcc
--- /dev/null
+++ b/data/templates/frr/pim6d.frr.j2
@@ -0,0 +1,81 @@
+!
+{% if interface is vyos_defined %}
+{%     for iface, iface_config in interface.items() %}
+!
+interface {{ iface }}
+ ipv6 pim
+{%         if iface_config.no_bsm is vyos_defined %}
+ no ipv6 pim bsm
+{%         endif %}
+{%         if iface_config.dr_priority is vyos_defined %}
+ ipv6 pim drpriority {{ iface_config.dr_priority }}
+{%         endif %}
+{%         if iface_config.hello is vyos_defined %}
+ ipv6 pim hello {{ iface_config.hello }}
+{%         endif %}
+{%         if iface_config.no_unicast_bsm is vyos_defined %}
+ no ipv6 pim unicast-bsm
+{%         endif %}
+{%         if iface_config.passive is vyos_defined %}
+ ipv6 pim passive
+{%         endif %}
+{%         if iface_config.mld is vyos_defined and iface_config.mld.disable is not vyos_defined %}
+ ipv6 mld
+{%             if iface_config.mld.version is vyos_defined %}
+ ipv6 mld version {{ iface_config.mld.version }}
+{%             endif %}
+{%             if iface_config.mld.interval is vyos_defined %}
+ ipv6 mld query-interval {{ iface_config.mld.interval }}
+{%             endif %}
+{%             if iface_config.mld.max_response_time is vyos_defined %}
+ ipv6 mld query-max-response-time {{ iface_config.mld.max_response_time // 100 }}
+{%             endif %}
+{%             if iface_config.mld.last_member_query_count is vyos_defined %}
+ ipv6 mld last-member-query-count {{ iface_config.mld.last_member_query_count }}
+{%             endif %}
+{%             if iface_config.mld.last_member_query_interval is vyos_defined %}
+ ipv6 mld last-member-query-interval {{ iface_config.mld.last_member_query_interval // 100 }}
+{%             endif %}
+{%             if iface_config.mld.join is vyos_defined %}
+{%                 for group, group_config in iface_config.mld.join.items() %}
+{%                     if group_config.source is vyos_defined %}
+{%                         for source in group_config.source %}
+ ipv6 mld join {{ group }} {{ source }}
+{%                         endfor %}
+{%                     else %}
+ ipv6 mld join {{ group }}
+{%                     endif %}
+{%                 endfor %}
+{%             endif %}
+{%         endif %}
+exit
+{%     endfor %}
+{% endif %}
+!
+{% if join_prune_interval is vyos_defined %}
+ipv6 pim join-prune-interval {{ join_prune_interval }}
+{% endif %}
+{% if keep_alive_timer is vyos_defined %}
+ipv6 pim keep-alive-timer {{ keep_alive_timer }}
+{% endif %}
+{% if packets is vyos_defined %}
+ipv6 pim packets {{ packets }}
+{% endif %}
+{% if register_suppress_time is vyos_defined %}
+ipv6 pim register-suppress-time {{ register_suppress_time }}
+{% endif %}
+{% if rp.address is vyos_defined %}
+{%     for address, address_config in rp.address.items() %}
+{%         if address_config.group is vyos_defined %}
+{%             for group in address_config.group %}
+ipv6 pim rp {{ address }} {{ group }}
+{%             endfor %}
+{%         endif %}
+{%         if address_config.prefix_list6 is vyos_defined %}
+ipv6 pim rp {{ address }} prefix-list {{ address_config.prefix_list6 }}
+{%         endif %}
+{%     endfor %}
+{% endif %}
+{% if rp.keep_alive_timer is vyos_defined %}
+ipv6 pim rp keep-alive-timer {{ rp.keep_alive_timer }}
+{% endif %}
diff --git a/data/templates/frr/pimd.frr.j2 b/data/templates/frr/pimd.frr.j2
index cb2f2aa98..68edf4a5c 100644
--- a/data/templates/frr/pimd.frr.j2
+++ b/data/templates/frr/pimd.frr.j2
@@ -1,34 +1,95 @@
+{% if interface is vyos_defined %}
+{%     for iface, iface_config in interface.items() %}
 !
-{% for rp_addr in old_pim.rp %}
-{%     for group in old_pim.rp[rp_addr] %}
-no ip pim rp {{ rp_addr }} {{ group }}
+interface {{ iface }}
+ ip pim
+{%         if iface_config.bfd is vyos_defined %}
+ ip pim bfd {{ 'profile ' ~ iface_config.bfd.profile if iface_config.bfd.profile is vyos_defined }}
+{%         endif %}
+{%         if iface_config.no_bsm is vyos_defined %}
+ no ip pim bsm
+{%         endif %}
+{%         if iface_config.dr_priority is vyos_defined %}
+ ip pim drpriority {{ iface_config.dr_priority }}
+{%         endif %}
+{%         if iface_config.hello is vyos_defined %}
+ ip pim hello {{ iface_config.hello }}
+{%         endif %}
+{%         if iface_config.no_unicast_bsm is vyos_defined %}
+ no ip pim unicast-bsm
+{%         endif %}
+{%         if iface_config.passive is vyos_defined %}
+ ip pim passive
+{%         endif %}
+{%         if iface_config.source_address is vyos_defined %}
+ ip pim use-source {{ iface_config.source_address }}
+{%         endif %}
+{%         if iface_config.igmp is vyos_defined and iface_config.igmp.disable is not vyos_defined %}
+ ip igmp
+{%             if iface_config.igmp.query_interval %}
+ ip igmp query-interval {{ iface_config.igmp.query_interval }}
+{%             endif %}
+{%             if iface_config.igmp.query_max_response_time %}
+ ip igmp query-max-response-time {{ iface_config.igmp.query_max_response_time }}
+{%             endif %}
+{%             if iface_config.igmp.version is vyos_defined %}
+ ip igmp version {{ iface_config.igmp.version }}
+{%             endif %}
+{%             if iface_config.igmp.join is vyos_defined %}
+{%                 for join, join_config in iface_config.igmp.join.items() %}
+{%                     if join_config.source_address is vyos_defined %}
+{%                         for source_address in join_config.source_address %}
+ ip igmp join {{ join }} {{ source_address }}
+{%                         endfor %}
+{%                     else %}
+ ip igmp join {{ join }}
+{%                     endif %}
+{%                 endfor %}
+{%             endif %}
+{%         endif %}
+exit
 {%     endfor %}
-{% endfor %}
-{% if old_pim.rp_keep_alive %}
-no ip pim rp keep-alive-timer {{ old_pim.rp_keep_alive }}
 {% endif %}
-{% for iface in old_pim.ifaces %}
-interface {{ iface }}
-no ip pim
-!
-{% endfor %}
-{% for iface in pim.ifaces %}
-interface {{ iface }}
-ip pim
-{%     if pim.ifaces[iface].dr_prio %}
-ip pim drpriority {{ pim.ifaces[iface].dr_prio }}
-{%     endif %}
-{%     if pim.ifaces[iface].hello %}
-ip pim hello {{ pim.ifaces[iface].hello }}
-{%     endif %}
 !
-{% endfor %}
-{% for rp_addr in pim.rp %}
-{%     for group in pim.rp[rp_addr] %}
-ip pim rp {{ rp_addr }} {{ group }}
+{% if ecmp is vyos_defined %}
+ip pim ecmp {{ 'rebalance' if ecmp.rebalance is vyos_defined }}
+{% endif %}
+{% if join_prune_interval is vyos_defined %}
+ip pim join-prune-interval {{ join_prune_interval }}
+{% endif %}
+{% if keep_alive_timer is vyos_defined %}
+ip pim keep-alive-timer {{ keep_alive_timer }}
+{% endif %}
+{% if packets is vyos_defined %}
+ip pim packets {{ packets }}
+{% endif %}
+{% if register_accept_list.prefix_list is vyos_defined %}
+ip pim register-accept-list {{ register_accept_list.prefix_list }}
+{% endif %}
+{% if register_suppress_time is vyos_defined %}
+ip pim register-suppress-time {{ register_suppress_time }}
+{% endif %}
+{% if rp.address is vyos_defined %}
+{%     for address, address_config in rp.address.items() %}
+{%         for group in address_config.group %}
+ip pim rp {{ address }} {{ group }}
+{%         endfor %}
 {%     endfor %}
-{% endfor %}
-{% if pim.rp_keep_alive %}
-ip pim rp keep-alive-timer {{ pim.rp_keep_alive }}
+{% endif %}
+{% if rp.keep_alive_timer is vyos_defined %}
+ip pim rp keep-alive-timer {{ rp.keep_alive_timer }}
+{% endif %}
+{% if no_v6_secondary is vyos_defined %}
+no ip pim send-v6-secondary
+{% endif %}
+{% if spt_switchover.infinity_and_beyond is vyos_defined %}
+ip pim spt-switchover infinity-and-beyond {{ 'prefix-list ' ~ spt_switchover.infinity_and_beyond.prefix_list if spt_switchover.infinity_and_beyond.prefix_list is defined }}
+{% endif %}
+{% if ssm.prefix_list is vyos_defined %}
+ip pim ssm prefix-list {{ ssm.prefix_list }}
+{% endif %}
+!
+{% if igmp.watermark_warning is vyos_defined %}
+ip igmp watermark-warn {{ igmp.watermark_warning }}
 {% endif %}
 !
diff --git a/data/templates/frr/zebra.segment_routing.frr.j2 b/data/templates/frr/zebra.segment_routing.frr.j2
new file mode 100644
index 000000000..7b12fcdd0
--- /dev/null
+++ b/data/templates/frr/zebra.segment_routing.frr.j2
@@ -0,0 +1,23 @@
+!
+{% if srv6.locator is vyos_defined %}
+segment-routing
+ srv6
+  locators
+{%     for locator, locator_config in srv6.locator.items() %}
+   locator {{ locator }}
+{%         if locator_config.prefix is vyos_defined %}
+    prefix {{ locator_config.prefix }} block-len {{ locator_config.block_len }} node-len {{ locator_config.node_len }} func-bits {{ locator_config.func_bits }}
+{%         endif %}
+{%         if locator_config.behavior_usid is vyos_defined %}
+    behavior usid
+{%         endif %}
+    exit
+    !
+{%     endfor %}
+  exit
+  !
+exit
+!
+exit
+!
+{% endif %}
diff --git a/data/templates/grub/grub_common.j2 b/data/templates/grub/grub_common.j2
new file mode 100644
index 000000000..278ffbf2c
--- /dev/null
+++ b/data/templates/grub/grub_common.j2
@@ -0,0 +1,23 @@
+# load EFI video modules
+if [ "${grub_platform}" == "efi" ]; then
+    insmod efi_gop
+    insmod efi_uga
+fi
+
+# create and activate serial console
+function setup_serial {
+    # initialize the first serial port by default
+    if [ "${console_type}" == "ttyS" ]; then
+        serial --unit=${console_num}
+    else
+        serial --unit=0
+    fi
+    terminal_output --append serial console
+    terminal_input --append serial console
+}
+
+setup_serial
+
+{% if search_root %}
+{{ search_root }}
+{% endif %}
diff --git a/data/templates/grub/grub_compat.j2 b/data/templates/grub/grub_compat.j2
new file mode 100644
index 000000000..887d5d0bd
--- /dev/null
+++ b/data/templates/grub/grub_compat.j2
@@ -0,0 +1,63 @@
+{# j2lint: disable=S6 #}
+### Generated by VyOS image-tools v.{{ tools_version }} ###
+{% macro menu_name(mode) -%}
+{% if mode == 'normal' -%}
+    VyOS
+{%- elif mode == 'pw_reset' -%}
+    Lost password change
+{%- else -%}
+    Unknown
+{%- endif %}
+{%- endmacro %}
+{% macro console_name(type) -%}
+{% if type == 'tty' -%}
+    KVM
+{%- elif type == 'ttyS' -%}
+    Serial
+{%- elif type == 'ttyUSB' -%}
+    USB
+{%- else -%}
+    Unknown
+{%- endif %}
+{%- endmacro %}
+{% macro console_opts(type) -%}
+{% if type == 'tty' -%}
+    console=ttyS0,115200 console=tty0
+{%- elif type == 'ttyS' -%}
+    console=tty0 console=ttyS0,115200
+{%- elif type == 'ttyUSB' -%}
+    console=tty0 console=ttyUSB0,115200
+{%- else -%}
+    console=tty0 console=ttyS0,115200
+{%- endif %}
+{%- endmacro %}
+{% macro passwd_opts(mode) -%}
+{% if mode == 'pw_reset' -%}
+    init=/opt/vyatta/sbin/standalone_root_pw_reset
+{%- endif %}
+{%- endmacro %}
+set default={{ default }}
+set timeout={{ timeout }}
+{% if console_type == 'ttyS' %}
+serial --unit={{ console_num }} --speed=115200
+{% else %}
+serial --unit=0 --speed=115200
+{% endif %}
+terminal_output --append serial
+terminal_input serial console
+{% for mod in modules %}
+insmod {{ mod }}
+{% endfor %}
+{% if root %}
+set root={{ root }}
+{% endif %}
+{% if search_root %}
+{{ search_root }}
+{% endif %}
+
+{% for v in versions %}
+menuentry "{{ menu_name(v.bootmode) }} {{ v.version }} ({{ console_name(v.console_type) }} console)" {
+    linux /boot/{{ v.version }}/vmlinuz {{ v.boot_opts }} {{ console_opts(v.console_type) }} {{ passwd_opts(v.bootmode) }}
+    initrd /boot/{{ v.version }}/initrd.img
+}
+{% endfor %}
diff --git a/data/templates/grub/grub_main.j2 b/data/templates/grub/grub_main.j2
new file mode 100644
index 000000000..0c7ea0202
--- /dev/null
+++ b/data/templates/grub/grub_main.j2
@@ -0,0 +1,7 @@
+load_env
+insmod regexp
+
+for cfgfile in ${prefix}/grub.cfg.d/*-autoload.cfg
+do
+    source ${cfgfile}
+done
diff --git a/data/templates/grub/grub_menu.j2 b/data/templates/grub/grub_menu.j2
new file mode 100644
index 000000000..e73005f5d
--- /dev/null
+++ b/data/templates/grub/grub_menu.j2
@@ -0,0 +1,5 @@
+for cfgfile in ${config_directory}/vyos-versions/*.cfg
+do
+    source "${cfgfile}"
+done
+source ${config_directory}/50-vyos-options.cfg
diff --git a/data/templates/grub/grub_modules.j2 b/data/templates/grub/grub_modules.j2
new file mode 100644
index 000000000..24b540c9d
--- /dev/null
+++ b/data/templates/grub/grub_modules.j2
@@ -0,0 +1,3 @@
+{% for mod_name in mods_list %}
+insmod {{ mod_name | e }}
+{% endfor %}
diff --git a/data/templates/grub/grub_options.j2 b/data/templates/grub/grub_options.j2
new file mode 100644
index 000000000..c8a1472e1
--- /dev/null
+++ b/data/templates/grub/grub_options.j2
@@ -0,0 +1,52 @@
+submenu "Boot options" {
+    submenu "Select boot mode" {
+        menuentry "Normal" {
+            set bootmode="normal"
+            export bootmode
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "Password reset" {
+            set bootmode="pw_reset"
+            export bootmode
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "System recovery" {
+            set bootmode="recovery"
+            export bootmode
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "Load the whole root filesystem to RAM" {
+            set boot_toram="yes"
+            export boot_toram
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+    }
+    submenu "Select console type" {
+        menuentry "tty (graphical)" {
+            set console_type="tty"
+            export console_type
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "ttyS (serial)" {
+            set console_type="ttyS"
+            export console_type
+            setup_serial
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "ttyUSB (USB serial)" {
+            set console_type="ttyUSB"
+            export console_type
+            setup_serial
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+    }
+    menuentry "Enter console number" {
+        read console_num
+        export console_num
+        setup_serial
+        configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+    }
+    menuentry "Current: boot mode: ${bootmode}, console: ${console_type}${console_num}" {
+        echo
+    }
+}
diff --git a/data/templates/grub/grub_vars.j2 b/data/templates/grub/grub_vars.j2
new file mode 100644
index 000000000..e0002e8d8
--- /dev/null
+++ b/data/templates/grub/grub_vars.j2
@@ -0,0 +1,4 @@
+{% for var_name, var_value in vars.items() %}
+set {{ var_name | e }}="{{ var_value | e }}"
+export {{ var_name | e }}
+{% endfor %}
diff --git a/data/templates/grub/grub_vyos_version.j2 b/data/templates/grub/grub_vyos_version.j2
new file mode 100644
index 000000000..97fbe8473
--- /dev/null
+++ b/data/templates/grub/grub_vyos_version.j2
@@ -0,0 +1,22 @@
+{% set boot_opts_default = "boot=live rootdelay=5 noautologin net.ifnames=0 biosdevname=0 vyos-union=/boot/" + version_name %}
+{% if boot_opts != '' %}
+{%     set boot_opts_rendered = boot_opts %}
+{% else %}
+{%     set boot_opts_rendered = boot_opts_default %}
+{% endif %}
+menuentry "{{ version_name }}" --id {{ version_uuid }} {
+    set boot_opts="{{ boot_opts_rendered }}"
+    # load rootfs to RAM
+    if [ "${boot_toram}" == "yes" ]; then
+        set boot_opts="${boot_opts} toram"
+    fi
+    if [ "${bootmode}" == "pw_reset" ]; then
+        set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/libexec/vyos/system/standalone_root_pw_reset"
+    elif [ "${bootmode}" == "recovery" ]; then
+        set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/bin/busybox init"
+    else
+        set boot_opts="${boot_opts} console=${console_type}${console_num}"
+    fi
+    linux "/boot/{{ version_name }}/vmlinuz" ${boot_opts}
+    initrd "/boot/{{ version_name }}/initrd.img"
+}
diff --git a/src/etc/systemd/system/keepalived.service.d/override.conf b/data/templates/high-availability/10-override.conf.j2
index d91a824b9..c153f09b4 100644
--- a/src/etc/systemd/system/keepalived.service.d/override.conf
+++ b/data/templates/high-availability/10-override.conf.j2
@@ -1,3 +1,5 @@
+### Autogenerated by ${vyos_conf_scripts_dir}/high-availability.py ###
+{% set snmp = '--snmp' if vrrp.snmp is vyos_defined else '' %}
 [Unit]
 After=vyos-router.service
 # Only start if there is our configuration file - remove Debian default
@@ -10,5 +12,5 @@ KillMode=process
 Type=simple
 # Read configuration variable file if it is present
 ExecStart=
-ExecStart=/usr/sbin/keepalived --use-file /run/keepalived/keepalived.conf --pid /run/keepalived/keepalived.pid --dont-fork --snmp
+ExecStart=/usr/sbin/keepalived --use-file /run/keepalived/keepalived.conf --pid /run/keepalived/keepalived.pid --dont-fork {{ snmp }}
 PIDFile=/run/keepalived/keepalived.pid
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index b541ff309..5d17df001 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -1,64 +1,65 @@
-### Autogenerated by https.py ###
-# Default server configuration
+### Autogenerated by service_https.py ###
 
-{% for server in server_block_list %}
+{% if enable_http_redirect is vyos_defined %}
 server {
-        # SSL configuration
-        #
-{%     if server.address == '*' %}
-        listen {{ server.port }} ssl;
-        listen [::]:{{ server.port }} ssl;
-{%     else %}
-        listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl;
-{%     endif %}
+    listen 80 default_server;
+    server_name {{ hostname }};
+    return 301 https://$host$request_uri;
+}
+{% endif %}
 
-{%     for name in server.name %}
-        server_name {{ name }};
+server {
+{% if listen_address is vyos_defined %}
+{%     for address in listen_address %}
+    listen {{ address | bracketize_ipv6 }}:{{ port }} ssl;
 {%     endfor %}
+{% else %}
+    listen {{ port }} ssl;
+    listen [::]:{{ port }} ssl;
+{% endif %}
 
-        root /srv/localui;
+    server_name {{ hostname }};
+    root /srv/localui;
 
-{%     if server.certbot %}
-        ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem;
-        ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem;
-        include {{ server.certbot_dir }}/options-ssl-nginx.conf;
-        ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem;
-{%     elif server.vyos_cert %}
-        ssl_certificate {{ server.vyos_cert.crt }};
-        ssl_certificate_key {{ server.vyos_cert.key }};
-{%     else %}
-        #
-        # Self signed certs generated by the ssl-cert package
-        # Don't use them in a production server!
-        #
-        include snippets/snakeoil.conf;
+    # SSL configuration
+{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}
+    ssl_certificate {{ certificates.cert_path }};
+    ssl_certificate_key {{ certificates.key_path }};
+{%     if certificates.dh_file is vyos_defined %}
+    ssl_dhparam {{ certificates.dh_file }};
 {%     endif %}
-        ssl_protocols TLSv1.2 TLSv1.3;
+{% else %}
+    # Self signed certs generated by the ssl-cert package
+    # Don't use them in a production server!
+    include snippets/snakeoil.conf;
+{% endif %}
 
-        # proxy settings for HTTP API, if enabled; 503, if not
-        location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reset|docs|openapi.json|redoc|graphql) {
-{%     if server.api %}
-{%         if server.api.socket %}
-                proxy_pass http://unix:/run/api.sock;
-{%         else %}
-                proxy_pass http://localhost:{{ server.api.port }};
-{%         endif %}
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_read_timeout 600;
-                proxy_buffering off;
-{%     else %}
-                return 503;
-{%     endif %}
-{%     if server.allow_client %}
-{%         for client in server.allow_client %}
-                allow {{ client }};
-{%         endfor %}
-                deny all;
-{%     endif %}
-        }
+    # Improve HTTPS performance with session resumption
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }};
 
-        error_page 497 =301 https://$host:{{ server.port }}$request_uri;
-}
+    # From LetsEncrypt
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
 
-{% endfor %}
+    # proxy settings for HTTP API, if enabled; 503, if not
+    location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
+{% if api is vyos_defined %}
+        proxy_pass http://unix:/run/api.sock;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 600;
+        proxy_buffering off;
+{% else %}
+        return 503;
+{% endif %}
+{% if allow_client.address is vyos_defined %}
+{%     for address in allow_client.address %}
+        allow {{ address }};
+{%     endfor %}
+        deny all;
+{% endif %}
+    }
+    error_page 497 =301 https://$host:{{ port }}$request_uri;
+}
diff --git a/data/templates/https/vyos-http-api.service.j2 b/data/templates/https/vyos-http-api.service.j2
index fb424e06c..aa4da7666 100644
--- a/data/templates/https/vyos-http-api.service.j2
+++ b/data/templates/https/vyos-http-api.service.j2
@@ -3,9 +3,11 @@
 Description=VyOS HTTP API service
 After=vyos-router.service
 Requires=vyos-router.service
+ConditionPathExists={{ api_config_state }}
 
 [Service]
 ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server
+ExecReload=kill -HUP $MAINPID
 Type=idle
 
 SyslogIdentifier=vyos-http-api
@@ -19,4 +21,3 @@ Group=vyattacfg
 
 [Install]
 WantedBy=vyos.target
-
diff --git a/data/templates/igmp-proxy/igmpproxy.conf.j2 b/data/templates/igmp-proxy/igmpproxy.conf.j2
index ab3c9fd31..85a04de7d 100644
--- a/data/templates/igmp-proxy/igmpproxy.conf.j2
+++ b/data/templates/igmp-proxy/igmpproxy.conf.j2
@@ -1,6 +1,6 @@
 ########################################################
 #
-# autogenerated by igmp_proxy.py
+# autogenerated by protocols_igmp-proxy.py
 #
 # The configuration file must define one upstream interface, and one or more
 # downstream interfaces.
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index 60d2d1807..01dc8a4a7 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -29,8 +29,10 @@
 {% endif %}
         }
         remote {
+{% if rw_conf.authentication.client_mode == 'x509' %}
+            auth = pubkey
+{% elif rw_conf.authentication.client_mode.startswith("eap") %}
             auth = {{ rw_conf.authentication.client_mode }}
-{% if rw_conf.authentication.client_mode.startswith("eap") %}
             eap_id = %any
 {% endif %}
         }
diff --git a/data/templates/lldp/lldpd.j2 b/data/templates/lldp/lldpd.j2
index 3c499197d..2238fe1c4 100644
--- a/data/templates/lldp/lldpd.j2
+++ b/data/templates/lldp/lldpd.j2
@@ -1,2 +1,2 @@
-### Autogenerated by lldp.py ###
-DAEMON_ARGS="-M 4 {{ '-x' if snmp.enable is vyos_defined }} {{ '-c' if legacy_protocols.cdp is vyos_defined }} {{ '-e' if legacy_protocols.edp is vyos_defined }} {{ '-f' if legacy_protocols.fdp is vyos_defined }} {{ '-s' if legacy_protocols.sonmp is vyos_defined }}"
+### Autogenerated by service_lldp.py ###
+DAEMON_ARGS="-M 4 {{ '-x' if snmp is vyos_defined }} {{ '-c' if legacy_protocols.cdp is vyos_defined }} {{ '-e' if legacy_protocols.edp is vyos_defined }} {{ '-f' if legacy_protocols.fdp is vyos_defined }} {{ '-s' if legacy_protocols.sonmp is vyos_defined }}"
diff --git a/data/templates/lldp/vyos.conf.j2 b/data/templates/lldp/vyos.conf.j2
index dfa422ab8..4b4228cea 100644
--- a/data/templates/lldp/vyos.conf.j2
+++ b/data/templates/lldp/vyos.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by lldp.py ###
+### Autogenerated by service_lldp.py ###
 
 configure system platform VyOS
 configure system description "VyOS {{ version }}"
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 0a40e1ecf..849cef74d 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -1,4 +1,4 @@
-# Generated by ${vyos_conf_scripts_dir}/load-balancing-haproxy.py
+### Autogenerated by load-balancing_reverse-proxy.py ###
 
 global
     log /dev/log local0
@@ -50,13 +50,19 @@ defaults
 {% if service is vyos_defined %}
 {%     for front, front_config in service.items() %}
 frontend {{ front }}
-{%         set ssl_front =  'ssl crt /run/haproxy/' ~ front_config.ssl.certificate ~ '.pem' if front_config.ssl.certificate is vyos_defined else '' %}
+{%         set ssl_front = [] %}
+{%         if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %}
+{%             for cert in front_config.ssl.certificate %}
+{%                 set _ = ssl_front.append('crt /run/haproxy/' ~ cert ~ '.pem') %}
+{%             endfor %}
+{%         endif %}
+{%         set ssl_directive = 'ssl' if ssl_front else '' %}
 {%         if front_config.listen_address is vyos_defined %}
 {%             for address in front_config.listen_address %}
-    bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_front }}
+    bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_directive }} {{ ssl_front | join(' ') }}
 {%             endfor %}
 {%         else %}
-    bind :::{{ front_config.port }} v4v6 {{ ssl_front }}
+    bind :::{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }}
 {%         endif %}
 {%         if front_config.redirect_http_to_https is vyos_defined %}
     http-request redirect scheme https unless { ssl_fc }
@@ -146,7 +152,7 @@ backend {{ back }}
 {%         if back_config.server is vyos_defined %}
 {%             set ssl_back =  'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
 {%             for server, server_config in back_config.server.items() %}
-    server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
+    server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
 {%             endfor %}
 {%         endif %}
 {%         if back_config.timeout.check is vyos_defined %}
@@ -161,4 +167,3 @@ backend {{ back }}
 
 {%     endfor %}
 {% endif %}
-
diff --git a/data/templates/load-balancing/wlb.conf.j2 b/data/templates/load-balancing/wlb.conf.j2
index d3326b6b8..6557b6f4c 100644
--- a/data/templates/load-balancing/wlb.conf.j2
+++ b/data/templates/load-balancing/wlb.conf.j2
@@ -1,4 +1,4 @@
-# Generated by /usr/libexec/vyos/conf_mode/load-balancing-wan.py
+### Autogenerated by load-balancing_wan.py ###
 
 {% if disable_source_nat is vyos_defined %}
 disable-source-nat
@@ -41,7 +41,7 @@ health {
                 test-script {{ test_config.test_script }}
 {%                     endif %}
 {%                     if test_config.target is vyos_defined %}
-                target {{ test_config.target }} 
+                target {{ test_config.target }}
 {%                     endif %}
                 resp-time {{ test_config.resp_time | int * 1000 }}
             }
diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2
index aabca47cf..695b66abe 100644
--- a/data/templates/login/authorized_keys.j2
+++ b/data/templates/login/authorized_keys.j2
@@ -1,4 +1,4 @@
-### Automatically generated by system-login.py ###
+### Automatically generated by system_login.py ###
 
 {% if authentication.public_keys is vyos_defined %}
 {%     for key, key_options in authentication.public_keys.items() %}
@@ -6,4 +6,3 @@
 {{ key_options.options ~ ' ' if key_options.options is vyos_defined }}{{ key_options.type }} {{ key_options.key }} {{ key }}
 {%     endfor %}
 {% endif %}
-
diff --git a/data/templates/login/limits.j2 b/data/templates/login/limits.j2
index 5e2c11f35..31abc85dd 100644
--- a/data/templates/login/limits.j2
+++ b/data/templates/login/limits.j2
@@ -1,4 +1,4 @@
-# Generated by /usr/libexec/vyos/conf_mode/system-login.py
+# Generated by system_login.py
 
 {% if max_login_session is vyos_defined %}
 * - maxsyslogins {{ max_login_session }}
diff --git a/data/templates/login/nsswitch.conf.j2 b/data/templates/login/nsswitch.conf.j2
index 65dc88291..0adfb491c 100644
--- a/data/templates/login/nsswitch.conf.j2
+++ b/data/templates/login/nsswitch.conf.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+# automatically generated by system_login.py ###
 # /etc/nsswitch.conf
 #
 # Example configuration of GNU Name Service Switch functionality.
@@ -18,4 +18,3 @@ ethers:         db files
 rpc:            db files
 
 netgroup:       nis
-
diff --git a/data/templates/login/pam_radius_auth.conf.j2 b/data/templates/login/pam_radius_auth.conf.j2
index c61154753..75437ca71 100644
--- a/data/templates/login/pam_radius_auth.conf.j2
+++ b/data/templates/login/pam_radius_auth.conf.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+### Automatically generated by system_login.py ###
 # RADIUS configuration file
 
 {% if radius is vyos_defined %}
diff --git a/data/templates/login/tacplus_servers.j2 b/data/templates/login/tacplus_servers.j2
index 5a65d6e68..23e8e495e 100644
--- a/data/templates/login/tacplus_servers.j2
+++ b/data/templates/login/tacplus_servers.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+# Automatically generated by system_login.py
 # TACACS+ configuration file
 
 # This is a common file used by audisp-tacplus, libpam_tacplus, and
@@ -56,4 +56,3 @@ user_homedir=1
 
 service=shell
 protocol=ssh
-
diff --git a/data/templates/macsec/wpa_supplicant.conf.j2 b/data/templates/macsec/wpa_supplicant.conf.j2
index 1f7ba16f4..4bb762935 100644
--- a/data/templates/macsec/wpa_supplicant.conf.j2
+++ b/data/templates/macsec/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-macsec.py ###
+### Autogenerated by interfaces_macsec.py ###
 
 # see full documentation:
 # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
diff --git a/data/templates/mdns-repeater/avahi-daemon.j2 b/data/templates/mdns-repeater/avahi-daemon.conf.j2
index e0dfd897e..cc6495817 100644
--- a/data/templates/mdns-repeater/avahi-daemon.j2
+++ b/data/templates/mdns-repeater/avahi-daemon.conf.j2
@@ -1,7 +1,7 @@
-### Autogenerated by service_mdns-repeater.py ###
+### Autogenerated by service_mdns_repeater.py ###
 [server]
-use-ipv4=yes
-use-ipv6=yes
+use-ipv4={{ 'yes' if ip_version in ['ipv4', 'both'] else 'no' }}
+use-ipv6={{ 'yes' if ip_version in ['ipv6', 'both'] else 'no' }}
 allow-interfaces={{ interface | join(', ') }}
 {% if browse_domain is vyos_defined and browse_domain | length %}
 browse-domains={{ browse_domain | join(', ') }}
@@ -17,6 +17,8 @@ disable-user-service-publishing=yes
 publish-addresses=no
 publish-hinfo=no
 publish-workstation=no
+publish-aaaa-on-ipv4=no
+publish-a-on-ipv6=no
 
 [reflector]
 enable-reflector=yes
diff --git a/data/templates/mdns-repeater/override.conf.j2 b/data/templates/mdns-repeater/override.conf.j2
new file mode 100644
index 000000000..8c8187489
--- /dev/null
+++ b/data/templates/mdns-repeater/override.conf.j2
@@ -0,0 +1,7 @@
+[Unit]
+After=vyos-router.service
+ConditionPathExists={{ config_file }}
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/avahi-daemon --syslog --file {{ config_file }}
diff --git a/data/templates/ndppd/ndppd.conf.j2 b/data/templates/ndppd/ndppd.conf.j2
index 120fa0a64..6369dbdeb 100644
--- a/data/templates/ndppd/ndppd.conf.j2
+++ b/data/templates/ndppd/ndppd.conf.j2
@@ -1,44 +1,35 @@
-########################################################
-#
-# autogenerated by nat66.py
-#
-#   The configuration file must define one upstream
-#   interface.
-#
-#   For some services, such as nat66, because it runs
-#    stateless, it needs to rely on NDP Proxy to respond
-#   to NDP requests.
-#
-#   When using nat66 source rules, NDP Proxy needs
-#   to be enabled
-#
-########################################################
+# autogenerated by service_ndp-proxy.py
 
-{% set global = namespace(ndppd_interfaces = [],ndppd_prefixs = []) %}
-{% if source.rule is vyos_defined %}
-{%     for rule, config in source.rule.items() if config.disable is not defined %}
-{%         if config.outbound_interface is vyos_defined %}
-{%             if config.outbound_interface not in global.ndppd_interfaces %}
-{%                 set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %}
-{%             endif   %}
-{%             if config.translation.address is vyos_defined and config.translation.address | is_ip_network %}
-{%                 set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.address}] %}
-{%             endif %}
-{%         endif %}
-{%     endfor %}
-{% endif %}
+# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
+route-ttl {{ route_refresh }}
+
+{% if interface is vyos_defined %}
+# This sets up a listener, that will listen for any Neighbor Solicitation
+# messages, and respond to them according to a set of rules
+{%     for iface, iface_config in interface.items() if iface_config.disable is not vyos_defined %}
+proxy {{ iface }} {
+    # Turn on or off the router flag for Neighbor Advertisements
+    router {{ 'yes' if iface_config.enable_router_bit is vyos_defined else 'no' }}
+    # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
+    timeout {{ iface_config.timeout }}
+    # Control how long a valid or invalid entry remains in the cache (milliseconds)
+    ttl {{ iface_config.ttl }}
 
-{% for interface in global.ndppd_interfaces %}
-proxy {{ interface }} {
-    router yes
-    timeout 500
-    ttl 30000
-{%     for map in global.ndppd_prefixs %}
-{%         if map.interface == interface %}
-    rule {{ map.rule }} {
-        static
+{%         if iface_config.prefix is vyos_defined %}
+    # This is a rule that the target address is to match against. If no netmask
+    # is provided, /128 is assumed. You may have several rule sections, and the
+    # addresses may or may not overlap.
+{%             for prefix, prefix_config in iface_config.prefix.items() if prefix_config.disable is not vyos_defined %}
+    rule {{ prefix }} {
+{%                 if prefix_config.mode is vyos_defined('interface') %}
+        iface {{ prefix_config.interface }}
+{%                 else %}
+        {{ prefix_config.mode }}
+{%                 endif %}
     }
-{%         endif  %}
-{%     endfor   %}
+{%             endfor %}
+{%         endif %}
 }
-{% endfor %}
+
+{%     endfor %}
+{% endif %}
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 1401b8b26..b5e890c32 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -119,4 +119,21 @@ split-dns = {{ tmp }}
 {%     for grp in authentication.group %}
 select-group = {{ grp }}
 {%     endfor %}
-{% endif %}
\ No newline at end of file
+{% endif %}
+
+{% if http_security_headers is vyos_defined %}
+# HTTP security headers
+included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
+included-http-headers = X-Frame-Options: deny
+included-http-headers = X-Content-Type-Options: nosniff
+included-http-headers = Content-Security-Policy: default-src "none"
+included-http-headers = X-Permitted-Cross-Domain-Policies: none
+included-http-headers = Referrer-Policy: no-referrer
+included-http-headers = Clear-Site-Data: "cache","cookies","storage"
+included-http-headers = Cross-Origin-Embedder-Policy: require-corp
+included-http-headers = Cross-Origin-Opener-Policy: same-origin
+included-http-headers = Cross-Origin-Resource-Policy: same-origin
+included-http-headers = X-XSS-Protection: 0
+included-http-headers = Pragma: no-cache
+included-http-headers = Cache-control: no-store, no-cache
+{% endif %}
diff --git a/data/templates/openvpn/auth.pw.j2 b/data/templates/openvpn/auth.pw.j2
index 218121062..9f9b31e7a 100644
--- a/data/templates/openvpn/auth.pw.j2
+++ b/data/templates/openvpn/auth.pw.j2
@@ -1,4 +1,4 @@
-{# Autogenerated by interfaces-openvpn.py #}
+{# Autogenerated by interfaces_openvpn.py #}
 {% if authentication is vyos_defined %}
 {{ authentication.username }}
 {{ authentication.password }}
diff --git a/data/templates/openvpn/client.conf.j2 b/data/templates/openvpn/client.conf.j2
index 2e327e4d3..9edcdc8ae 100644
--- a/data/templates/openvpn/client.conf.j2
+++ b/data/templates/openvpn/client.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-openvpn.py ###
+### Autogenerated by interfaces_openvpn.py ###
 
 {% if ip is vyos_defined %}
 ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index f76fbbe79..64c8e8086 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-openvpn.py ###
+### Autogenerated by interfaces_openvpn.py ###
 #
 # See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 # for individual keyword definition
@@ -74,26 +74,17 @@ topology {{ server.topology }}
 {%             endif %}
 {%             for subnet in server.subnet %}
 {%                 if subnet | is_ipv4 %}
-server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
+server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} {{ 'nopool' if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined else '' }}
 {# First ip address is used as gateway. It's allows to use metrics #}
 {%                     if server.push_route is vyos_defined %}
 {%                         for route, route_config in server.push_route.items() %}
 {%                             if route | is_ipv4 %}
-push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ 'vpn_gateway' ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
 {%                             elif route | is_ipv6 %}
 push "route-ipv6 {{ route }}"
 {%                             endif %}
 {%                         endfor %}
 {%                     endif %}
-{# OpenVPN assigns the first IP address to its local interface so the pool used #}
-{# in net30 topology - where each client receives a /30 must start from the second subnet #}
-{%                     if server.topology is vyos_defined('net30') %}
-ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
-{%                     else %}
-{# OpenVPN assigns the first IP address to its local interface so the pool must #}
-{# start from the second address and end on the last address #}
-ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
-{%                     endif %}
 {%                 elif subnet | is_ipv6 %}
 server-ipv6 {{ subnet }}
 {%                 endif %}
diff --git a/data/templates/pmacct/override.conf.j2 b/data/templates/pmacct/override.conf.j2
index 213569ddc..44a100bb6 100644
--- a/data/templates/pmacct/override.conf.j2
+++ b/data/templates/pmacct/override.conf.j2
@@ -9,9 +9,9 @@ ConditionPathExists=/run/pmacct/uacctd.conf
 EnvironmentFile=
 ExecStart=
 ExecStart={{ vrf_command }}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf
+ExecStop=/usr/libexec/vyos/system/uacctd_stop.py $MAINPID 60
 WorkingDirectory=
 WorkingDirectory=/run/pmacct
-PIDFile=
-PIDFile=/run/pmacct/uacctd.pid
 Restart=always
 RestartSec=10
+KillMode=mixed
diff --git a/data/templates/pmacct/uacctd.conf.j2 b/data/templates/pmacct/uacctd.conf.j2
index 1370f8121..aae0a0619 100644
--- a/data/templates/pmacct/uacctd.conf.j2
+++ b/data/templates/pmacct/uacctd.conf.j2
@@ -1,7 +1,7 @@
 # Genereated from VyOS configuration
 daemonize: true
 promisc: false
-pidfile: /run/pmacct/uacctd.pid
+syslog: daemon
 uacctd_group: 2
 uacctd_nl_size: 2097152
 snaplen: {{ packet_length }}
diff --git a/data/templates/pppoe/peer.j2 b/data/templates/pppoe/peer.j2
index f30cefe63..efe47f369 100644
--- a/data/templates/pppoe/peer.j2
+++ b/data/templates/pppoe/peer.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-pppoe.py ###
+### Autogenerated by interfaces_pppoe.py ###
 {{ '# ' ~ description if description is vyos_defined else '' }}
 
 # Require peer to provide the local IP address if it is not
@@ -50,7 +50,7 @@ ifname {{ ifname }}
 ipparam {{ ifname }}
 debug
 mtu {{ mtu }}
-mru {{ mtu }}
+mru {{ mru }}
 
 {% if authentication is vyos_defined %}
 {{ 'user "' + authentication.username + '"' if authentication.username is vyos_defined }}
diff --git a/data/templates/rsyslog/logrotate.j2 b/data/templates/rsyslog/logrotate.j2
index cc535c48f..ea33fea4f 100644
--- a/data/templates/rsyslog/logrotate.j2
+++ b/data/templates/rsyslog/logrotate.j2
@@ -1,4 +1,4 @@
-### Autogenerated by system-syslog.py ###
+### Autogenerated by system_syslog.py ###
 /var/log/messages {
   missingok
   notifempty
diff --git a/data/templates/rsyslog/rsyslog.conf.j2 b/data/templates/rsyslog/rsyslog.conf.j2
index dff904129..97e0ee0b7 100644
--- a/data/templates/rsyslog/rsyslog.conf.j2
+++ b/data/templates/rsyslog/rsyslog.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by system-syslog.py ###
+### Autogenerated by system_syslog.py ###
 
 {% if global.marker is vyos_defined %}
 $ModLoad immark
@@ -15,7 +15,7 @@ $outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }}
 {% if global.facility is vyos_defined %}
 {%     set tmp = [] %}
 {%     for facility, facility_options in global.facility.items() %}
-{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%     endfor %}
 {{ tmp | join(';') }} :omfile:$global
 {% endif %}
@@ -27,7 +27,7 @@ $outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }}
 $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archive.size }},/usr/sbin/logrotate {{ logrotate }}
 {%         if file_options.facility is vyos_defined %}
 {%             for facility, facility_options in file_options.facility.items() %}
-{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%             endfor %}
 {%         endif %}
 {{ tmp | join(';') }} :omfile:${{ file }}
@@ -38,7 +38,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 # Console logging
 {%     set tmp = [] %}
 {%     for facility, facility_options in console.facility.items() %}
-{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%     endfor %}
 {{ tmp | join(';') }} /dev/console
 {% endif %}
@@ -49,7 +49,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 {%         set tmp = [] %}
 {%         if host_options.facility is vyos_defined %}
 {%             for facility, facility_options in host_options.facility.items() %}
-{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%             endfor %}
 {%         endif %}
 {%         if host_options.protocol is vyos_defined('tcp') %}
@@ -70,7 +70,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 {%         set tmp = [] %}
 {%         if user_options.facility is vyos_defined %}
 {%             for facility, facility_options in user_options.facility.items() %}
-{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%             endfor %}
 {%         endif %}
 {{ tmp | join(';') }} :omusrmsg:{{ username }}
diff --git a/data/templates/salt-minion/minion.j2 b/data/templates/salt-minion/minion.j2
index f4001db64..a69438f0b 100644
--- a/data/templates/salt-minion/minion.j2
+++ b/data/templates/salt-minion/minion.j2
@@ -1,4 +1,4 @@
-### Autogenerated by salt-minion.py ###
+### Autogenerated by service_salt-minion.py ###
 
 ##### Primary configuration settings #####
 ##########################################
diff --git a/data/templates/snmp/etc.snmp.conf.j2 b/data/templates/snmp/etc.snmp.conf.j2
index 8012cf6bb..c214b2266 100644
--- a/data/templates/snmp/etc.snmp.conf.j2
+++ b/data/templates/snmp/etc.snmp.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 {% if trap_source is vyos_defined %}
 clientaddr {{ trap_source }}
 {% endif %}
diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2
index 9d78d479a..b1ceb0451 100644
--- a/data/templates/snmp/etc.snmpd.conf.j2
+++ b/data/templates/snmp/etc.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 
 # non configurable defaults
 sysObjectID 1.3.6.1.4.1.44641
@@ -56,6 +56,16 @@ SysDescr {{ description }}
 {% endif %}
 agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vyos_defined }}
 
+{% if mib is vyos_defined %}
+# Interface MIB limits
+{%     if mib.interface_max is vyos_defined %}
+ifmib_max_num_ifaces {{ mib.interface_max }}
+{%     endif %}
+{%     if mib.interface is vyos_defined %}
+include_ifmib_iface_prefix {{ mib.interface | join(' ') }}
+{%     endif %}
+{% endif %}
+
 # SNMP communities
 {% if community is vyos_defined %}
 {%     for comm, comm_config in community.items() %}
diff --git a/data/templates/snmp/override.conf.j2 b/data/templates/snmp/override.conf.j2
index 443ee64db..42dc7a9d2 100644
--- a/data/templates/snmp/override.conf.j2
+++ b/data/templates/snmp/override.conf.j2
@@ -10,4 +10,3 @@ ExecStart=
 ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -f -p /run/snmpd.pid
 Restart=always
 RestartSec=10
-
diff --git a/data/templates/snmp/usr.snmpd.conf.j2 b/data/templates/snmp/usr.snmpd.conf.j2
index a713c1cec..189032bb0 100644
--- a/data/templates/snmp/usr.snmpd.conf.j2
+++ b/data/templates/snmp/usr.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 {% if v3.user is vyos_defined %}
 {%     for user, user_config in v3.user.items() %}
 {{ user_config.mode }}user {{ user }}
diff --git a/data/templates/snmp/var.snmpd.conf.j2 b/data/templates/snmp/var.snmpd.conf.j2
index 012f33aeb..afab88abc 100644
--- a/data/templates/snmp/var.snmpd.conf.j2
+++ b/data/templates/snmp/var.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 # user
 {% if v3 is vyos_defined %}
 {%     if v3.user is vyos_defined %}
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 422969ed8..650fd25e6 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
 
 # https://linux.die.net/man/5/sshd_config
 
diff --git a/data/templates/ssh/sshguard_config.j2 b/data/templates/ssh/sshguard_config.j2
index 58c6ad48d..2e7507416 100644
--- a/data/templates/ssh/sshguard_config.j2
+++ b/data/templates/ssh/sshguard_config.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
 
 {% if dynamic_protection is vyos_defined %}
 # Full path to backend executable (required, no default)
diff --git a/data/templates/ssh/sshguard_whitelist.j2 b/data/templates/ssh/sshguard_whitelist.j2
index 47a950a2b..194fa29df 100644
--- a/data/templates/ssh/sshguard_whitelist.j2
+++ b/data/templates/ssh/sshguard_whitelist.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
 
 {% if dynamic_protection.allow_from is vyos_defined %}
 {%     for address in dynamic_protection.allow_from %}
diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2
index 745a09e14..d38e53f15 100644
--- a/data/templates/sstp-client/peer.j2
+++ b/data/templates/sstp-client/peer.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-sstpc.py ###
+### Autogenerated by interfaces_sstpc.py ###
 {{ '# ' ~ description if description is vyos_defined else '' }}
 
 # Require peer to provide the local IP address if it is not
diff --git a/data/templates/system/proxy.j2 b/data/templates/system/proxy.j2
index 215c4c5c2..0737cd3f8 100644
--- a/data/templates/system/proxy.j2
+++ b/data/templates/system/proxy.j2
@@ -1,4 +1,4 @@
-# generated by system-proxy.py
+### autogenerated by system_proxy.py ###
 {% if url is vyos_defined and port is vyos_defined %}
 {# remove http:// prefix so we can inject a username/password if present #}
 export http_proxy=http://{{ username ~ ':' ~ password ~ '@' if username is vyos_defined and password is vyos_defined }}{{ url | replace('http://', '') }}:{{ port }}
diff --git a/data/templates/system/sysctl.conf.j2 b/data/templates/system/sysctl.conf.j2
index 59a19e157..db699c3d8 100644
--- a/data/templates/system/sysctl.conf.j2
+++ b/data/templates/system/sysctl.conf.j2
@@ -1,7 +1,7 @@
-# autogenerated by system_sysctl.py

-

-{% if parameter is vyos_defined %}

-{%     for k, v in parameter.items() %}

-{{ k }} = {{ v.value }}

-{%     endfor %}

-{% endif %}

+# autogenerated by system_sysctl.py
+
+{% if parameter is vyos_defined %}
+{%     for k, v in parameter.items() %}
+{{ k }} = {{ v.value }}
+{%     endfor %}
+{% endif %}
diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2
index 5852d6232..9623bdec6 100644
--- a/data/templates/telegraf/telegraf.j2
+++ b/data/templates/telegraf/telegraf.j2
@@ -90,6 +90,8 @@
 [[inputs.diskio]]
 [[inputs.mem]]
 [[inputs.net]]
+    ignore_protocol_stats = true
+[[inputs.nstat]]
 [[inputs.system]]
 [[inputs.netstat]]
 [[inputs.processes]]
diff --git a/data/templates/tftp-server/default.j2 b/data/templates/tftp-server/default.j2
index b2676e0aa..d9ce847de 100644
--- a/data/templates/tftp-server/default.j2
+++ b/data/templates/tftp-server/default.j2
@@ -1,5 +1,5 @@
 {# j2lint: disable=jinja-variable-format #}
-### Autogenerated by tftp_server.py ###
+### Autogenerated by service_tftp-server.py ###
 DAEMON_ARGS="--listen --user tftp --address {{ listen_address }} {{ "--create --umask 000" if allow_upload is vyos_defined }} --secure {{ directory }}"
 {% if vrf is vyos_defined %}
 VRF_ARGS="ip vrf exec {{ vrf }}"
diff --git a/data/templates/vpp/override.conf.j2 b/data/templates/vpp/override.conf.j2
deleted file mode 100644
index a2c2b04ed..000000000
--- a/data/templates/vpp/override.conf.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-After=
-After=vyos-router.service
-ConditionPathExists=
-ConditionPathExists=/run/vpp/vpp.conf
-
-[Service]
-EnvironmentFile=
-ExecStart=
-ExecStart=/usr/bin/vpp -c /run/vpp/vpp.conf
-WorkingDirectory=
-WorkingDirectory=/run/vpp
-Restart=always
-RestartSec=10
diff --git a/data/templates/vpp/startup.conf.j2 b/data/templates/vpp/startup.conf.j2
deleted file mode 100644
index f33539fba..000000000
--- a/data/templates/vpp/startup.conf.j2
+++ /dev/null
@@ -1,116 +0,0 @@
-# Generated by /usr/libexec/vyos/conf_mode/vpp.py
-
-unix {
-    nodaemon
-    log /var/log/vpp.log
-    full-coredump
-    cli-listen /run/vpp/cli.sock
-    gid vpp
-    # exec /etc/vpp/bootstrap.vpp
-{% if unix is vyos_defined %}
-{%     if unix.poll_sleep_usec is vyos_defined %}
-    poll-sleep-usec {{ unix.poll_sleep_usec }}
-{%     endif %}
-{% endif %}
-}
-
-{% if cpu is vyos_defined %}
-cpu {
-{%     if cpu.main_core is vyos_defined %}
-    main-core {{ cpu.main_core }}
-{%     endif %}
-{%     if cpu.corelist_workers is vyos_defined %}
-    corelist-workers {{ cpu.corelist_workers | join(',') }}
-{%     endif %}
-{%     if cpu.skip_cores is vyos_defined %}
-    skip-cores {{ cpu.skip_cores }}
-{%     endif %}
-{%     if cpu.workers is vyos_defined %}
-    workers {{ cpu.workers }}
-{%     endif %}
-}
-{% endif %}
-
-{# ip heap-size does not work now (23.06-rc2~1-g3a4e62ad4) #}
-{# vlib_call_all_config_functions: unknown input `ip  heap-size 32M ' #}
-{% if ip is vyos_defined %}
-#ip {
-#{%     if ip.heap_size is vyos_defined %}
-#    heap-size {{ ip.heap_size }}M
-#{%     endif %}
-#}
-{% endif %}
-
-{% if ip6 is vyos_defined %}
-ip6 {
-{%     if ip6.hash_buckets is vyos_defined %}
-    hash-buckets {{ ip6.hash_buckets }}
-{%     endif %}
-{%     if ip6.heap_size is vyos_defined %}
-    heap-size {{ ip6.heap_size }}M
-{%     endif %}
-}
-{% endif %}
-
-{% if l2learn is vyos_defined %}
-l2learn {
-{%     if l2learn.limit is vyos_defined %}
-    limit {{ l2learn.limit }}
-{%     endif %}
-}
-{% endif %}
-
-{% if logging is vyos_defined %}
-logging {
-{%     if logging.default_log_level is vyos_defined %}
-    default-log-level {{ logging.default_log_level }}
-{%     endif %}
-}
-{% endif %}
-
-{% if physmem is vyos_defined %}
-physmem {
-{%     if physmem.max_size is vyos_defined %}
-    max-size {{ physmem.max_size.upper() }}
-{%     endif %}
-}
-{% endif %}
-
-plugins {
-    path /usr/lib/x86_64-linux-gnu/vpp_plugins/
-    plugin default { disable }
-    plugin dpdk_plugin.so { enable }
-    plugin linux_cp_plugin.so { enable }
-    plugin linux_nl_plugin.so { enable }
-}
-
-linux-cp {
-    lcp-sync
-    lcp-auto-subint
-}
-
-dpdk {
-    # Whitelist the fake PCI address 0000:00:00.0
-    # This prevents all devices from being added to VPP-DPDK by default
-    dev 0000:00:00.0
-{% for iface, iface_config in interface.items() %}
-{%     if iface_config.pci is vyos_defined %}
-    dev {{ iface_config.pci }} {
-        name {{ iface }}
-{%         if iface_config.num_rx_desc is vyos_defined %}
-        num-rx-desc {{ iface_config.num_rx_desc }}
-{%         endif %}
-{%         if iface_config.num_tx_desc is vyos_defined %}
-        num-tx-desc {{ iface_config.num_tx_desc }}
-{%         endif %}
-{%         if iface_config.num_rx_queues is vyos_defined %}
-        num-rx-queues {{ iface_config.num_rx_queues }}
-{%         endif %}
-{%         if iface_config.num_tx_queues is vyos_defined %}
-        num-tx-queues {{ iface_config.num_tx_queues }}
-{%         endif %}
-        }
-{%     endif %}
-{% endfor %}
-    uio-bind-force
-}
diff --git a/data/templates/wifi/hostapd.conf.j2 b/data/templates/wifi/hostapd.conf.j2
index c3f32da72..83009242b 100644
--- a/data/templates/wifi/hostapd.conf.j2
+++ b/data/templates/wifi/hostapd.conf.j2
@@ -1,5 +1,5 @@
 {# j2lint: disable=operator-enclosed-by-spaces #}
-### Autogenerated by interfaces-wireless.py ###
+### Autogenerated by interfaces_wireless.py ###
 {% if description is vyos_defined %}
 # Description: {{ description }}
 # User-friendly description of device; up to 32 octets encoded in UTF-8
diff --git a/data/templates/wifi/wpa_supplicant.conf.j2 b/data/templates/wifi/wpa_supplicant.conf.j2
index 01e0d632f..ac857a04a 100644
--- a/data/templates/wifi/wpa_supplicant.conf.j2
+++ b/data/templates/wifi/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-macsec.py ###
+### Autogenerated by interfaces_wireless.py ###
 
 # see full documentation:
 # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
diff --git a/debian/control b/debian/control
index ee45a5fe3..871a1f0f7 100644
--- a/debian/control
+++ b/debian/control
@@ -39,6 +39,7 @@ Depends:
   beep,
   bmon,
   bsdmainutils,
+  certbot,
   charon-systemd,
   conntrack,
   conntrackd,
@@ -48,7 +49,8 @@ Depends:
   cron,
   curl,
   dbus,
-  ddclient (>= 3.9.1),
+  ddclient (>= 3.11.1),
+  dmidecode,
   dropbear,
   easy-rsa,
   etherwake,
@@ -62,6 +64,7 @@ Depends:
   frr-snmp,
   fuse-overlayfs,
   libpam-google-authenticator,
+  git,
   grc,
   haproxy,
   hostapd,
@@ -78,6 +81,7 @@ Depends:
   isc-dhcp-relay,
   isc-dhcp-server,
   iw,
+  jool,
   keepalived (>=2.0.5),
   lcdproc,
   lcdproc-extra-drivers,
@@ -91,7 +95,6 @@ Depends:
   libqmi-utils,
   libstrongswan-extra-plugins (>=5.9),
   libstrongswan-standard-plugins (>=5.9),
-  libvppinfra [amd64],
   libvyosconfig0,
   linux-cpupower,
   lldpd,
@@ -126,7 +129,6 @@ Depends:
   pppoe,
   procps,
   python3,
-  python3-certbot-nginx,
   python3-cryptography,
   python3-hurry.filesize,
   python3-inotify,
@@ -145,7 +147,6 @@ Depends:
   python3-tabulate,
   python3-vici (>= 5.7.2),
   python3-voluptuous,
-  python3-vpp-api [amd64],
   python3-xmltodict,
   python3-zmq,
   qrencode,
@@ -180,9 +181,6 @@ Depends:
   uidmap,
   usb-modeswitch,
   usbutils,
-  vpp [amd64],
-  vpp-plugin-core [amd64],
-  vpp-plugin-dpdk [amd64],
   vyatta-bash,
   vyatta-cfg,
   vyos-http-api-tools,
diff --git a/debian/vyos-1x.links b/debian/vyos-1x.links
index 0e2d1b841..402c91306 100644
--- a/debian/vyos-1x.links
+++ b/debian/vyos-1x.links
@@ -1 +1,2 @@
 /etc/netplug/linkup.d/vyos-python-helper /etc/netplug/linkdown.d/vyos-python-helper
+/usr/libexec/vyos/system/standalone_root_pw_reset /opt/vyatta/sbin/standalone_root_pw_reset
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index b43416152..f7ebec8bc 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -21,22 +21,9 @@ if ! grep -q '^openvpn' /etc/passwd; then
     adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
 fi
 
-# Enable 2FA/MFA support for SSH and local logins
-for file in /etc/pam.d/sshd /etc/pam.d/login
-do
-    PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth       required     pam_google_authenticator.so nullok forward_pass\n"
-    grep -qF -- "pam_google_authenticator.so" $file || \
-    sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
-done
-
-# We do not make use of a TACACS UNIX group - drop it
-if grep -q '^tacacs' /etc/group; then
-    delgroup tacacs
-fi
-
-# Both RADIUS and TACACS users belong to aaa group - this must be added first
-if ! grep -q '^aaa' /etc/group; then
-    addgroup --firstgid 1000 --quiet aaa
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+    addgroup --firstgid 1000 --quiet radius
 fi
 
 # Remove TACACS user added by base package - we use our own UID range and group
@@ -53,6 +40,11 @@ if grep -q '^tacacs' /etc/passwd; then
     fi
 fi
 
+# Remove TACACS+ PAM default profile
+if [[ -e /usr/share/pam-configs/tacplus ]]; then
+    rm /usr/share/pam-configs/tacplus
+fi
+
 # Add TACACS system users required for TACACS based system authentication
 if ! grep -q '^tacacs' /etc/passwd; then
     # Add the tacacs group and all 16 possible tacacs privilege-level users to
@@ -64,14 +56,13 @@ if ! grep -q '^tacacs' /etc/passwd; then
     level=0
     vyos_group=vyattaop
     while [ $level -lt 16 ]; do
-        adduser --quiet --system --firstuid 900 --disabled-login --ingroup users \
+        adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \
             --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
             --shell /bin/vbash tacacs${level}
         adduser --quiet tacacs${level} frrvty
         adduser --quiet tacacs${level} adm
         adduser --quiet tacacs${level} dip
         adduser --quiet tacacs${level} users
-        adduser --quiet tacacs${level} aaa
         if [ $level -lt 15 ]; then
             adduser --quiet tacacs${level} vyattaop
             adduser --quiet tacacs${level} operator
@@ -82,12 +73,12 @@ if ! grep -q '^tacacs' /etc/passwd; then
             adduser --quiet tacacs${level} frr
         fi
         level=$(( level+1 ))
-    done 2>&1 | grep -v 'User tacacs${level} already exists'
+    done 2>&1 | grep -v "User tacacs${level} already exists"
 fi
 
 # Add RADIUS operator user for RADIUS authenticated users to map to
 if ! grep -q '^radius_user' /etc/passwd; then
-    adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+    adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
         --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
         --shell /sbin/radius_shell radius_user
     adduser --quiet radius_user frrvty
@@ -96,12 +87,11 @@ if ! grep -q '^radius_user' /etc/passwd; then
     adduser --quiet radius_user adm
     adduser --quiet radius_user dip
     adduser --quiet radius_user users
-    adduser --quiet radius_user aaa
 fi
 
 # Add RADIUS admin user for RADIUS authenticated users to map to
 if ! grep -q '^radius_priv_user' /etc/passwd; then
-    adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+    adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
         --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
         --shell /sbin/radius_shell radius_priv_user
     adduser --quiet radius_priv_user frrvty
@@ -112,7 +102,6 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then
     adduser --quiet radius_priv_user disk
     adduser --quiet radius_priv_user users
     adduser --quiet radius_priv_user frr
-    adduser --quiet radius_priv_user aaa
 fi
 
 # add hostsd group for vyos-hostsd
@@ -175,7 +164,7 @@ fi
 DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/conntrackd
         /etc/default/pmacctd /etc/pmacct
         /etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf
-        /etc/ntp.conf /etc/default/ssh
+        /etc/ntp.conf /etc/default/ssh /etc/avahi/avahi-daemon.conf /etc/avahi/hosts
         /etc/powerdns /etc/default/pdns-recursor
         /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
 for tmp in $DELETE; do
@@ -203,15 +192,3 @@ systemctl enable vyos-config-cloud-init.service
 
 # Update XML cache
 python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py
-
-# T1797: disable VPP support for rolling release, should be used by developers
-# only (in the initial phase). If you wan't to enable VPP use the below command
-# on your VyOS installation:
-#
-# sudo mv /opt/vyatta/share/vyatta-cfg/vpp /opt/vyatta/share/vyatta-cfg/templates/vpp
-if [ -d /opt/vyatta/share/vyatta-cfg/templates/vpp ]; then
-    if [ -d /opt/vyatta/share/vyatta-cfg/vpp ]; then
-        rm -rf /opt/vyatta/share/vyatta-cfg/vpp
-    fi
-    mv /opt/vyatta/share/vyatta-cfg/templates/vpp /opt/vyatta/share/vyatta-cfg/vpp
-fi
diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst
index e355ffa84..fbfc85566 100644
--- a/debian/vyos-1x.preinst
+++ b/debian/vyos-1x.preinst
@@ -2,11 +2,10 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty
 dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf
 dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service
 dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd
-dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/radius
-dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus
 dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf
 dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc
 dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile
-dpkg-divert --package vyos-1x --add --no-rename /etc/sysctl.d/80-vpp.conf
 dpkg-divert --package vyos-1x --add --no-rename /etc/netplug/netplugd.conf
 dpkg-divert --package vyos-1x --add --no-rename /etc/netplug/netplug
+dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.d/45-frr.conf
+dpkg-divert --package vyos-1x --add --no-rename /lib/udev/rules.d/99-systemd.rules
diff --git a/git b/git
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/git
diff --git a/interface-definitions/dns-domain-name.xml.in b/interface-definitions/dns-domain-name.xml.in
deleted file mode 100644
index ef34ecbf5..000000000
--- a/interface-definitions/dns-domain-name.xml.in
+++ /dev/null
@@ -1,114 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
-  <node name="system">
-    <children>
-      <leafNode name="name-server" owner="${vyos_conf_scripts_dir}/host_name.py">
-        <properties>
-          <help>System Domain Name Servers (DNS)</help>
-          <priority>400</priority>
-          <completionHelp>
-            <script>${vyos_completion_dir}/list_interfaces</script>
-          </completionHelp>
-          <valueHelp>
-            <format>ipv4</format>
-            <description>Domain Name Server IPv4 address</description>
-          </valueHelp>
-          <valueHelp>
-            <format>ipv6</format>
-            <description>Domain Name Server IPv6 address</description>
-          </valueHelp>
-          <valueHelp>
-            <format>txt</format>
-            <description>Use Domain Name Server from DHCP interface</description>
-          </valueHelp>
-          <multi/>
-          <constraint>
-            <validator name="ip-address"/>
-            #include <include/constraint/interface-name.xml.i>
-          </constraint>
-        </properties>
-      </leafNode>
-      <!-- script does not use XML defaults so far -->
-      <leafNode name="host-name" owner="${vyos_conf_scripts_dir}/host_name.py">
-        <properties>
-          <help>System host name (default: vyos)</help>
-          <constraint>
-            #include <include/constraint/host-name.xml.i>
-          </constraint>
-        </properties>
-      </leafNode>
-      <leafNode name="domain-name" owner="${vyos_conf_scripts_dir}/host_name.py">
-        <properties>
-          <help>System domain name</help>
-          <constraint>
-            <validator name="fqdn"/>
-          </constraint>
-        </properties>
-      </leafNode>
-      <node name="domain-search" owner="${vyos_conf_scripts_dir}/host_name.py">
-        <properties>
-          <help>Domain Name Server (DNS) domain completion order</help>
-          <priority>400</priority>
-        </properties>
-        <children>
-          <leafNode name="domain">
-            <properties>
-              <help>DNS domain completion order</help>
-              <constraint>
-                <regex>[-a-zA-Z0-9.]+</regex>
-              </constraint>
-              <constraintErrorMessage>Invalid domain name</constraintErrorMessage>
-              <multi/>
-            </properties>
-          </leafNode>
-        </children>
-      </node>
-      <node name="static-host-mapping" owner="${vyos_conf_scripts_dir}/host_name.py">
-        <properties>
-          <help>Map host names to addresses</help>
-          <priority>400</priority>
-        </properties>
-        <children>
-          <tagNode name="host-name">
-            <properties>
-              <help>Host name for static address mapping</help>
-              <constraint>
-                #include <include/constraint/host-name.xml.i>
-              </constraint>
-              <constraintErrorMessage>Host-name must be alphanumeric and can contain hyphens</constraintErrorMessage>
-            </properties>
-            <children>
-              <leafNode name="alias">
-                <properties>
-                  <help>Alias for this address</help>
-                  <constraint>
-                    <regex>.{1,63}</regex>
-                  </constraint>
-                  <constraintErrorMessage>invalid alias hostname, needs to be between 1 and 63 charactes</constraintErrorMessage>
-                  <multi />
-                </properties>
-              </leafNode>
-              <leafNode name="inet">
-                <properties>
-                  <help>IP Address</help>
-                  <valueHelp>
-                    <format>ipv4</format>
-                    <description>IPv4 address</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>ipv6</format>
-                    <description>IPv6 address</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="ip-address"/>
-                  </constraint>
-                  <multi/>
-                </properties>
-              </leafNode>
-            </children>
-          </tagNode>
-        </children>
-      </node>
-    </children>
-  </node>
-</interfaceDefinition>
diff --git a/interface-definitions/dns-dynamic.xml.in b/interface-definitions/dns-dynamic.xml.in
deleted file mode 100644
index a0720f3aa..000000000
--- a/interface-definitions/dns-dynamic.xml.in
+++ /dev/null
@@ -1,173 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
-  <node name="service">
-    <children>
-      <node name="dns">
-        <properties>
-          <help>Domain Name System (DNS) related services</help>
-        </properties>
-        <children>
-          <node name="dynamic" owner="${vyos_conf_scripts_dir}/dns_dynamic.py">
-            <properties>
-              <help>Dynamic DNS</help>
-            </properties>
-            <children>
-              <tagNode name="address">
-                <properties>
-                  <help>Obtain IP address to send Dynamic DNS update for</help>
-                  <valueHelp>
-                    <format>txt</format>
-                    <description>Use interface to obtain the IP address</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>web</format>
-                    <description>Use HTTP(S) web request to obtain the IP address</description>
-                  </valueHelp>
-                  <completionHelp>
-                    <script>${vyos_completion_dir}/list_interfaces</script>
-                    <list>web</list>
-                  </completionHelp>
-                  <constraint>
-                    #include <include/constraint/interface-name.xml.i>
-                    <regex>web</regex>
-                  </constraint>
-                </properties>
-                <children>
-                  <node name="web-options">
-                    <properties>
-                      <help>Options when using HTTP(S) web request to obtain the IP address</help>
-                    </properties>
-                    <children>
-                      #include <include/url.xml.i>
-                      <leafNode name="skip">
-                        <properties>
-                          <help>Pattern to skip from the HTTP(S) respose</help>
-                          <valueHelp>
-                            <format>txt</format>
-                            <description>Pattern to skip from the HTTP(S) respose to extract the external IP address</description>
-                          </valueHelp>
-                        </properties>
-                      </leafNode>
-                    </children>
-                  </node>
-                  <tagNode name="rfc2136">
-                    <properties>
-                      <help>RFC2136 nsupdate configuration</help>
-                      <valueHelp>
-                        <format>txt</format>
-                        <description>RFC2136 nsupdate service name</description>
-                      </valueHelp>
-                    </properties>
-                    <children>
-                      #include <include/generic-description.xml.i>
-                      #include <include/dns/dynamic-service-host-name-server.xml.i>
-                      <leafNode name="key">
-                        <properties>
-                          <help>File containing the TSIG secret key shared with remote DNS server</help>
-                          <valueHelp>
-                            <format>filename</format>
-                            <description>File in /config/auth directory</description>
-                          </valueHelp>
-                          <constraint>
-                            <validator name="file-path" argument="--strict --parent-dir /config/auth"/>
-                          </constraint>
-                        </properties>
-                      </leafNode>
-                      #include <include/dns/time-to-live.xml.i>
-                      <leafNode name="zone">
-                        <properties>
-                          <help>Forwarding zone to be updated</help>
-                          <valueHelp>
-                            <format>txt</format>
-                            <description>RFC2136 Zone to be updated</description>
-                          </valueHelp>
-                          <constraint>
-                            <validator name="fqdn"/>
-                          </constraint>
-                        </properties>
-                      </leafNode>
-                    </children>
-                  </tagNode>
-                  <tagNode name="service">
-                    <properties>
-                      <help>Dynamic DNS configuration</help>
-                      <valueHelp>
-                        <format>txt</format>
-                        <description>Dynamic DNS service name</description>
-                      </valueHelp>
-                    </properties>
-                    <children>
-                      #include <include/generic-description.xml.i>
-                      #include <include/dns/dynamic-service-host-name-server.xml.i>
-                      #include <include/generic-username.xml.i>
-                      #include <include/generic-password.xml.i>
-                      <leafNode name="protocol">
-                        <properties>
-                          <help>ddclient protocol used for Dynamic DNS service</help>
-                          <completionHelp>
-                            <script>${vyos_completion_dir}/list_ddclient_protocols.sh</script>
-                          </completionHelp>
-                          <constraint>
-                            <validator name="ddclient-protocol"/>
-                          </constraint>
-                        </properties>
-                      </leafNode>
-                      <leafNode name="zone">
-                        <properties>
-                          <help>DNS zone to update (not used by all protocols)</help>
-                          <valueHelp>
-                            <format>txt</format>
-                            <description>Name of DNS zone</description>
-                          </valueHelp>
-                        </properties>
-                      </leafNode>
-                      <leafNode name="ip-version">
-                        <properties>
-                          <help>IP address version to use</help>
-                          <valueHelp>
-                            <format>_ipv4</format>
-                            <description>Use only IPv4 address</description>
-                          </valueHelp>
-                          <valueHelp>
-                            <format>_ipv6</format>
-                            <description>Use only IPv6 address</description>
-                          </valueHelp>
-                          <valueHelp>
-                            <format>both</format>
-                            <description>Use both IPv4 and IPv6 address</description>
-                          </valueHelp>
-                          <completionHelp>
-                            <list>ipv4 ipv6 both</list>
-                          </completionHelp>
-                          <constraint>
-                            <regex>(ipv[46]|both)</regex>
-                          </constraint>
-                          <constraintErrorMessage>IP Version must be literal 'ipv4', 'ipv6' or 'both'</constraintErrorMessage>
-                        </properties>
-                        <defaultValue>ipv4</defaultValue>
-                      </leafNode>
-                    </children>
-                  </tagNode>
-                </children>
-              </tagNode>
-              <leafNode name="timeout">
-                <properties>
-                  <help>Time in seconds to wait between DNS updates</help>
-                  <valueHelp>
-                    <format>u32:60-3600</format>
-                    <description>Time in seconds</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 60-3600"/>
-                  </constraint>
-                  <constraintErrorMessage>Timeout must be between 60 and 3600 seconds</constraintErrorMessage>
-                </properties>
-                <defaultValue>300</defaultValue>
-              </leafNode>
-            </children>
-          </node>
-        </children>
-      </node>
-    </children>
-  </node>
-</interfaceDefinition>
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 127f4b7e7..a4023058f 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -7,6 +7,46 @@
     </properties>
     <children>
       #include <include/firewall/global-options.xml.i>
+      <tagNode name="flowtable">
+        <properties>
+          <help>Flowtable</help>
+          <constraint>
+            <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+          </constraint>
+        </properties>
+        <children>
+          #include <include/generic-description.xml.i>
+          <leafNode name="interface">
+            <properties>
+              <help>Interfaces to use this flowtable</help>
+              <completionHelp>
+                <script>${vyos_completion_dir}/list_interfaces</script>
+              </completionHelp>
+              <multi/>
+            </properties>
+          </leafNode>
+          <leafNode name="offload">
+            <properties>
+              <help>Offloading method</help>
+              <completionHelp>
+                <list>hardware software</list>
+              </completionHelp>
+              <valueHelp>
+                <format>hardware</format>
+                <description>Hardware offload</description>
+              </valueHelp>
+              <valueHelp>
+                <format>software</format>
+                <description>Software offload</description>
+              </valueHelp>
+              <constraint>
+                <regex>(hardware|software)</regex>
+              </constraint>
+            </properties>
+            <defaultValue>software</defaultValue>
+          </leafNode>
+        </children>
+      </tagNode>
       <node name="group">
         <properties>
           <help>Firewall group</help>
@@ -284,6 +324,15 @@
           </tagNode>
         </children>
       </node>
+      <node name="bridge">
+        <properties>
+          <help>Bridge firewall</help>
+        </properties>
+        <children>
+          #include <include/firewall/bridge-hook-forward.xml.i>
+          #include <include/firewall/bridge-custom-name.xml.i>
+        </children>
+      </node>
       <node name="ipv4">
         <properties>
           <help>IPv4 firewall</help>
@@ -306,6 +355,148 @@
           #include <include/firewall/ipv6-custom-name.xml.i>
         </children>
       </node>
+      <tagNode name="zone">
+        <properties>
+          <help>Zone-policy</help>
+          <valueHelp>
+            <format>txt</format>
+            <description>Zone name</description>
+          </valueHelp>
+          <constraint>
+            <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+          </constraint>
+        </properties>
+        <children>
+          #include <include/generic-description.xml.i>
+          #include <include/firewall/default-log.xml.i>
+          <leafNode name="default-action">
+            <properties>
+              <help>Default-action for traffic coming into this zone</help>
+              <completionHelp>
+                <list>drop reject</list>
+              </completionHelp>
+              <valueHelp>
+                <format>drop</format>
+                <description>Drop silently</description>
+              </valueHelp>
+              <valueHelp>
+                <format>reject</format>
+                <description>Drop and notify source</description>
+              </valueHelp>
+              <constraint>
+                <regex>(drop|reject)</regex>
+              </constraint>
+            </properties>
+            <defaultValue>drop</defaultValue>
+          </leafNode>
+          <tagNode name="from">
+            <properties>
+              <help>Zone from which to filter traffic</help>
+              <completionHelp>
+                <path>firewall zone</path>
+              </completionHelp>
+            </properties>
+            <children>
+              <node name="firewall">
+                <properties>
+                  <help>Firewall options</help>
+                </properties>
+                <children>
+                  <leafNode name="ipv6-name">
+                    <properties>
+                      <help>IPv6 firewall ruleset</help>
+                      <completionHelp>
+                        <path>firewall ipv6 name</path>
+                      </completionHelp>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="name">
+                    <properties>
+                      <help>IPv4 firewall ruleset</help>
+                      <completionHelp>
+                        <path>firewall ipv4 name</path>
+                      </completionHelp>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+            </children>
+          </tagNode>
+          <leafNode name="interface">
+            <properties>
+              <help>Interface associated with zone</help>
+              <valueHelp>
+                <format>txt</format>
+                <description>Interface associated with zone</description>
+              </valueHelp>
+              <valueHelp>
+                <format>vrf</format>
+                <description>VRF associated with zone</description>
+              </valueHelp>
+              <completionHelp>
+                <script>${vyos_completion_dir}/list_interfaces</script>
+                <path>vrf name</path>
+              </completionHelp>
+              <multi/>
+            </properties>
+          </leafNode>
+          <node name="intra-zone-filtering">
+            <properties>
+              <help>Intra-zone filtering</help>
+            </properties>
+            <children>
+              <leafNode name="action">
+                <properties>
+                  <help>Action for intra-zone traffic</help>
+                  <completionHelp>
+                    <list>accept drop</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>accept</format>
+                    <description>Accept traffic</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>drop</format>
+                    <description>Drop silently</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(accept|drop)</regex>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <node name="firewall">
+                <properties>
+                  <help>Use the specified firewall chain</help>
+                </properties>
+                <children>
+                  <leafNode name="ipv6-name">
+                    <properties>
+                      <help>IPv6 firewall ruleset</help>
+                      <completionHelp>
+                        <path>firewall ipv6 name</path>
+                      </completionHelp>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="name">
+                    <properties>
+                      <help>IPv4 firewall ruleset</help>
+                      <completionHelp>
+                        <path>firewall ipv4 name</path>
+                      </completionHelp>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+            </children>
+          </node>
+          <leafNode name="local-zone">
+            <properties>
+              <help>Zone to be local-zone</help>
+              <valueless/>
+            </properties>
+          </leafNode>
+        </children>
+      </tagNode>
     </children>
   </node>
 </interfaceDefinition>
diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in
index 4f55916fa..aa23888a4 100644
--- a/interface-definitions/high-availability.xml.in
+++ b/interface-definitions/high-availability.xml.in
@@ -12,6 +12,12 @@
           <help>Virtual Router Redundancy Protocol settings</help>
         </properties>
         <children>
+          <leafNode name="snmp">
+            <properties>
+              <valueless/>
+              <help>Enable SNMP</help>
+            </properties>
+          </leafNode>
           <node name="global-parameters">
             <properties>
               <help>VRRP global parameters</help>
diff --git a/interface-definitions/include/accel-ppp/auth-protocols.xml.i b/interface-definitions/include/accel-ppp/auth-protocols.xml.i
index d43266152..4ab4753bb 100644
--- a/interface-definitions/include/accel-ppp/auth-protocols.xml.i
+++ b/interface-definitions/include/accel-ppp/auth-protocols.xml.i
@@ -1,7 +1,7 @@
 <!-- include start from accel-ppp/auth-protocols.xml.i -->
 <leafNode name="protocols">
   <properties>
-    <help>Authentication protocol for remote access peer SSTP VPN</help>
+    <help>Authentication protocol for remote access peer</help>
     <completionHelp>
       <list>pap chap mschap mschap-v2</list>
     </completionHelp>
diff --git a/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i b/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i
deleted file mode 100644
index b442a15b9..000000000
--- a/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i
+++ /dev/null
@@ -1,30 +0,0 @@
-<!-- include start from accel-ppp/client-ip-pool-name.xml.i -->
-<tagNode name="name">
-  <properties>
-    <help>Pool name</help>
-    <valueHelp>
-      <format>txt</format>
-      <description>Name of IP pool</description>
-    </valueHelp>
-    <constraint>
-      <regex>[-_a-zA-Z0-9.]+</regex>
-    </constraint>
-  </properties>
-  <children>
-    #include <include/accel-ppp/gateway-address.xml.i>
-    #include <include/accel-ppp/client-ip-pool-subnet-single.xml.i>
-    <leafNode name="next-pool">
-      <properties>
-        <help>Next pool name</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Name of IP pool</description>
-        </valueHelp>
-        <constraint>
-          <regex>[-_a-zA-Z0-9.]+</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</tagNode>
-<!-- include end -->
diff --git a/interface-definitions/include/accel-ppp/client-ip-pool-start-stop.xml.i b/interface-definitions/include/accel-ppp/client-ip-pool-start-stop.xml.i
deleted file mode 100644
index 5f4132d13..000000000
--- a/interface-definitions/include/accel-ppp/client-ip-pool-start-stop.xml.i
+++ /dev/null
@@ -1,18 +0,0 @@
-<!-- include start from accel-ppp/client-ip-pool-start-stop.xml.i -->
-<leafNode name="start">
-  <properties>
-    <help>First IP address in the pool</help>
-    <constraint>
-      <validator name="ipv4-address"/>
-    </constraint>
-  </properties>
-</leafNode>
-<leafNode name="stop">
-  <properties>
-    <help>Last IP address in the pool</help>
-    <constraint>
-      <validator name="ipv4-address"/>
-    </constraint>
-  </properties>
-</leafNode>
-<!-- include end -->
diff --git a/interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i b/interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i
deleted file mode 100644
index b93ba67d8..000000000
--- a/interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i
+++ /dev/null
@@ -1,16 +0,0 @@
-<!-- include start from accel-ppp/client-ip-pool-subnet-single.xml.i -->
-<leafNode name="subnet">
-  <properties>
-    <help>Client IP subnet (CIDR notation)</help>
-    <valueHelp>
-      <format>ipv4net</format>
-      <description>IPv4 address and prefix length</description>
-    </valueHelp>
-    <constraint>
-      <validator name="ipv4-prefix"/>
-      <validator name="ipv4-host"/>
-    </constraint>
-    <constraintErrorMessage>Not a valid IP address or prefix</constraintErrorMessage>
-  </properties>
-</leafNode>
-<!-- include end -->
diff --git a/interface-definitions/include/accel-ppp/client-ip-pool-subnet.xml.i b/interface-definitions/include/accel-ppp/client-ip-pool-subnet.xml.i
deleted file mode 100644
index 2dc71d3f9..000000000
--- a/interface-definitions/include/accel-ppp/client-ip-pool-subnet.xml.i
+++ /dev/null
@@ -1,16 +0,0 @@
-<!-- include start from accel-ppp/client-ip-pool-subnet.xml.i -->
-<leafNode name="subnet">
-  <properties>
-    <help>Client IP subnet (CIDR notation)</help>
-    <valueHelp>
-      <format>ipv4net</format>
-      <description>IPv4 address and prefix length</description>
-    </valueHelp>
-    <constraint>
-      <validator name="ipv4-prefix"/>
-    </constraint>
-    <constraintErrorMessage>Not a valid CIDR formatted prefix</constraintErrorMessage>
-    <multi />
-  </properties>
-</leafNode>
-<!-- include end -->
diff --git a/interface-definitions/include/accel-ppp/client-ip-pool.xml.i b/interface-definitions/include/accel-ppp/client-ip-pool.xml.i
new file mode 100644
index 000000000..71fe69f8d
--- /dev/null
+++ b/interface-definitions/include/accel-ppp/client-ip-pool.xml.i
@@ -0,0 +1,46 @@
+<!-- include start from accel-ppp/client-ip-pool.xml.i -->
+<tagNode name="client-ip-pool">
+  <properties>
+    <help>Client IP pool</help>
+    <valueHelp>
+      <format>txt</format>
+      <description>Name of IP pool</description>
+    </valueHelp>
+    <constraint>
+      #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
+    </constraint>
+  </properties>
+  <children>
+    <leafNode name="range">
+      <properties>
+        <help>Range of IP addresses</help>
+        <valueHelp>
+          <format>ipv4net</format>
+          <description>IPv4 prefix</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ipv4range</format>
+          <description>IPv4 address range inside /24 network</description>
+        </valueHelp>
+        <constraint>
+          <validator name="ipv4-prefix"/>
+          <validator name="ipv4-host"/>
+          <validator name="ipv4-range-mask"  argument="-m 24 -r"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="next-pool">
+      <properties>
+        <help>Next pool name</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Name of IP pool</description>
+        </valueHelp>
+        <constraint>
+          #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</tagNode>
+<!-- include end -->
diff --git a/interface-definitions/include/accel-ppp/default-pool.xml.i b/interface-definitions/include/accel-ppp/default-pool.xml.i
new file mode 100644
index 000000000..a08b066b1
--- /dev/null
+++ b/interface-definitions/include/accel-ppp/default-pool.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from accel-ppp/default-pool.xml.i -->
+<leafNode name="default-pool">
+  <properties>
+    <help>Default client IP pool name</help>
+    <valueHelp>
+      <format>txt</format>
+      <description>Default IP pool</description>
+    </valueHelp>
+    <constraint>
+      #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/accel-ppp/gateway-address-multi.xml.i b/interface-definitions/include/accel-ppp/gateway-address-multi.xml.i
new file mode 100644
index 000000000..dcc58b97a
--- /dev/null
+++ b/interface-definitions/include/accel-ppp/gateway-address-multi.xml.i
@@ -0,0 +1,17 @@
+<!-- include start from accel-ppp/gateway-address-multi.xml.i -->
+<leafNode name="gateway-address">
+  <properties>
+    <help>Gateway IP address</help>
+    <constraintErrorMessage>invalid IPv4 address</constraintErrorMessage>
+    <valueHelp>
+      <format>ipv4net</format>
+      <description>Default Gateway, mask send to the client</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv4-prefix"/>
+      <validator name="ipv4-host"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/accel-ppp/max-concurrent-sessions.xml.i b/interface-definitions/include/accel-ppp/max-concurrent-sessions.xml.i
new file mode 100644
index 000000000..f6ef41019
--- /dev/null
+++ b/interface-definitions/include/accel-ppp/max-concurrent-sessions.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from accel-ppp/max-concurrent-sessions.xml.i -->
+<leafNode name="max-concurrent-sessions">
+  <properties>
+    <help>Maximum number of concurrent session start attempts</help>
+    <valueHelp>
+      <format>u32:0-65535</format>
+      <description>Maximum number of concurrent session start attempts</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--allow-range --range 0-65535"/>
+    </constraint>
+    <constraintErrorMessage>Maximum concurent sessions must be in range 0-65535</constraintErrorMessage>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/accel-ppp/mtu-128-16384.xml.i b/interface-definitions/include/accel-ppp/mtu-128-16384.xml.i
index b4008a63b..5661bdc05 100644
--- a/interface-definitions/include/accel-ppp/mtu-128-16384.xml.i
+++ b/interface-definitions/include/accel-ppp/mtu-128-16384.xml.i
@@ -1,7 +1,7 @@
 <!-- include start from accel-ppp/mtu-128-16384.xml.i -->
 <leafNode name="mtu">
   <properties>
-    <help>Maximum Transmission Unit (MTU) - default 1492</help>
+    <help>Maximum Transmission Unit (MTU)</help>
     <constraint>
       <validator name="numeric" argument="--range 128-16384"/>
     </constraint>
diff --git a/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i b/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i
index b8dbe73b2..c0367b891 100644
--- a/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i
+++ b/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i
@@ -13,12 +13,6 @@
     <leafNode name="vendor">
       <properties>
         <help>Vendor dictionary</help>
-        <completionHelp>
-          <list>alcatel cisco microsoft mikrotik</list>
-        </completionHelp>
-        <constraint>
-          <validator name="accel-radius-dictionary" />
-        </constraint>
       </properties>
     </leafNode>
     <leafNode name="enable">
diff --git a/interface-definitions/include/bgp/afi-route-map-export-import.xml.i b/interface-definitions/include/bgp/afi-route-map-export-import.xml.i
index c218937c8..388991241 100644
--- a/interface-definitions/include/bgp/afi-route-map-export-import.xml.i
+++ b/interface-definitions/include/bgp/afi-route-map-export-import.xml.i
@@ -10,7 +10,7 @@
       <description>Route map name</description>
     </valueHelp>
     <constraint>
-      <regex>[-_a-zA-Z0-9.]+</regex>
+      #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
     </constraint>
     <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
   </properties>
@@ -26,7 +26,7 @@
       <description>Route map name</description>
     </valueHelp>
     <constraint>
-      <regex>[-_a-zA-Z0-9.]+</regex>
+      #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
     </constraint>
     <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
   </properties>
diff --git a/interface-definitions/include/bgp/bmp-monitor-afi-policy.xml.i b/interface-definitions/include/bgp/bmp-monitor-afi-policy.xml.i
new file mode 100644
index 000000000..261d60232
--- /dev/null
+++ b/interface-definitions/include/bgp/bmp-monitor-afi-policy.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from bgp/bmp-monitor-afi-policy.xml.i -->
+<leafNode name="pre-policy">
+  <properties>
+    <help>Send state before policy and filter processing</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<leafNode name="post-policy">
+  <properties>
+    <help>Send state with policy and filters applied</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i b/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i
index 75221a348..c8ad68700 100644
--- a/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i
+++ b/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i
@@ -1,4 +1,5 @@
 <!-- include start from bgp/neighbor-afi-ipv4-ipv6-common.xml.i -->
+
 <leafNode name="addpath-tx-all">
   <properties>
     <help>Use addpath to advertise all paths to a neighbor</help>
@@ -27,7 +28,7 @@
           <description>Route map name</description>
         </valueHelp>
         <constraint>
-          <regex>[-_a-zA-Z0-9.]+</regex>
+          #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
         </constraint>
         <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
       </properties>
@@ -43,7 +44,7 @@
           <description>Route map name</description>
         </valueHelp>
         <constraint>
-          <regex>[-_a-zA-Z0-9.]+</regex>
+          #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
         </constraint>
         <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
       </properties>
@@ -59,7 +60,7 @@
           <description>Route map name</description>
         </valueHelp>
         <constraint>
-          <regex>[-_a-zA-Z0-9.]+</regex>
+          #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
         </constraint>
         <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
       </properties>
@@ -156,12 +157,19 @@
   </properties>
 </leafNode>
 #include <include/bgp/afi-nexthop-self.xml.i>
-<leafNode name="remove-private-as">
+<node name="remove-private-as">
   <properties>
     <help>Remove private AS numbers from AS path in outbound route updates</help>
-    <valueless/>
   </properties>
-</leafNode>
+  <children>
+    <leafNode name="all">
+      <properties>
+        <help>Remove private AS numbers to all AS numbers in outbound route updates</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
 #include <include/bgp/afi-route-map.xml.i>
 #include <include/bgp/afi-route-reflector-client.xml.i>
 #include <include/bgp/afi-route-server-client.xml.i>
@@ -177,7 +185,7 @@
       <description>Route map name</description>
     </valueHelp>
     <constraint>
-      <regex>[-_a-zA-Z0-9.]+</regex>
+      #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
     </constraint>
     <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
   </properties>
diff --git a/interface-definitions/include/bgp/neighbor-capability.xml.i b/interface-definitions/include/bgp/neighbor-capability.xml.i
index 2bbfadf1f..c5ed3c840 100644
--- a/interface-definitions/include/bgp/neighbor-capability.xml.i
+++ b/interface-definitions/include/bgp/neighbor-capability.xml.i
@@ -16,6 +16,12 @@
         <valueless/>
       </properties>
     </leafNode>
+    <leafNode name="software-version">
+      <properties>
+        <help>Advertise Software Version capability to the peer</help>
+        <valueless/>
+      </properties>
+    </leafNode>
   </children>
 </node>
 <!-- include end -->
diff --git a/interface-definitions/include/bgp/neighbor-path-attribute.xml.i b/interface-definitions/include/bgp/neighbor-path-attribute.xml.i
index f4f2fcfa9..30568d8c6 100644
--- a/interface-definitions/include/bgp/neighbor-path-attribute.xml.i
+++ b/interface-definitions/include/bgp/neighbor-path-attribute.xml.i
@@ -16,6 +16,18 @@
         </constraint>
       </properties>
     </leafNode>
+    <leafNode name="treat-as-withdraw">
+      <properties>
+        <help>Treat-as-withdraw any incoming BGP UPDATE messages that contain the specified attribute</help>
+        <valueHelp>
+          <format>u32:1-255</format>
+          <description>Attribute number</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
   </children>
 </node>
 <!-- include end -->
diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i
index 504385b53..bb35efe94 100644
--- a/interface-definitions/include/bgp/protocol-common-config.xml.i
+++ b/interface-definitions/include/bgp/protocol-common-config.xml.i
@@ -343,6 +343,7 @@
             #include <include/route-map.xml.i>
           </children>
         </tagNode>
+          #include <include/bgp/afi-maximum-paths.xml.i>
       </children>
     </node>
     <node name="ipv4-flowspec">
@@ -805,6 +806,76 @@
             <valueless/>
           </properties>
         </leafNode>
+        <node name="default-originate">
+          <properties>
+            <help>Originate a default route</help>
+          </properties>
+          <children>
+            <leafNode name="ipv4">
+              <properties>
+                <help>IPv4 address family</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="ipv6">
+              <properties>
+                <help>IPv6 address family</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
+        <leafNode name="disable-ead-evi-rx">
+          <properties>
+            <help>Activate PE on EAD-ES even if EAD-EVI is not received</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="disable-ead-evi-tx">
+          <properties>
+            <help>Do not advertise EAD-EVI for local ESs</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <node name="ead-es-frag">
+          <properties>
+            <help>EAD ES fragment config</help>
+          </properties>
+          <children>
+            <leafNode name="evi-limit">
+              <properties>
+                <help>EVIs per-fragment</help>
+                <valueHelp>
+                  <format>u32:1-1000</format>
+                  <description>limit</description>
+                </valueHelp>
+                <constraint>
+                  <validator name="numeric" argument="--range 1-1000"/>
+                </constraint>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
+        <node name="ead-es-route-target">
+          <properties>
+            <help>EAD ES Route Target</help>
+          </properties>
+          <children>
+            <leafNode name="export">
+              <properties>
+                <help>Route Target export</help>
+                <valueHelp>
+                  <format>txt</format>
+                  <description>Route target (A.B.C.D:MN|EF:OPQR|GHJK:MN)</description>
+                </valueHelp>
+                <constraint>
+                  <validator name="bgp-rd-rt" argument="--route-target-multi"/>
+                </constraint>
+                <multi/>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
         <node name="flooding">
           <properties>
             <help>Specify handling for BUM packets</help>
@@ -838,6 +909,92 @@
     </node>
   </children>
 </node>
+<node name="bmp">
+  <properties>
+    <help>BGP Monitoring Protocol (BMP)</help>
+  </properties>
+  <children>
+    <leafNode name="mirror-buffer-limit">
+      <properties>
+        <help>Maximum memory used for buffered mirroring messages (in bytes)</help>
+        <valueHelp>
+          <format>u32:0-4294967294</format>
+          <description>Limit in bytes</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967294"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <tagNode name="target">
+      <properties>
+        <help>BMP target</help>
+      </properties>
+      <children>
+        #include <include/address-ipv4-ipv6-single.xml.i>
+        #include <include/port-number.xml.i>
+        <leafNode name="port">
+          <defaultValue>5000</defaultValue>
+        </leafNode>
+        <leafNode name="min-retry">
+          <properties>
+            <help>Minimum connection retry interval (in milliseconds)</help>
+            <valueHelp>
+              <format>u32:100-86400000</format>
+              <description>Minimum connection retry interval</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 100-86400000"/>
+            </constraint>
+          </properties>
+          <defaultValue>1000</defaultValue>
+        </leafNode>
+        <leafNode name="max-retry">
+          <properties>
+            <help>Maximum connection retry interval</help>
+            <valueHelp>
+              <format>u32:100-4294967295</format>
+              <description>Maximum connection retry interval</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 100-86400000"/>
+            </constraint>
+          </properties>
+          <defaultValue>2000</defaultValue>
+        </leafNode>
+        <leafNode name="mirror">
+          <properties>
+            <help>Send BMP route mirroring messages</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <node name="monitor">
+          <properties>
+            <help>Send BMP route monitoring messages</help>
+          </properties>
+          <children>
+            <node name="ipv4-unicast">
+              <properties>
+                <help>Address family IPv4 unicast</help>
+              </properties>
+              <children>
+                #include <include/bgp/bmp-monitor-afi-policy.xml.i>
+              </children>
+            </node>
+            <node name="ipv6-unicast">
+              <properties>
+                <help>Address family IPv6 unicast</help>
+              </properties>
+              <children>
+                #include <include/bgp/bmp-monitor-afi-policy.xml.i>
+              </children>
+            </node>
+          </children>
+        </node>
+      </children>
+    </tagNode>
+  </children>
+</node>
 <tagNode name="interface">
   <properties>
     <help>Configure interface related parameters, e.g. MPLS</help>
@@ -1541,8 +1698,10 @@
       </properties>
       <children>
         #include <include/bgp/neighbor-afi-ipv4-unicast.xml.i>
+        #include <include/bgp/neighbor-afi-ipv4-labeled-unicast.xml.i>
         #include <include/bgp/neighbor-afi-ipv4-vpn.xml.i>
         #include <include/bgp/neighbor-afi-ipv6-unicast.xml.i>
+        #include <include/bgp/neighbor-afi-ipv6-labeled-unicast.xml.i>
         #include <include/bgp/neighbor-afi-ipv6-vpn.xml.i>
         #include <include/bgp/neighbor-afi-l2vpn-evpn.xml.i>
       </children>
@@ -1568,6 +1727,66 @@
     #include <include/port-number.xml.i>
   </children>
 </tagNode>
+<node name="srv6">
+  <properties>
+    <help>Segment-Routing SRv6 configuration</help>
+  </properties>
+  <children>
+    <leafNode name="locator">
+      <properties>
+        <help>Specify SRv6 locator</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>SRv6 locator name</description>
+        </valueHelp>
+        <constraint>
+          #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="sid">
+  <properties>
+    <help>SID value for VRF</help>
+  </properties>
+  <children>
+    <node name="vpn">
+      <properties>
+        <help>Between current VRF and VPN</help>
+      </properties>
+      <children>
+        <node name="per-vrf">
+          <properties>
+            <help>SID per-VRF (both IPv4 and IPv6 address families)</help>
+          </properties>
+          <children>
+            <leafNode name="export">
+              <properties>
+                <help>For routes leaked from current VRF to VPN</help>
+                <completionHelp>
+                  <list>auto</list>
+                </completionHelp>
+                <valueHelp>
+                  <format>u32:1-1048575</format>
+                  <description>SID allocation index</description>
+                </valueHelp>
+                <valueHelp>
+                  <format>auto</format>
+                  <description>Automatically assign a label</description>
+                </valueHelp>
+                <constraint>
+                  <regex>auto</regex>
+                  <validator name="numeric" argument="--range 1-1048575"/>
+                </constraint>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
+      </children>
+    </node>
+  </children>
+</node>
 <node name="timers">
   <properties>
     <help>BGP protocol timers</help>
diff --git a/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i b/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i
new file mode 100644
index 000000000..7aeb85260
--- /dev/null
+++ b/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i
@@ -0,0 +1,3 @@
+<!-- include start from constraint/alpha-numeric-hyphen-underscore-dot.xml.i -->
+<regex>[-_a-zA-Z0-9.]+</regex>
+<!-- include end -->
diff --git a/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.i b/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.i
index ba097c6b5..399f2e1da 100644
--- a/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.i
+++ b/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.i
@@ -1,3 +1,3 @@
-<!-- include start from include/constraint/alpha-numeric-hyphen-underscore.xml.i -->
+<!-- include start from constraint/alpha-numeric-hyphen-underscore.xml.i -->
 <regex>[-_a-zA-Z0-9]+</regex>
 <!-- include end -->
diff --git a/interface-definitions/include/constraint/dhcp-client-string-option.xml.i b/interface-definitions/include/constraint/dhcp-client-string-option.xml.i
new file mode 100644
index 000000000..88257a9bb
--- /dev/null
+++ b/interface-definitions/include/constraint/dhcp-client-string-option.xml.i
@@ -0,0 +1,4 @@
+<!-- include start from constraint/dhcp-client-string-option.xml.i -->
+<regex>[-_a-zA-Z0-9\s]+</regex>
+<regex>([a-fA-F0-9][a-fA-F0-9]:){2,}[a-fA-F0-9][a-fA-F0-9]</regex>
+<!-- include end -->
diff --git a/interface-definitions/include/constraint/email.xml.i b/interface-definitions/include/constraint/email.xml.i
new file mode 100644
index 000000000..b19a88d64
--- /dev/null
+++ b/interface-definitions/include/constraint/email.xml.i
@@ -0,0 +1,3 @@
+<!-- include start from constraint/email.xml.i -->
+<regex>[^\s@]+@([^\s@.,]+\.)+[^\s@.,]{2,}</regex>
+<!-- include end -->
diff --git a/interface-definitions/include/constraint/host-name.xml.i b/interface-definitions/include/constraint/host-name.xml.i
index cc9740c16..5943772a2 100644
--- a/interface-definitions/include/constraint/host-name.xml.i
+++ b/interface-definitions/include/constraint/host-name.xml.i
@@ -1,3 +1,3 @@
-<!-- include start from constraint/host-name.xml.i -->

-<regex>[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9]</regex>

-<!-- include end -->

+<!-- include start from constraint/host-name.xml.i -->
+<regex>[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9]</regex>
+<!-- include end -->
diff --git a/interface-definitions/include/constraint/interface-name-with-wildcard-and-inverted.xml.i b/interface-definitions/include/constraint/interface-name-with-wildcard-and-inverted.xml.i
deleted file mode 100644
index 6a39041a3..000000000
--- a/interface-definitions/include/constraint/interface-name-with-wildcard-and-inverted.xml.i
+++ /dev/null
@@ -1,4 +0,0 @@
-<!-- include start from constraint/interface-name-with-wildcard-and-inverted.xml.i -->
-<regex>(\!?)(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|(\!?)lo</regex>
-<validator name="file-path --lookup-path /sys/class/net --directory"/>
-<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/constraint/interface-name.xml.i b/interface-definitions/include/constraint/interface-name.xml.i
index 1b14eabf5..3e7c4e667 100644
--- a/interface-definitions/include/constraint/interface-name.xml.i
+++ b/interface-definitions/include/constraint/interface-name.xml.i
@@ -1,4 +1,4 @@
 <!-- include start from constraint/interface-name.xml.i -->
-<regex>(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|lo</regex>
+<regex>(bond|br|dum|en|ersp|eth|gnv|ifb|ipoe|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|sstpc|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|lo</regex>
 <validator name="file-path --lookup-path /sys/class/net --directory"/>
 <!-- include end -->
diff --git a/interface-definitions/include/dns/dynamic-service-host-name-server.xml.i b/interface-definitions/include/dns/dynamic-service-host-name-server.xml.i
deleted file mode 100644
index ee1af2a36..000000000
--- a/interface-definitions/include/dns/dynamic-service-host-name-server.xml.i
+++ /dev/null
@@ -1,34 +0,0 @@
-<!-- include start from dns/dynamic-service-host-name-server.xml.i -->
-<leafNode name="host-name">
-  <properties>
-    <help>Hostname to register with Dynamic DNS service</help>
-    <constraint>
-        #include <include/constraint/host-name.xml.i>
-    </constraint>
-    <constraintErrorMessage>Host-name must be alphanumeric and can contain hyphens</constraintErrorMessage>
-    <multi/>
-  </properties>
-</leafNode>
-<leafNode name="server">
-  <properties>
-    <help>Remote Dynamic DNS server to send updates to</help>
-    <valueHelp>
-      <format>ipv4</format>
-      <description>IPv4 address of the remote server</description>
-    </valueHelp>
-    <valueHelp>
-      <format>ipv6</format>
-      <description>IPv6 address of the remote server</description>
-    </valueHelp>
-    <valueHelp>
-      <format>hostname</format>
-      <description>Fully qualified domain name of the remote server</description>
-    </valueHelp>
-    <constraint>
-      <validator name="ip-address"/>
-      <validator name="fqdn"/>
-    </constraint>
-    <constraintErrorMessage>Remote server must be IP address or fully qualified domain name</constraintErrorMessage>
-  </properties>
-</leafNode>
-<!-- include end -->
diff --git a/interface-definitions/include/dns/time-to-live.xml.i b/interface-definitions/include/dns/time-to-live.xml.i
index 5c1a1472d..000eea108 100644
--- a/interface-definitions/include/dns/time-to-live.xml.i
+++ b/interface-definitions/include/dns/time-to-live.xml.i
@@ -10,6 +10,5 @@
       <validator name="numeric" argument="--range 0-2147483647"/>
     </constraint>
   </properties>
-  <defaultValue>300</defaultValue>
 </leafNode>
 <!-- include end -->
diff --git a/interface-definitions/include/firewall/action-forward.xml.i b/interface-definitions/include/firewall/action-forward.xml.i
new file mode 100644
index 000000000..87da72c97
--- /dev/null
+++ b/interface-definitions/include/firewall/action-forward.xml.i
@@ -0,0 +1,45 @@
+<!-- include start from firewall/action-forward.xml.i -->
+<leafNode name="action">
+  <properties>
+    <help>Rule action</help>
+    <completionHelp>
+      <list>accept continue jump reject return drop queue offload</list>
+    </completionHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>reject</format>
+      <description>Reject matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>queue</format>
+      <description>Enqueue packet to userspace</description>
+    </valueHelp>
+    <valueHelp>
+      <format>offload</format>
+      <description>Offload packet via flowtable</description>
+    </valueHelp>
+    <constraint>
+      <regex>(accept|continue|jump|reject|return|drop|queue|offload)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/action-l2.xml.i b/interface-definitions/include/firewall/action-l2.xml.i
new file mode 100644
index 000000000..43fd211b4
--- /dev/null
+++ b/interface-definitions/include/firewall/action-l2.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/action-l2.xml.i -->
+<leafNode name="action">
+  <properties>
+    <help>Rule action</help>
+    <completionHelp>
+      <list>accept continue jump return drop queue</list>
+    </completionHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>queue</format>
+      <description>Enqueue packet to userspace</description>
+    </valueHelp>
+    <constraint>
+      <regex>(accept|continue|jump|return|drop|queue)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 7c6e33839..5dd1bfaff 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -3,13 +3,17 @@
   <properties>
     <help>Rule action</help>
     <completionHelp>
-      <list>accept jump reject return drop queue</list>
+      <list>accept continue jump reject return drop queue offload</list>
     </completionHelp>
     <valueHelp>
       <format>accept</format>
       <description>Accept matching entries</description>
     </valueHelp>
     <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
       <format>jump</format>
       <description>Jump to another chain</description>
     </valueHelp>
@@ -29,8 +33,12 @@
       <format>queue</format>
       <description>Enqueue packet to userspace</description>
     </valueHelp>
+    <valueHelp>
+      <format>offload</format>
+      <description>Offload packet via flowtable</description>
+    </valueHelp>
     <constraint>
-      <regex>(accept|jump|reject|return|drop|queue)</regex>
+      <regex>(accept|continue|jump|reject|return|drop|queue|offload)</regex>
     </constraint>
   </properties>
 </leafNode>
diff --git a/interface-definitions/include/firewall/bridge-custom-name.xml.i b/interface-definitions/include/firewall/bridge-custom-name.xml.i
new file mode 100644
index 000000000..654493c0e
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-custom-name.xml.i
@@ -0,0 +1,39 @@
+<!-- include start from firewall/bridge-custom-name.xml.i -->
+<tagNode name="name">
+  <properties>
+    <help>Bridge custom firewall</help>
+    <constraint>
+      <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+    </constraint>
+  </properties>
+  <children>
+    #include <include/firewall/default-action.xml.i>
+    #include <include/firewall/default-log.xml.i>
+    #include <include/generic-description.xml.i>
+    <leafNode name="default-jump-target">
+      <properties>
+        <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+        <completionHelp>
+          <path>firewall bridge name</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <tagNode name="rule">
+      <properties>
+        <help>Bridge Firewall forward filter rule number</help>
+        <valueHelp>
+          <format>u32:1-999999</format>
+          <description>Number for this firewall rule</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-999999"/>
+        </constraint>
+        <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+      </properties>
+      <children>
+        #include <include/firewall/common-rule-bridge.xml.i>
+      </children>
+    </tagNode>
+  </children>
+</tagNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/bridge-hook-forward.xml.i b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
new file mode 100644
index 000000000..99f66ec77
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
@@ -0,0 +1,35 @@
+<!-- include start from firewall/bridge-hook-forward.xml.i -->
+<node name="forward">
+  <properties>
+    <help>Bridge forward firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>Bridge firewall forward filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>Bridge Firewall forward filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-bridge.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
new file mode 100644
index 000000000..dcdd970ac
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/common-rule-bridge.xml.i -->
+#include <include/firewall/action-l2.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+<node name="destination">
+  <properties>
+    <help>Destination parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/mac-address.xml.i>
+  </children>
+</node>
+#include <include/generic-disable-node.xml.i>
+<leafNode name="jump-target">
+  <properties>
+    <help>Set jump target. Action jump must be defined to use this setting</help>
+    <completionHelp>
+      <path>firewall bridge name</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/log-options.xml.i>
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/mac-address.xml.i>
+  </children>
+</node>
+#include <include/firewall/inbound-interface.xml.i>
+#include <include/firewall/outbound-interface.xml.i>
+#include <include/firewall/match-vlan.xml.i>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index 7a2eb86d4..3b5cb724d 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -3,14 +3,11 @@
 #include <include/generic-description.xml.i>
 #include <include/firewall/dscp.xml.i>
 #include <include/firewall/packet-options.xml.i>
+#include <include/firewall/firewall-mark.xml.i>
 #include <include/firewall/connection-mark.xml.i>
+#include <include/firewall/conntrack-helper.xml.i>
 #include <include/firewall/nft-queue.xml.i>
-<leafNode name="disable">
-  <properties>
-    <help>Option to disable firewall rule</help>
-    <valueless/>
-  </properties>
-</leafNode>
+#include <include/generic-disable-node.xml.i>
 <node name="fragment">
   <properties>
     <help>IP fragment match</help>
@@ -80,45 +77,8 @@
     </leafNode>
   </children>
 </node>
-<leafNode name="log">
-  <properties>
-    <help>Option to log packets matching rule</help>
-    <completionHelp>
-      <list>enable disable</list>
-    </completionHelp>
-    <valueHelp>
-      <format>enable</format>
-      <description>Enable log</description>
-    </valueHelp>
-    <valueHelp>
-      <format>disable</format>
-      <description>Disable log</description>
-    </valueHelp>
-    <constraint>
-      <regex>(enable|disable)</regex>
-    </constraint>
-  </properties>
-</leafNode>
-<leafNode name="log">
-  <properties>
-    <help>Option to log packets matching rule</help>
-    <completionHelp>
-      <list>enable disable</list>
-    </completionHelp>
-    <valueHelp>
-      <format>enable</format>
-      <description>Enable log</description>
-    </valueHelp>
-    <valueHelp>
-      <format>disable</format>
-      <description>Disable log</description>
-    </valueHelp>
-    <constraint>
-      <regex>(enable|disable)</regex>
-    </constraint>
-  </properties>
-</leafNode>
-#include <include/firewall/rule-log-options.xml.i>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/log-options.xml.i>
 <node name="connection-status">
   <properties>
     <help>Connection status</help>
@@ -219,89 +179,7 @@
     </leafNode>
   </children>
 </node>
-<node name="state">
-  <properties>
-    <help>Session state</help>
-  </properties>
-  <children>
-    <leafNode name="established">
-      <properties>
-        <help>Established state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="invalid">
-      <properties>
-        <help>Invalid state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="new">
-      <properties>
-        <help>New state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="related">
-      <properties>
-        <help>Related state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
+#include <include/firewall/state.xml.i>
 #include <include/firewall/tcp-flags.xml.i>
 <node name="time">
   <properties>
diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
index a1071a09a..b253ee048 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -144,7 +144,7 @@
     </constraint>
   </properties>
 </leafNode>
-#include <include/firewall/rule-log-options.xml.i>
+#include <include/firewall/log-options.xml.i>
 <node name="connection-status">
   <properties>
     <help>Connection status</help>
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
deleted file mode 100644
index 7417a3c58..000000000
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ /dev/null
@@ -1,386 +0,0 @@
-<!-- include start from firewall/common-rule.xml.i -->
-#include <include/firewall/action.xml.i>
-#include <include/generic-description.xml.i>
-<node name="destination">
-  <properties>
-    <help>Destination parameters</help>
-  </properties>
-  <children>
-    #include <include/firewall/mac-address.xml.i>
-  </children>
-</node>
-<leafNode name="disable">
-  <properties>
-    <help>Option to disable firewall rule</help>
-    <valueless/>
-  </properties>
-</leafNode>
-<node name="fragment">
-  <properties>
-    <help>IP fragment match</help>
-  </properties>
-  <children>
-    <leafNode name="match-frag">
-      <properties>
-        <help>Second and further fragments of fragmented packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="match-non-frag">
-      <properties>
-        <help>Head fragments or unfragmented packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="inbound-interface">
-  <properties>
-    <help>Match inbound-interface</help>
-  </properties>
-  <children>
-    #include <include/firewall/match-interface.xml.i>
-  </children>
-</node>
-<node name="outbound-interface">
-  <properties>
-    <help>Match outbound-interface</help>
-  </properties>
-  <children>
-    #include <include/firewall/match-interface.xml.i>
-  </children>
-</node>
-<node name="ipsec">
-  <properties>
-    <help>Inbound IPsec packets</help>
-  </properties>
-  <children>
-    <leafNode name="match-ipsec">
-      <properties>
-        <help>Inbound IPsec packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="match-none">
-      <properties>
-        <help>Inbound non-IPsec packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="limit">
-  <properties>
-    <help>Rate limit using a token bucket filter</help>
-  </properties>
-  <children>
-    <leafNode name="burst">
-      <properties>
-        <help>Maximum number of packets to allow in excess of rate</help>
-        <valueHelp>
-          <format>u32:0-4294967295</format>
-          <description>Maximum number of packets to allow in excess of rate</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-4294967295"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="rate">
-      <properties>
-        <help>Maximum average matching rate</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>integer/unit (Example: 5/minute)</description>
-        </valueHelp>
-        <constraint>
-          <regex>\d+/(second|minute|hour|day)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<leafNode name="log">
-  <properties>
-    <help>Option to log packets matching rule</help>
-    <completionHelp>
-      <list>enable disable</list>
-    </completionHelp>
-    <valueHelp>
-      <format>enable</format>
-      <description>Enable log</description>
-    </valueHelp>
-    <valueHelp>
-      <format>disable</format>
-      <description>Disable log</description>
-    </valueHelp>
-    <constraint>
-      <regex>(enable|disable)</regex>
-    </constraint>
-  </properties>
-</leafNode>
-#include <include/firewall/rule-log-options.xml.i>
-<node name="connection-status">
-  <properties>
-    <help>Connection status</help>
-  </properties>
-  <children>
-    <leafNode name="nat">
-      <properties>
-        <help>NAT connection status</help>
-        <completionHelp>
-          <list>destination source</list>
-        </completionHelp>
-        <valueHelp>
-          <format>destination</format>
-          <description>Match connections that are subject to destination NAT</description>
-        </valueHelp>
-        <valueHelp>
-          <format>source</format>
-          <description>Match connections that are subject to source NAT</description>
-        </valueHelp>
-        <constraint>
-          <regex>^(destination|source)$</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<leafNode name="protocol">
-  <properties>
-    <help>Protocol to match (protocol name, number, or "all")</help>
-    <completionHelp>
-      <script>${vyos_completion_dir}/list_protocols.sh</script>
-      <list>all tcp_udp</list>
-    </completionHelp>
-    <valueHelp>
-      <format>all</format>
-      <description>All IP protocols</description>
-    </valueHelp>
-    <valueHelp>
-      <format>tcp_udp</format>
-      <description>Both TCP and UDP</description>
-    </valueHelp>
-    <valueHelp>
-      <format>u32:0-255</format>
-      <description>IP protocol number</description>
-    </valueHelp>
-    <valueHelp>
-      <format>&lt;protocol&gt;</format>
-      <description>IP protocol name</description>
-    </valueHelp>
-    <valueHelp>
-      <format>!&lt;protocol&gt;</format>
-      <description>IP protocol name</description>
-    </valueHelp>
-    <constraint>
-      <validator name="ip-protocol"/>
-    </constraint>
-  </properties>
-</leafNode>
-<node name="recent">
-  <properties>
-    <help>Parameters for matching recently seen sources</help>
-  </properties>
-  <children>
-    <leafNode name="count">
-      <properties>
-        <help>Source addresses seen more than N times</help>
-        <valueHelp>
-          <format>u32:1-255</format>
-          <description>Source addresses seen more than N times</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-255"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="time">
-      <properties>
-        <help>Source addresses seen in the last second/minute/hour</help>
-        <completionHelp>
-          <list>second minute hour</list>
-        </completionHelp>
-        <valueHelp>
-          <format>second</format>
-          <description>Source addresses seen COUNT times in the last second</description>
-        </valueHelp>
-        <valueHelp>
-          <format>minute</format>
-          <description>Source addresses seen COUNT times in the last minute</description>
-        </valueHelp>
-        <valueHelp>
-          <format>hour</format>
-          <description>Source addresses seen COUNT times in the last hour</description>
-        </valueHelp>
-        <constraint>
-          <regex>(second|minute|hour)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="source">
-  <properties>
-    <help>Source parameters</help>
-  </properties>
-  <children>
-    #include <include/firewall/address.xml.i>
-    #include <include/firewall/source-destination-group.xml.i>
-    #include <include/firewall/mac-address.xml.i>
-    #include <include/firewall/port.xml.i>
-  </children>
-</node>
-<node name="state">
-  <properties>
-    <help>Session state</help>
-  </properties>
-  <children>
-    <leafNode name="established">
-      <properties>
-        <help>Established state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="invalid">
-      <properties>
-        <help>Invalid state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="new">
-      <properties>
-        <help>New state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="related">
-      <properties>
-        <help>Related state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-#include <include/firewall/tcp-flags.xml.i>
-<node name="time">
-  <properties>
-    <help>Time to match rule</help>
-  </properties>
-  <children>
-    <leafNode name="startdate">
-      <properties>
-        <help>Date to start matching rule</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Enter date using following notation - YYYY-MM-DD</description>
-        </valueHelp>
-        <constraint>
-          <regex>(\d{4}\-\d{2}\-\d{2})</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="starttime">
-      <properties>
-        <help>Time of day to start matching rule</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Enter time using using 24 hour notation - hh:mm:ss</description>
-        </valueHelp>
-        <constraint>
-          <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="stopdate">
-      <properties>
-        <help>Date to stop matching rule</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Enter date using following notation - YYYY-MM-DD</description>
-        </valueHelp>
-        <constraint>
-          <regex>(\d{4}\-\d{2}\-\d{2})</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="stoptime">
-      <properties>
-        <help>Time of day to stop matching rule</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Enter time using using 24 hour notation - hh:mm:ss</description>
-        </valueHelp>
-        <constraint>
-          <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="weekdays">
-      <properties>
-        <help>Comma separated weekdays to match rule on</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
-        </valueHelp>
-        <valueHelp>
-          <format>u32:0-6</format>
-          <description>Day number (0 = Sunday ... 6 = Saturday)</description>
-        </valueHelp>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<!-- include end -->
diff --git a/interface-definitions/include/firewall/conntrack-helper.xml.i b/interface-definitions/include/firewall/conntrack-helper.xml.i
new file mode 100644
index 000000000..ee17f2c61
--- /dev/null
+++ b/interface-definitions/include/firewall/conntrack-helper.xml.i
@@ -0,0 +1,42 @@
+<!-- include start from firewall/conntrack-helper.xml.i -->
+<leafNode name="conntrack-helper">
+  <properties>
+    <help>Match related traffic from conntrack helpers</help>
+    <completionHelp>
+      <list>ftp h323 pptp nfs sip tftp sqlnet</list>
+    </completionHelp>
+    <valueHelp>
+      <format>ftp</format>
+      <description>Related traffic from FTP helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>h323</format>
+      <description>Related traffic from H.323 helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>pptp</format>
+      <description>Related traffic from PPTP helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>nfs</format>
+      <description>Related traffic from NFS helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>sip</format>
+      <description>Related traffic from SIP helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>tftp</format>
+      <description>Related traffic from TFTP helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>sqlnet</format>
+      <description>Related traffic from SQLNet helper</description>
+    </valueHelp>
+    <constraint>
+      <regex>(ftp|h323|pptp|nfs|sip|tftp|sqlnet)</regex>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/default-action-bridge.xml.i b/interface-definitions/include/firewall/default-action-bridge.xml.i
new file mode 100644
index 000000000..577165976
--- /dev/null
+++ b/interface-definitions/include/firewall/default-action-bridge.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/default-action-bridge.xml.i -->
+<leafNode name="default-action">
+  <properties>
+    <help>Default action for rule-set</help>
+    <completionHelp>
+      <list>drop jump return accept continue</list>
+    </completionHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <constraint>
+      <regex>(drop|jump|return|accept|continue)</regex>
+    </constraint>
+  </properties>
+  <defaultValue>drop</defaultValue>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i
index 80efaf335..6a49d800e 100644
--- a/interface-definitions/include/firewall/default-action.xml.i
+++ b/interface-definitions/include/firewall/default-action.xml.i
@@ -1,9 +1,9 @@
 <!-- include start from firewall/default-action.xml.i -->
 <leafNode name="default-action">
   <properties>
-    <help>Default-action for rule-set</help>
+    <help>Default action for rule-set</help>
     <completionHelp>
-      <list>drop jump reject return accept</list>
+      <list>drop jump reject return accept continue</list>
     </completionHelp>
     <valueHelp>
       <format>drop</format>
@@ -25,8 +25,12 @@
       <format>accept</format>
       <description>Accept if no prior rules are hit</description>
     </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
     <constraint>
-      <regex>(drop|jump|reject|return|accept)</regex>
+      <regex>(drop|jump|reject|return|accept|continue)</regex>
     </constraint>
   </properties>
   <defaultValue>drop</defaultValue>
diff --git a/interface-definitions/include/firewall/default-log.xml.i b/interface-definitions/include/firewall/default-log.xml.i
new file mode 100644
index 000000000..dceacdb89
--- /dev/null
+++ b/interface-definitions/include/firewall/default-log.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from firewall/default-log.xml.i -->
+<leafNode name="default-log">
+  <properties>
+    <help>Log packets hitting default-action</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/enable-default-log.xml.i b/interface-definitions/include/firewall/enable-default-log.xml.i
deleted file mode 100644
index 0efd8341b..000000000
--- a/interface-definitions/include/firewall/enable-default-log.xml.i
+++ /dev/null
@@ -1,8 +0,0 @@
-<!-- include start from firewall/enable-default-log.xml.i -->
-<leafNode name="enable-default-log">
-  <properties>
-    <help>Log packets hitting default-action</help>
-    <valueless/>
-  </properties>
-</leafNode>
-<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/firewall-mark.xml.i b/interface-definitions/include/firewall/firewall-mark.xml.i
new file mode 100644
index 000000000..a4cee12d8
--- /dev/null
+++ b/interface-definitions/include/firewall/firewall-mark.xml.i
@@ -0,0 +1,26 @@
+<!-- include start from firewall/firewall-mark.xml.i -->
+<leafNode name="mark">
+  <properties>
+    <help>Firewall mark</help>
+    <valueHelp>
+      <format>u32:0-2147483647</format>
+      <description>Firewall mark to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!u32:0-2147483647</format>
+      <description>Inverted Firewall mark to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;start-end&gt;</format>
+      <description>Firewall mark range to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!&lt;start-end&gt;</format>
+      <description>Firewall mark inverted range to match</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric-exclude" argument="--allow-range --range 0-2147483647"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index e655cd6ac..415d85f05 100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -167,6 +167,43 @@
       </properties>
       <defaultValue>disable</defaultValue>
     </leafNode>
+    <node name="state-policy">
+      <properties>
+        <help>Global firewall state-policy</help>
+      </properties>
+      <children>
+        <node name="established">
+          <properties>
+            <help>Global firewall policy for packets part of an established connection</help>
+          </properties>
+          <children>
+            #include <include/firewall/action-accept-drop-reject.xml.i>
+            #include <include/firewall/log.xml.i>
+            #include <include/firewall/rule-log-level.xml.i>
+          </children>
+        </node>
+        <node name="invalid">
+          <properties>
+            <help>Global firewall policy for packets part of an invalid connection</help>
+          </properties>
+          <children>
+            #include <include/firewall/action-accept-drop-reject.xml.i>
+            #include <include/firewall/log.xml.i>
+            #include <include/firewall/rule-log-level.xml.i>
+          </children>
+        </node>
+        <node name="related">
+          <properties>
+            <help>Global firewall policy for packets part of a related connection</help>
+          </properties>
+          <children>
+            #include <include/firewall/action-accept-drop-reject.xml.i>
+            #include <include/firewall/log.xml.i>
+            #include <include/firewall/rule-log-level.xml.i>
+          </children>
+        </node>
+      </children>
+    </node>
     <leafNode name="syn-cookies">
       <properties>
         <help>Policy for using TCP SYN cookies with IPv4</help>
diff --git a/interface-definitions/include/firewall/inbound-interface-no-group.xml.i b/interface-definitions/include/firewall/inbound-interface-no-group.xml.i
new file mode 100644
index 000000000..bcd4c9570
--- /dev/null
+++ b/interface-definitions/include/firewall/inbound-interface-no-group.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/inbound-interface-no-group.xml.i -->
+<node name="inbound-interface">
+  <properties>
+    <help>Match inbound-interface</help>
+  </properties>
+  <children>
+    <leafNode name="name">
+      <properties>
+        <help>Match interface</help>
+        <completionHelp>
+          <script>${vyos_completion_dir}/list_interfaces</script>
+          <path>vrf name</path>
+        </completionHelp>
+        <valueHelp>
+          <format>txt</format>
+          <description>Interface name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>txt*</format>
+          <description>Interface name with wildcard</description>
+        </valueHelp>
+        <valueHelp>
+          <format>!txt</format>
+          <description>Inverted interface name to match</description>
+        </valueHelp>
+        <constraint>
+          <regex>(\!?)(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|(\!?)lo</regex>
+          <validator name="vrf-name"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
index 9d6ecfaf2..8199d15fe 100644
--- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i
+++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
@@ -8,7 +8,7 @@
   </properties>
   <children>
     #include <include/firewall/default-action.xml.i>
-    #include <include/firewall/enable-default-log.xml.i>
+    #include <include/firewall/default-log.xml.i>
     #include <include/generic-description.xml.i>
     <leafNode name="default-jump-target">
       <properties>
@@ -33,9 +33,10 @@
       <children>
         #include <include/firewall/common-rule-ipv4.xml.i>
         #include <include/firewall/inbound-interface.xml.i>
+        #include <include/firewall/offload-target.xml.i>
         #include <include/firewall/outbound-interface.xml.i>
       </children>
     </tagNode>
   </children>
 </tagNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
index 08ee96419..de2c70482 100644
--- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
@@ -10,6 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -24,8 +25,10 @@
             <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
           </properties>
           <children>
+            #include <include/firewall/action-forward.xml.i>
             #include <include/firewall/common-rule-ipv4.xml.i>
             #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/offload-target.xml.i>
             #include <include/firewall/outbound-interface.xml.i>
           </children>
         </tagNode>
@@ -33,4 +36,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
index 32b0ec94f..5d32657ea 100644
--- a/interface-definitions/include/firewall/ipv4-hook-input.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
@@ -10,6 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -32,4 +33,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
index d50d1e93b..2b537ce5e 100644
--- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
@@ -10,6 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -32,4 +33,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
index 81610babf..5748b3927 100644
--- a/interface-definitions/include/firewall/ipv6-custom-name.xml.i
+++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
@@ -8,7 +8,7 @@
   </properties>
   <children>
     #include <include/firewall/default-action.xml.i>
-    #include <include/firewall/enable-default-log.xml.i>
+    #include <include/firewall/default-log.xml.i>
     #include <include/generic-description.xml.i>
     <leafNode name="default-jump-target">
       <properties>
@@ -33,9 +33,10 @@
       <children>
         #include <include/firewall/common-rule-ipv6.xml.i>
         #include <include/firewall/inbound-interface.xml.i>
+        #include <include/firewall/offload-target.xml.i>
         #include <include/firewall/outbound-interface.xml.i>
       </children>
     </tagNode>
   </children>
 </tagNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
index 20ab8dbe8..b53f09f59 100644
--- a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
@@ -10,6 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -24,8 +25,10 @@
             <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
           </properties>
           <children>
+            #include <include/firewall/action-forward.xml.i>
             #include <include/firewall/common-rule-ipv6.xml.i>
             #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/offload-target.xml.i>
             #include <include/firewall/outbound-interface.xml.i>
           </children>
         </tagNode>
@@ -33,4 +36,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
index e34958f28..493611fb1 100644
--- a/interface-definitions/include/firewall/ipv6-hook-input.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
@@ -10,6 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -32,4 +33,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
index eb4ea7ac3..ffe1c72b8 100644
--- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
@@ -10,6 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -32,4 +33,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/rule-log-options.xml.i b/interface-definitions/include/firewall/log-options.xml.i
index e8b0cdec3..e8b0cdec3 100644
--- a/interface-definitions/include/firewall/rule-log-options.xml.i
+++ b/interface-definitions/include/firewall/log-options.xml.i
diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i
index 46d20c1df..795ed77be 100644
--- a/interface-definitions/include/firewall/log.xml.i
+++ b/interface-definitions/include/firewall/log.xml.i
@@ -1,15 +1,7 @@
 <!-- include start from firewall/log.xml.i -->
-<node name="log">
+<leafNode name="log">
   <properties>
-    <help>Option to log packets</help>
+    <help>Log packets hitting this rule</help>
+    <valueless/>
   </properties>
-  <children>
-    <leafNode name="enable">
-      <properties>
-        <help>Enable logging</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<!-- include end -->
+</leafNode>
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i
index 7810f88ab..9f720ab37 100644
--- a/interface-definitions/include/firewall/match-interface.xml.i
+++ b/interface-definitions/include/firewall/match-interface.xml.i
@@ -1,9 +1,10 @@
 <!-- include start from firewall/match-interface.xml.i -->
-<leafNode name="interface-name">
+<leafNode name="name">
   <properties>
     <help>Match interface</help>
     <completionHelp>
       <script>${vyos_completion_dir}/list_interfaces</script>
+      <path>vrf name</path>
     </completionHelp>
     <valueHelp>
       <format>txt</format>
@@ -18,11 +19,12 @@
       <description>Inverted interface name to match</description>
     </valueHelp>
     <constraint>
-      #include <include/constraint/interface-name-with-wildcard-and-inverted.xml.i>
+      <regex>(\!?)(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|(\!?)lo</regex>
+      <validator name="vrf-name"/>
     </constraint>
   </properties>
 </leafNode>
-<leafNode name="interface-group">
+<leafNode name="group">
   <properties>
     <help>Match interface-group</help>
     <completionHelp>
@@ -38,4 +40,4 @@
     </valueHelp>
   </properties>
 </leafNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/match-vlan.xml.i b/interface-definitions/include/firewall/match-vlan.xml.i
new file mode 100644
index 000000000..d0820f7d8
--- /dev/null
+++ b/interface-definitions/include/firewall/match-vlan.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/match-vlan.xml.i -->
+<node name="vlan">
+  <properties>
+    <help>VLAN parameters</help>
+  </properties>
+  <children>
+    <leafNode name="id">
+      <properties>
+        <help>VLAN id</help>
+        <valueHelp>
+          <format>u32:0-4096</format>
+          <description>VLAN id</description>
+        </valueHelp>
+        <valueHelp>
+          <format>&lt;start-end&gt;</format>
+          <description>VLAN id range to match</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 0-4095"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="priority">
+      <properties>
+        <help>VLAN priority(pcp)</help>
+        <valueHelp>
+          <format>u32:0-7</format>
+          <description>VLAN priority</description>
+        </valueHelp>
+        <valueHelp>
+          <format>&lt;start-end&gt;</format>
+          <description>VLAN priority range to match</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 0-7"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/offload-target.xml.i b/interface-definitions/include/firewall/offload-target.xml.i
new file mode 100644
index 000000000..b1ae39100
--- /dev/null
+++ b/interface-definitions/include/firewall/offload-target.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from firewall/offload-target.xml.i -->
+<leafNode name="offload-target">
+  <properties>
+    <help>Set flowtable offload target. Action offload must be defined to use this setting</help>
+    <completionHelp>
+      <path>firewall flowtable</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/outbound-interface-no-group.xml.i b/interface-definitions/include/firewall/outbound-interface-no-group.xml.i
new file mode 100644
index 000000000..e3bace42d
--- /dev/null
+++ b/interface-definitions/include/firewall/outbound-interface-no-group.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/outbound-interface-no-group.xml.i -->
+<node name="outbound-interface">
+  <properties>
+    <help>Match outbound-interface</help>
+  </properties>
+  <children>
+    <leafNode name="name">
+      <properties>
+        <help>Match interface</help>
+        <completionHelp>
+          <script>${vyos_completion_dir}/list_interfaces</script>
+          <path>vrf name</path>
+        </completionHelp>
+        <valueHelp>
+          <format>txt</format>
+          <description>Interface name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>txt*</format>
+          <description>Interface name with wildcard</description>
+        </valueHelp>
+        <valueHelp>
+          <format>!txt</format>
+          <description>Inverted interface name to match</description>
+        </valueHelp>
+        <constraint>
+          <regex>(\!?)(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|(\!?)lo</regex>
+          <validator name="vrf-name"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/state.xml.i b/interface-definitions/include/firewall/state.xml.i
new file mode 100644
index 000000000..47ce3c91d
--- /dev/null
+++ b/interface-definitions/include/firewall/state.xml.i
@@ -0,0 +1,30 @@
+<!-- include start from firewall/state.xml.i -->
+<leafNode name="state">
+  <properties>
+    <help>Session state</help>
+    <completionHelp>
+      <list>established invalid new related</list>
+    </completionHelp>
+    <valueHelp>
+      <format>established</format>
+      <description>Established state</description>
+    </valueHelp>
+    <valueHelp>
+      <format>invalid</format>
+      <description>Invalid state</description>
+    </valueHelp>
+    <valueHelp>
+      <format>new</format>
+      <description>New state</description>
+    </valueHelp>
+    <valueHelp>
+      <format>related</format>
+      <description>Related state</description>
+    </valueHelp>
+    <constraint>
+      <regex>(established|invalid|new|related)</regex>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/interface/dhcp-options.xml.i b/interface-definitions/include/interface/dhcp-options.xml.i
index 8027769ff..733512a98 100644
--- a/interface-definitions/include/interface/dhcp-options.xml.i
+++ b/interface-definitions/include/interface/dhcp-options.xml.i
@@ -7,6 +7,13 @@
     <leafNode name="client-id">
       <properties>
         <help>Identifier used by client to identify itself to the DHCP server</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>DHCP option string</description>
+        </valueHelp>
+        <constraint>
+          #include <include/constraint/dhcp-client-string-option.xml.i>
+        </constraint>
       </properties>
     </leafNode>
     <leafNode name="host-name">
@@ -27,6 +34,25 @@
     <leafNode name="vendor-class-id">
       <properties>
         <help>Identify the vendor client type to the DHCP server</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>DHCP option string</description>
+        </valueHelp>
+        <constraint>
+          #include <include/constraint/dhcp-client-string-option.xml.i>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="user-class">
+      <properties>
+        <help>Identify to the DHCP server, user configurable option</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>DHCP option string</description>
+        </valueHelp>
+        <constraint>
+          #include <include/constraint/dhcp-client-string-option.xml.i>
+        </constraint>
       </properties>
     </leafNode>
     #include <include/interface/no-default-route.xml.i>
diff --git a/interface-definitions/include/interface/dhcpv6-options.xml.i b/interface-definitions/include/interface/dhcpv6-options.xml.i
index 5ca1d525f..68d1b172f 100644
--- a/interface-definitions/include/interface/dhcpv6-options.xml.i
+++ b/interface-definitions/include/interface/dhcpv6-options.xml.i
@@ -4,18 +4,7 @@
     <help>DHCPv6 client settings/options</help>
   </properties>
   <children>
-    <leafNode name="duid">
-      <properties>
-        <help>DHCP unique identifier (DUID) to be sent by dhcpv6 client</help>
-        <valueHelp>
-          <format>duid</format>
-          <description>DHCP unique identifier (DUID)</description>
-        </valueHelp>
-        <constraint>
-          <validator name="ipv6-duid"/>
-        </constraint>
-      </properties>
-    </leafNode>
+    #include <include/interface/duid.xml.i>
     <leafNode name="parameters-only">
       <properties>
         <help>Acquire only config parameters, no address</help>
diff --git a/interface-definitions/include/interface/duid.xml.i b/interface-definitions/include/interface/duid.xml.i
new file mode 100644
index 000000000..8d808696e
--- /dev/null
+++ b/interface-definitions/include/interface/duid.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from interface/duid.xml.i -->
+<leafNode name="duid">
+  <properties>
+    <help>DHCP unique identifier (DUID) to be sent by client</help>
+    <valueHelp>
+      <format>duid</format>
+      <description>DHCP unique identifier</description>
+    </valueHelp>
+    <constraint>
+      <regex>([0-9A-Fa-f]{2}:){0,127}([0-9A-Fa-f]{2})</regex>
+    </constraint>
+    <constraintErrorMessage>Invalid DUID, must be in the format h[[:h]...]</constraintErrorMessage>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/isis/level-1-2-leaf.xml.i b/interface-definitions/include/isis/level-1-2-leaf.xml.i
new file mode 100644
index 000000000..3703da1ed
--- /dev/null
+++ b/interface-definitions/include/isis/level-1-2-leaf.xml.i
@@ -0,0 +1,13 @@
+<!-- include start from isis/level-1-2-leaf.xml.i -->
+<leafNode name="level-1">
+  <properties>
+    <help>Match on IS-IS level-1 routes</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<leafNode name="level-2">
+  <properties>
+    <help>Match on IS-IS level-2 routes</help>
+    <valueless/>
+  </properties>
+</leafNode>
\ No newline at end of file
diff --git a/interface-definitions/include/isis/lfa-local.xml.i b/interface-definitions/include/isis/lfa-local.xml.i
new file mode 100644
index 000000000..c5bf6a3eb
--- /dev/null
+++ b/interface-definitions/include/isis/lfa-local.xml.i
@@ -0,0 +1,128 @@
+<!-- include start from isis/lfa-local.xml.i -->
+<node name="local">
+  <properties>
+    <help>Local loop free alternate options</help>
+  </properties>
+  <children>
+    <node name="load-sharing">
+      <properties>
+        <help>Load share prefixes across multiple backups</help>
+      </properties>
+      <children>
+        <node name="disable">
+          <properties>
+            <help>Disable load sharing</help>
+          </properties>
+          <children>
+            #include <include/isis/level-1-2-leaf.xml.i>
+          </children>
+        </node>
+      </children>
+    </node>
+    <node name="priority-limit">
+      <properties>
+        <help>Limit backup computation up to the prefix priority</help>
+      </properties>
+      <children>
+        <node name="medium">
+          <properties>
+            <help>Compute for critical, high, and medium priority prefixes</help>
+          </properties>
+          <children>
+            #include <include/isis/level-1-2-leaf.xml.i>
+          </children>
+        </node>
+        <node name="high">
+          <properties>
+            <help>Compute for critical, and high priority prefixes</help>
+          </properties>
+          <children>
+            #include <include/isis/level-1-2-leaf.xml.i>
+          </children>
+        </node>
+        <node name="critical">
+          <properties>
+            <help>Compute for critical priority prefixes only</help>
+          </properties>
+          <children>
+            #include <include/isis/level-1-2-leaf.xml.i>
+          </children>
+        </node>
+      </children>
+    </node>
+    <node name="tiebreaker">
+      <properties>
+        <help>Configure tiebreaker for multiple backups</help>
+      </properties>
+      <children>
+        <node name="downstream">
+          <properties>
+            <help>Prefer backup path via downstream node</help>
+          </properties>
+          <children>
+            <tagNode name="index">
+              <properties>
+                <help>Set preference order among tiebreakers</help>
+                <valueHelp>
+                  <format>u32:1-255</format>
+                    <description>The index integer value</description>
+                </valueHelp>
+                <constraint>
+                  <validator name="numeric" argument="--range 1-255"/>
+                </constraint>
+              </properties>
+              <children>
+                #include <include/isis/level-1-2-leaf.xml.i>
+              </children>
+            </tagNode>
+          </children>
+        </node>
+        <node name="lowest-backup-metric">
+          <properties>
+            <help>Prefer backup path with lowest total metric</help>
+          </properties>
+          <children>
+            <tagNode name="index">
+              <properties>
+                <help>Set preference order among tiebreakers</help>
+                <valueHelp>
+                  <format>u32:1-255</format>
+                    <description>The index integer value</description>
+                </valueHelp>
+                <constraint>
+                  <validator name="numeric" argument="--range 1-255"/>
+                </constraint>
+              </properties>
+              <children>
+                #include <include/isis/level-1-2-leaf.xml.i>
+              </children>
+            </tagNode>
+          </children>
+        </node>
+        <node name="node-protecting">
+          <properties>
+            <help>Prefer node protecting backup path</help>
+          </properties>
+          <children>
+            <tagNode name="index">
+              <properties>
+                <help>Set preference order among tiebreakers</help>
+                <valueHelp>
+                  <format>u32:1-255</format>
+                    <description>The index integer value</description>
+                </valueHelp>
+                <constraint>
+                  <validator name="numeric" argument="--range 1-255"/>
+                </constraint>
+              </properties>
+              <children>
+                #include <include/isis/level-1-2-leaf.xml.i>
+              </children>
+            </tagNode>
+          </children>
+        </node>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/isis/lfa-protocol.xml.i b/interface-definitions/include/isis/lfa-protocol.xml.i
new file mode 100644
index 000000000..cfb1a6dc1
--- /dev/null
+++ b/interface-definitions/include/isis/lfa-protocol.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from isis/lfa-protocol.xml.i -->
+<node name="lfa">
+  <properties>
+    <help>Loop free alternate functionality</help>
+  </properties>
+  <children>
+    #include <include/isis/lfa-remote.xml.i>
+    #include <include/isis/lfa-local.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/isis/lfa-remote.xml.i b/interface-definitions/include/isis/lfa-remote.xml.i
new file mode 100644
index 000000000..8434e35bf
--- /dev/null
+++ b/interface-definitions/include/isis/lfa-remote.xml.i
@@ -0,0 +1,28 @@
+<!-- include start from isis/lfa-remote.xml.i -->
+<node name="remote">
+  <properties>
+    <help>Remote loop free alternate options</help>
+  </properties>
+  <children>
+    <tagNode name="prefix-list">
+      <properties>
+        <help>Filter PQ node router ID based on prefix list</help>
+        <completionHelp>
+          <path>policy prefix-list</path>
+        </completionHelp>
+        <valueHelp>
+          <format>txt</format>
+          <description>Name of IPv4/IPv6 prefix-list</description>
+        </valueHelp>
+        <constraint>
+          #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i>
+        </constraint>
+        <constraintErrorMessage>Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
+      </properties>
+      <children>
+        #include <include/isis/level-1-2-leaf.xml.i>
+      </children>
+    </tagNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i
index 4ca7061db..404f03cb5 100644
--- a/interface-definitions/include/isis/protocol-common-config.xml.i
+++ b/interface-definitions/include/isis/protocol-common-config.xml.i
@@ -1,4 +1,16 @@
 <!-- include start from isis/protocol-common-config.xml.i -->
+<leafNode name="advertise-high-metrics">
+  <properties>
+    <help>Advertise high metric value on all interfaces</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<leafNode name="advertise-passive-only">
+  <properties>
+    <help>Advertise prefixes of passive interfaces only</help>
+    <valueless/>
+  </properties>
+</leafNode>
 <node name="area-password">
   <properties>
     <help>Configure the authentication password for an area</help>
@@ -153,6 +165,14 @@
   </properties>
 </leafNode>
 #include <include/isis/ldp-sync-protocol.xml.i>
+<node name="fast-reroute">
+  <properties>
+    <help>IS-IS fast reroute configuration</help>
+  </properties>
+  <children>
+    #include <include/isis/lfa-protocol.xml.i>
+  </children>
+</node>
 <leafNode name="net">
   <properties>
     <help>A Network Entity Title for this process (ISO only)</help>
diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i
index 6234e6195..deb13529d 100644
--- a/interface-definitions/include/nat-rule.xml.i
+++ b/interface-definitions/include/nat-rule.xml.i
@@ -34,12 +34,7 @@
         #include <include/firewall/nat-balance.xml.i>
       </children>
     </node>
-    <leafNode name="log">
-      <properties>
-        <help>NAT rule logging</help>
-        <valueless/>
-      </properties>
-    </leafNode>
+    #include <include/firewall/log.xml.i>
     <leafNode name="packet-type">
       <properties>
         <help>Packet type</help>
diff --git a/interface-definitions/include/nat64/protocol.xml.i b/interface-definitions/include/nat64/protocol.xml.i
new file mode 100644
index 000000000..a640873b5
--- /dev/null
+++ b/interface-definitions/include/nat64/protocol.xml.i
@@ -0,0 +1,27 @@
+<!-- include start from nat64/protocol.xml.i -->
+<node name="protocol">
+  <properties>
+    <help>Apply translation address to a specfic protocol</help>
+  </properties>
+  <children>
+    <leafNode name="tcp">
+      <properties>
+        <help>Transmission Control Protocol</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="udp">
+      <properties>
+        <help>User Datagram Protocol</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="icmp">
+      <properties>
+        <help>Internet Control Message Protocol</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/pim/bsm.xml.i b/interface-definitions/include/pim/bsm.xml.i
new file mode 100644
index 000000000..cc2cf14ca
--- /dev/null
+++ b/interface-definitions/include/pim/bsm.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from pim/bsm.xml.i -->
+<leafNode name="no-bsm">
+  <properties>
+    <help>Do not process bootstrap messages</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<leafNode name="no-unicast-bsm">
+  <properties>
+    <help>Do not process unicast bootstrap messages</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pim/dr-priority.xml.i b/interface-definitions/include/pim/dr-priority.xml.i
new file mode 100644
index 000000000..e4b3067c2
--- /dev/null
+++ b/interface-definitions/include/pim/dr-priority.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from pim/dr-priority.xml.i -->
+<leafNode name="dr-priority">
+  <properties>
+    <help>Designated router election priority</help>
+    <valueHelp>
+      <format>u32:1-4294967295</format>
+      <description>DR Priority</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-4294967295"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pim/hello.xml.i b/interface-definitions/include/pim/hello.xml.i
new file mode 100644
index 000000000..0c7601be7
--- /dev/null
+++ b/interface-definitions/include/pim/hello.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from pim/hello.xml.i -->
+<leafNode name="hello">
+  <properties>
+    <help>Hello Interval</help>
+    <valueHelp>
+      <format>u32:1-180</format>
+      <description>Hello Interval in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-180"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pim/join-prune-interval.xml.i b/interface-definitions/include/pim/join-prune-interval.xml.i
new file mode 100644
index 000000000..882787d3f
--- /dev/null
+++ b/interface-definitions/include/pim/join-prune-interval.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from pim/join-prune-interval.xml.i -->
+<leafNode name="join-prune-interval">
+  <properties>
+    <help>Join prune send interval</help>
+    <valueHelp>
+      <format>u32:1-65535</format>
+      <description>Interval in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-65535"/>
+    </constraint>
+  </properties>
+  <defaultValue>60</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pim/keep-alive-timer.xml.i b/interface-definitions/include/pim/keep-alive-timer.xml.i
new file mode 100644
index 000000000..0dd27d6e7
--- /dev/null
+++ b/interface-definitions/include/pim/keep-alive-timer.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from pim/keep-alive-timer.xml.i -->
+<leafNode name="keep-alive-timer">
+  <properties>
+    <help>Keep alive Timer</help>
+    <valueHelp>
+      <format>u32:1-65535</format>
+      <description>Keep alive Timer in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-65535"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pim/packets.xml.i b/interface-definitions/include/pim/packets.xml.i
new file mode 100644
index 000000000..1dc00c971
--- /dev/null
+++ b/interface-definitions/include/pim/packets.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from pim/packets.xml.i -->
+<leafNode name="packets">
+  <properties>
+    <help>Packets to process at once</help>
+    <valueHelp>
+      <format>u32:1-255</format>
+      <description>Number of packets</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-255"/>
+    </constraint>
+  </properties>
+  <defaultValue>3</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pim/passive.xml.i b/interface-definitions/include/pim/passive.xml.i
new file mode 100644
index 000000000..e4e9ca0b1
--- /dev/null
+++ b/interface-definitions/include/pim/passive.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from pim/passive.xml.i -->
+<leafNode name="passive">
+  <properties>
+    <help>Disable sending and receiving PIM control packets on the interface</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pim/register-suppress-time.xml.i b/interface-definitions/include/pim/register-suppress-time.xml.i
new file mode 100644
index 000000000..919945b52
--- /dev/null
+++ b/interface-definitions/include/pim/register-suppress-time.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from pim/register-suppress-time.xml.i -->
+<leafNode name="register-suppress-time">
+  <properties>
+    <help>Register suppress timer</help>
+    <valueHelp>
+      <format>u32:1-65535</format>
+      <description>Timer in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-65535"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pki/certificate-multi.xml.i b/interface-definitions/include/pki/certificate-multi.xml.i
new file mode 100644
index 000000000..c49c5d9b2
--- /dev/null
+++ b/interface-definitions/include/pki/certificate-multi.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from pki/certificate-multi.xml.i -->
+<leafNode name="certificate">
+  <properties>
+    <help>Certificate in PKI configuration</help>
+    <completionHelp>
+      <path>pki certificate</path>
+    </completionHelp>
+    <valueHelp>
+      <format>txt</format>
+      <description>Name of certificate in PKI configuration</description>
+    </valueHelp>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pki/dh-params.xml.i b/interface-definitions/include/pki/dh-params.xml.i
new file mode 100644
index 000000000..a422df832
--- /dev/null
+++ b/interface-definitions/include/pki/dh-params.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from pki/certificate-multi.xml.i -->
+<leafNode name="dh-params">
+  <properties>
+    <help>Diffie Hellman parameters (server only)</help>
+    <completionHelp>
+      <path>pki dh</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/local-route_rule_ipv4_address.xml.i b/interface-definitions/include/policy/local-route_rule_ipv4_address.xml.i
new file mode 100644
index 000000000..ffe73ee32
--- /dev/null
+++ b/interface-definitions/include/policy/local-route_rule_ipv4_address.xml.i
@@ -0,0 +1,20 @@
+<!-- include start from policy/local-route_rule_ipv4_address.xml.i -->
+<leafNode name="address">
+  <properties>
+    <help>IPv4 address or prefix</help>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>Address to match against</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv4net</format>
+      <description>Prefix to match against</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv4-address"/>
+      <validator name="ip-prefix"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/local-route_rule_ipv6_address.xml.i b/interface-definitions/include/policy/local-route_rule_ipv6_address.xml.i
new file mode 100644
index 000000000..d8fb6c074
--- /dev/null
+++ b/interface-definitions/include/policy/local-route_rule_ipv6_address.xml.i
@@ -0,0 +1,20 @@
+<!-- include start from policy/local-route_rule_ipv6_address.xml.i -->
+<leafNode name="address">
+  <properties>
+    <help>IPv6 address or prefix</help>
+    <valueHelp>
+      <format>ipv6</format>
+      <description>Address to match against</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv6net</format>
+      <description>Prefix to match against</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv6-address"/>
+      <validator name="ipv6-prefix"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/local-route_rule_protocol.xml.i b/interface-definitions/include/policy/local-route_rule_protocol.xml.i
new file mode 100644
index 000000000..57582eb37
--- /dev/null
+++ b/interface-definitions/include/policy/local-route_rule_protocol.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from policy/local-route_rule_protocol.xml.i -->
+<leafNode name="protocol">
+  <properties>
+    <help>Protocol to match (protocol name or number)</help>
+    <completionHelp>
+      <script>${vyos_completion_dir}/list_protocols.sh</script>
+    </completionHelp>
+    <valueHelp>
+      <format>u32:0-255</format>
+      <description>IP protocol number</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;protocol&gt;</format>
+      <description>IP protocol name</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ip-protocol"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/prefix-list.xml.i b/interface-definitions/include/policy/prefix-list.xml.i
new file mode 100644
index 000000000..5d7980ee2
--- /dev/null
+++ b/interface-definitions/include/policy/prefix-list.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from policy/prefix-list.xml.i -->
+<leafNode name="prefix-list">
+  <properties>
+    <help>Prefix-list to use</help>
+    <valueHelp>
+      <format>txt</format>
+      <description>Prefix-list to apply (IPv4)</description>
+    </valueHelp>
+    <completionHelp>
+      <path>policy prefix-list</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/prefix-list6.xml.i b/interface-definitions/include/policy/prefix-list6.xml.i
new file mode 100644
index 000000000..101702f1f
--- /dev/null
+++ b/interface-definitions/include/policy/prefix-list6.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from policy/prefix-list6.xml.i -->
+<leafNode name="prefix-list6">
+  <properties>
+    <help>Prefix-list to use</help>
+    <valueHelp>
+      <format>txt</format>
+      <description>Prefix-list to apply (IPv6)</description>
+    </valueHelp>
+    <completionHelp>
+      <path>policy prefix-list6</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i
index 216ec9bea..cbe356408 100644
--- a/interface-definitions/include/policy/route-common.xml.i
+++ b/interface-definitions/include/policy/route-common.xml.i
@@ -1,360 +1,256 @@
-<!-- include start from policy/route-common.xml.i -->

-#include <include/policy/route-rule-action.xml.i>

-#include <include/generic-description.xml.i>

-<leafNode name="disable">

-  <properties>

-    <help>Option to disable firewall rule</help>

-    <valueless/>

-  </properties>

-</leafNode>

-<node name="fragment">

-  <properties>

-    <help>IP fragment match</help>

-  </properties>

-  <children>

-    <leafNode name="match-frag">

-      <properties>

-        <help>Second and further fragments of fragmented packets</help>

-        <valueless/>

-      </properties>

-    </leafNode>

-    <leafNode name="match-non-frag">

-      <properties>

-        <help>Head fragments or unfragmented packets</help>

-        <valueless/>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-<node name="ipsec">

-  <properties>

-    <help>Inbound IPsec packets</help>

-  </properties>

-  <children>

-    <leafNode name="match-ipsec">

-      <properties>

-        <help>Inbound IPsec packets</help>

-        <valueless/>

-      </properties>

-    </leafNode>

-    <leafNode name="match-none">

-      <properties>

-        <help>Inbound non-IPsec packets</help>

-        <valueless/>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-<node name="limit">

-  <properties>

-    <help>Rate limit using a token bucket filter</help>

-  </properties>

-  <children>

-    <leafNode name="burst">

-      <properties>

-        <help>Maximum number of packets to allow in excess of rate</help>

-        <valueHelp>

-          <format>u32:0-4294967295</format>

-          <description>Maximum number of packets to allow in excess of rate</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 0-4294967295"/>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="rate">

-      <properties>

-        <help>Maximum average matching rate</help>

-        <valueHelp>

-          <format>u32:0-4294967295</format>

-          <description>Maximum average matching rate</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 0-4294967295"/>

-        </constraint>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-<leafNode name="log">

-  <properties>

-    <help>Option to log packets matching rule</help>

-    <completionHelp>

-      <list>enable disable</list>

-    </completionHelp>

-    <valueHelp>

-      <format>enable</format>

-      <description>Enable log</description>

-    </valueHelp>

-    <valueHelp>

-      <format>disable</format>

-      <description>Disable log</description>

-    </valueHelp>

-    <constraint>

-      <regex>(enable|disable)</regex>

-    </constraint>

-  </properties>

-</leafNode>

-<leafNode name="protocol">

-  <properties>

-    <help>Protocol to match (protocol name, number, or "all")</help>

-    <completionHelp>

-      <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script>

-    </completionHelp>

-    <valueHelp>

-      <format>all</format>

-      <description>All IP protocols</description>

-    </valueHelp>

-    <valueHelp>

-      <format>tcp_udp</format>

-      <description>Both TCP and UDP</description>

-    </valueHelp>

-    <valueHelp>

-      <format>0-255</format>

-      <description>IP protocol number</description>

-    </valueHelp>

-    <valueHelp>

-      <format>!&lt;protocol&gt;</format>

-      <description>IP protocol number</description>

-    </valueHelp>

-    <constraint>

-      <validator name="ip-protocol"/>

-    </constraint>

-  </properties>

-  <defaultValue>all</defaultValue>

-</leafNode>

-<node name="recent">

-  <properties>

-    <help>Parameters for matching recently seen sources</help>

-  </properties>

-  <children>

-    <leafNode name="count">

-      <properties>

-        <help>Source addresses seen more than N times</help>

-        <valueHelp>

-          <format>u32:1-255</format>

-          <description>Source addresses seen more than N times</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 1-255"/>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="time">

-      <properties>

-        <help>Source addresses seen in the last N seconds</help>

-        <valueHelp>

-          <format>u32:0-4294967295</format>

-          <description>Source addresses seen in the last N seconds</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 0-4294967295"/>

-        </constraint>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-<node name="set">

-  <properties>

-    <help>Packet modifications</help>

-  </properties>

-  <children>

-    <leafNode name="connection-mark">

-      <properties>

-        <help>Connection marking</help>

-        <valueHelp>

-          <format>u32:0-2147483647</format>

-          <description>Connection marking</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 0-2147483647"/>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="dscp">

-      <properties>

-        <help>Packet Differentiated Services Codepoint (DSCP)</help>

-        <valueHelp>

-          <format>u32:0-63</format>

-          <description>DSCP number</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 0-63"/>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="mark">

-      <properties>

-        <help>Packet marking</help>

-        <valueHelp>

-          <format>u32:1-2147483647</format>

-          <description>Packet marking</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 1-2147483647"/>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="table">

-      <properties>

-        <help>Routing table to forward packet with</help>

-        <valueHelp>

-          <format>u32:1-200</format>

-          <description>Table number</description>

-        </valueHelp>

-        <valueHelp>

-          <format>main</format>

-          <description>Main table</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 1-200"/>

-          <regex>(main)</regex>

-        </constraint>

-        <completionHelp>

-          <list>main</list>

-          <path>protocols static table</path>

-        </completionHelp>

-      </properties>

-    </leafNode>

-    <leafNode name="tcp-mss">

-      <properties>

-        <help>TCP Maximum Segment Size</help>

-        <valueHelp>

-          <format>u32:500-1460</format>

-          <description>Explicitly set TCP MSS value</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 500-1460"/>

-        </constraint>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-<node name="state">

-  <properties>

-    <help>Session state</help>

-  </properties>

-  <children>

-    <leafNode name="established">

-      <properties>

-        <help>Established state</help>

-        <completionHelp>

-          <list>enable disable</list>

-        </completionHelp>

-        <valueHelp>

-          <format>enable</format>

-          <description>Enable</description>

-        </valueHelp>

-        <valueHelp>

-          <format>disable</format>

-          <description>Disable</description>

-        </valueHelp>

-        <constraint>

-          <regex>(enable|disable)</regex>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="invalid">

-      <properties>

-        <help>Invalid state</help>

-        <completionHelp>

-          <list>enable disable</list>

-        </completionHelp>

-        <valueHelp>

-          <format>enable</format>

-          <description>Enable</description>

-        </valueHelp>

-        <valueHelp>

-          <format>disable</format>

-          <description>Disable</description>

-        </valueHelp>

-        <constraint>

-          <regex>(enable|disable)</regex>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="new">

-      <properties>

-        <help>New state</help>

-        <completionHelp>

-          <list>enable disable</list>

-        </completionHelp>

-        <valueHelp>

-          <format>enable</format>

-          <description>Enable</description>

-        </valueHelp>

-        <valueHelp>

-          <format>disable</format>

-          <description>Disable</description>

-        </valueHelp>

-        <constraint>

-          <regex>(enable|disable)</regex>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="related">

-      <properties>

-        <help>Related state</help>

-        <completionHelp>

-          <list>enable disable</list>

-        </completionHelp>

-        <valueHelp>

-          <format>enable</format>

-          <description>Enable</description>

-        </valueHelp>

-        <valueHelp>

-          <format>disable</format>

-          <description>Disable</description>

-        </valueHelp>

-        <constraint>

-          <regex>(enable|disable)</regex>

-        </constraint>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-#include <include/firewall/tcp-flags.xml.i>

-<node name="time">

-  <properties>

-    <help>Time to match rule</help>

-  </properties>

-  <children>

-    <leafNode name="monthdays">

-      <properties>

-        <help>Monthdays to match rule on</help>

-      </properties>

-    </leafNode>

-    <leafNode name="startdate">

-      <properties>

-        <help>Date to start matching rule</help>

-      </properties>

-    </leafNode>

-    <leafNode name="starttime">

-      <properties>

-        <help>Time of day to start matching rule</help>

-      </properties>

-    </leafNode>

-    <leafNode name="stopdate">

-      <properties>

-        <help>Date to stop matching rule</help>

-      </properties>

-    </leafNode>

-    <leafNode name="stoptime">

-      <properties>

-        <help>Time of day to stop matching rule</help>

-      </properties>

-    </leafNode>

-    <leafNode name="utc">

-      <properties>

-        <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help>

-        <valueless/>

-      </properties>

-    </leafNode>

-    <leafNode name="weekdays">

-      <properties>

-        <help>Weekdays to match rule on</help>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-<!-- include end -->

+<!-- include start from policy/route-common.xml.i -->
+#include <include/policy/route-rule-action.xml.i>
+#include <include/generic-description.xml.i>
+#include <include/firewall/firewall-mark.xml.i>
+#include <include/generic-disable-node.xml.i>
+<node name="fragment">
+  <properties>
+    <help>IP fragment match</help>
+  </properties>
+  <children>
+    <leafNode name="match-frag">
+      <properties>
+        <help>Second and further fragments of fragmented packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-non-frag">
+      <properties>
+        <help>Head fragments or unfragmented packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="ipsec">
+  <properties>
+    <help>Inbound IPsec packets</help>
+  </properties>
+  <children>
+    <leafNode name="match-ipsec">
+      <properties>
+        <help>Inbound IPsec packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-none">
+      <properties>
+        <help>Inbound non-IPsec packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="limit">
+  <properties>
+    <help>Rate limit using a token bucket filter</help>
+  </properties>
+  <children>
+    <leafNode name="burst">
+      <properties>
+        <help>Maximum number of packets to allow in excess of rate</help>
+        <valueHelp>
+          <format>u32:0-4294967295</format>
+          <description>Maximum number of packets to allow in excess of rate</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967295"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="rate">
+      <properties>
+        <help>Maximum average matching rate</help>
+        <valueHelp>
+          <format>u32:0-4294967295</format>
+          <description>Maximum average matching rate</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967295"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+#include <include/firewall/log.xml.i>
+<leafNode name="protocol">
+  <properties>
+    <help>Protocol to match (protocol name, number, or "all")</help>
+    <completionHelp>
+      <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script>
+    </completionHelp>
+    <valueHelp>
+      <format>all</format>
+      <description>All IP protocols</description>
+    </valueHelp>
+    <valueHelp>
+      <format>tcp_udp</format>
+      <description>Both TCP and UDP</description>
+    </valueHelp>
+    <valueHelp>
+      <format>0-255</format>
+      <description>IP protocol number</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!&lt;protocol&gt;</format>
+      <description>IP protocol number</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ip-protocol"/>
+    </constraint>
+  </properties>
+  <defaultValue>all</defaultValue>
+</leafNode>
+<node name="recent">
+  <properties>
+    <help>Parameters for matching recently seen sources</help>
+  </properties>
+  <children>
+    <leafNode name="count">
+      <properties>
+        <help>Source addresses seen more than N times</help>
+        <valueHelp>
+          <format>u32:1-255</format>
+          <description>Source addresses seen more than N times</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="time">
+      <properties>
+        <help>Source addresses seen in the last N seconds</help>
+        <valueHelp>
+          <format>u32:0-4294967295</format>
+          <description>Source addresses seen in the last N seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967295"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="set">
+  <properties>
+    <help>Packet modifications</help>
+  </properties>
+  <children>
+    <leafNode name="connection-mark">
+      <properties>
+        <help>Connection marking</help>
+        <valueHelp>
+          <format>u32:0-2147483647</format>
+          <description>Connection marking</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-2147483647"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="dscp">
+      <properties>
+        <help>Packet Differentiated Services Codepoint (DSCP)</help>
+        <valueHelp>
+          <format>u32:0-63</format>
+          <description>DSCP number</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-63"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="mark">
+      <properties>
+        <help>Packet marking</help>
+        <valueHelp>
+          <format>u32:1-2147483647</format>
+          <description>Packet marking</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-2147483647"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="table">
+      <properties>
+        <help>Routing table to forward packet with</help>
+        <valueHelp>
+          <format>u32:1-200</format>
+          <description>Table number</description>
+        </valueHelp>
+        <valueHelp>
+          <format>main</format>
+          <description>Main table</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-200"/>
+          <regex>(main)</regex>
+        </constraint>
+        <completionHelp>
+          <list>main</list>
+          <path>protocols static table</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="tcp-mss">
+      <properties>
+        <help>TCP Maximum Segment Size</help>
+        <valueHelp>
+          <format>u32:500-1460</format>
+          <description>Explicitly set TCP MSS value</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 500-1460"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+#include <include/firewall/state.xml.i>
+#include <include/firewall/tcp-flags.xml.i>
+<node name="time">
+  <properties>
+    <help>Time to match rule</help>
+  </properties>
+  <children>
+    <leafNode name="monthdays">
+      <properties>
+        <help>Monthdays to match rule on</help>
+      </properties>
+    </leafNode>
+    <leafNode name="startdate">
+      <properties>
+        <help>Date to start matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="starttime">
+      <properties>
+        <help>Time of day to start matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="stopdate">
+      <properties>
+        <help>Date to stop matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="stoptime">
+      <properties>
+        <help>Time of day to stop matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="utc">
+      <properties>
+        <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="weekdays">
+      <properties>
+        <help>Weekdays to match rule on</help>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/protocol-tcp-udp.xml.i b/interface-definitions/include/protocol-tcp-udp.xml.i
index d7e6752ad..c186c026a 100644
--- a/interface-definitions/include/protocol-tcp-udp.xml.i
+++ b/interface-definitions/include/protocol-tcp-udp.xml.i
@@ -1,22 +1,22 @@
-<!-- include start from snmp/protocol.xml.i -->

-<leafNode name="protocol">

-  <properties>

-    <help>Protocol to be used (TCP/UDP)</help>

-    <completionHelp>

-      <list>udp tcp</list>

-    </completionHelp>

-    <valueHelp>

-      <format>udp</format>

-      <description>Listen protocol UDP</description>

-    </valueHelp>

-    <valueHelp>

-      <format>tcp</format>

-      <description>Listen protocol TCP</description>

-    </valueHelp>

-    <constraint>

-      <regex>(udp|tcp)</regex>

-    </constraint>

-  </properties>

-  <defaultValue>udp</defaultValue>

-</leafNode>

-<!-- include end -->

+<!-- include start from snmp/protocol.xml.i -->
+<leafNode name="protocol">
+  <properties>
+    <help>Protocol to be used (TCP/UDP)</help>
+    <completionHelp>
+      <list>udp tcp</list>
+    </completionHelp>
+    <valueHelp>
+      <format>udp</format>
+      <description>Listen protocol UDP</description>
+    </valueHelp>
+    <valueHelp>
+      <format>tcp</format>
+      <description>Listen protocol TCP</description>
+    </valueHelp>
+    <constraint>
+      <regex>(udp|tcp)</regex>
+    </constraint>
+  </properties>
+  <defaultValue>udp</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
index efd418bb2..e454b9025 100644
--- a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
+++ b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
@@ -25,26 +25,26 @@
         #include <include/radius-server-auth-port.xml.i>
       </children>
     </tagNode>
-    <leafNode name="source-address">
+    #include <include/source-address-ipv4-ipv6-multi.xml.i>
+    <leafNode name="security-mode">
       <properties>
-        <help>Source IP address used to initiate connection</help>
+        <help>Security mode for RADIUS authentication</help>
         <completionHelp>
-          <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
+          <list>mandatory optional</list>
         </completionHelp>
         <valueHelp>
-          <format>ipv4</format>
-          <description>IPv4 source address</description>
+          <format>mandatory</format>
+          <description>Deny access immediately if RADIUS answers with Access-Reject</description>
         </valueHelp>
         <valueHelp>
-          <format>ipv6</format>
-          <description>IPv6 source address</description>
+          <format>optional</format>
+          <description>Pass to the next authentication method if RADIUS answers with Access-Reject</description>
         </valueHelp>
         <constraint>
-          <validator name="ipv4-address"/>
-          <validator name="ipv6-address"/>
+          <regex>(mandatory|optional)</regex>
         </constraint>
-        <multi/>
       </properties>
+      <defaultValue>optional</defaultValue>
     </leafNode>
   </children>
 </node>
diff --git a/interface-definitions/include/rip/interface.xml.i b/interface-definitions/include/rip/interface.xml.i
index 8007f0208..7c64d0708 100644
--- a/interface-definitions/include/rip/interface.xml.i
+++ b/interface-definitions/include/rip/interface.xml.i
@@ -19,12 +19,7 @@
         <help>Split horizon parameters</help>
       </properties>
       <children>
-        <leafNode name="disable">
-          <properties>
-            <help>Disable split horizon on specified interface</help>
-            <valueless/>
-          </properties>
-        </leafNode>
+        #include <include/generic-disable-node.xml.i>
         <leafNode name="poison-reverse">
           <properties>
             <help>Disable split horizon on specified interface</help>
diff --git a/interface-definitions/include/rip/version.xml.i b/interface-definitions/include/rip/version.xml.i
index a35350aee..61458b28e 100644
--- a/interface-definitions/include/rip/version.xml.i
+++ b/interface-definitions/include/rip/version.xml.i
@@ -1,18 +1,18 @@
-<!-- include start from rip/version.xml.i -->

-<leafNode name="version">

-  <properties>

-    <help>Limit RIP protocol version</help>

-    <valueHelp>

-      <format>1</format>

-      <description>Allow RIPv1 only</description>

-    </valueHelp>

-    <valueHelp>

-      <format>2</format>

-      <description>Allow RIPv2 only</description>

-    </valueHelp>

-    <constraint>

-      <validator name="numeric" argument="--range 1-2"/>

-    </constraint>

-  </properties>

-</leafNode>

-<!-- include end -->

+<!-- include start from rip/version.xml.i -->
+<leafNode name="version">
+  <properties>
+    <help>Limit RIP protocol version</help>
+    <valueHelp>
+      <format>1</format>
+      <description>Allow RIPv1 only</description>
+    </valueHelp>
+    <valueHelp>
+      <format>2</format>
+      <description>Allow RIPv2 only</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-2"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/route-map.xml.i b/interface-definitions/include/route-map.xml.i
index 019868373..e49c388d6 100644
--- a/interface-definitions/include/route-map.xml.i
+++ b/interface-definitions/include/route-map.xml.i
@@ -10,7 +10,7 @@
       <description>Route map name</description>
     </valueHelp>
     <constraint>
-      <regex>[-_a-zA-Z0-9.]+</regex>
+      #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
     </constraint>
     <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
   </properties>
diff --git a/interface-definitions/include/source-address-ipv4-ipv6-multi.xml.i b/interface-definitions/include/source-address-ipv4-ipv6-multi.xml.i
new file mode 100644
index 000000000..d56ca5be6
--- /dev/null
+++ b/interface-definitions/include/source-address-ipv4-ipv6-multi.xml.i
@@ -0,0 +1,22 @@
+<!-- include start from source-address-ipv4-ipv6-multi.xml.i -->
+<leafNode name="source-address">
+  <properties>
+    <help>Source IP address used to initiate connection</help>
+    <completionHelp>
+      <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
+    </completionHelp>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IPv4 source address</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv6</format>
+      <description>IPv6 source address</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ip-address"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/source-address-ipv4-multi.xml.i b/interface-definitions/include/source-address-ipv4-multi.xml.i
new file mode 100644
index 000000000..319a118f3
--- /dev/null
+++ b/interface-definitions/include/source-address-ipv4-multi.xml.i
@@ -0,0 +1,18 @@
+<!-- include start from source-address-ipv4-multi.xml.i -->
+<leafNode name="source-address">
+  <properties>
+    <help>IPv4 source address used to initiate connection</help>
+    <completionHelp>
+      <script>${vyos_completion_dir}/list_local_ips.sh --ipv4</script>
+    </completionHelp>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IPv4 source address</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv4-address"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/url-http-https.xml.i b/interface-definitions/include/url-http-https.xml.i
new file mode 100644
index 000000000..f763c2bb2
--- /dev/null
+++ b/interface-definitions/include/url-http-https.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from url-http-https.xml.i -->
+<leafNode name="url">
+  <properties>
+    <help>Remote URL</help>
+    <valueHelp>
+      <format>url</format>
+      <description>Remote HTTP(S) URL</description>
+    </valueHelp>
+    <constraint>
+      <validator name="url" argument="--scheme http --scheme https"/>
+    </constraint>
+    <constraintErrorMessage>Invalid HTTP(S) URL format</constraintErrorMessage>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/url.xml.i b/interface-definitions/include/url.xml.i
deleted file mode 100644
index caa6f67bd..000000000
--- a/interface-definitions/include/url.xml.i
+++ /dev/null
@@ -1,15 +0,0 @@
-<!-- include start from url.xml.i -->
-<leafNode name="url">
-  <properties>
-    <help>Remote URL</help>
-    <valueHelp>
-      <format>url</format>
-      <description>Remote URL</description>
-    </valueHelp>
-    <constraint>
-      <regex>^https?:\/\/?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*(\:[0-9]+)*(\/.*)?</regex>
-    </constraint>
-    <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
-  </properties>
-</leafNode>
-<!-- include end -->
diff --git a/interface-definitions/include/version/cluster-version.xml.i b/interface-definitions/include/version/cluster-version.xml.i
index 621996df4..402fe36c5 100644
--- a/interface-definitions/include/version/cluster-version.xml.i
+++ b/interface-definitions/include/version/cluster-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/cluster-version.xml.i -->
-<syntaxVersion component='cluster' version='1'></syntaxVersion>
+<syntaxVersion component='cluster' version='2'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/dns-dynamic-version.xml.i b/interface-definitions/include/version/dns-dynamic-version.xml.i
index b25fc6e76..773a6ab51 100644
--- a/interface-definitions/include/version/dns-dynamic-version.xml.i
+++ b/interface-definitions/include/version/dns-dynamic-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/dns-dynamic-version.xml.i -->
-<syntaxVersion component='dns-dynamic' version='1'></syntaxVersion>
+<syntaxVersion component='dns-dynamic' version='3'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i
index dd21bfaca..6702ee041 100644
--- a/interface-definitions/include/version/firewall-version.xml.i
+++ b/interface-definitions/include/version/firewall-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/firewall-version.xml.i -->
-<syntaxVersion component='firewall' version='11'></syntaxVersion>
+<syntaxVersion component='firewall' version='14'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/https-version.xml.i b/interface-definitions/include/version/https-version.xml.i
index 111076974..525314dbd 100644
--- a/interface-definitions/include/version/https-version.xml.i
+++ b/interface-definitions/include/version/https-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/https-version.xml.i -->
-<syntaxVersion component='https' version='4'></syntaxVersion>
+<syntaxVersion component='https' version='6'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/interfaces-version.xml.i b/interface-definitions/include/version/interfaces-version.xml.i
index 3d11ce888..f01fe1983 100644
--- a/interface-definitions/include/version/interfaces-version.xml.i
+++ b/interface-definitions/include/version/interfaces-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/interfaces-version.xml.i -->
-<syntaxVersion component='interfaces' version='30'></syntaxVersion>
-<!-- include end -->
+<syntaxVersion component='interfaces' version='32'></syntaxVersion>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/version/ipoe-server-version.xml.i b/interface-definitions/include/version/ipoe-server-version.xml.i
index 00d2544e6..e5983ab39 100644
--- a/interface-definitions/include/version/ipoe-server-version.xml.i
+++ b/interface-definitions/include/version/ipoe-server-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/ipoe-server-version.xml.i -->
-<syntaxVersion component='ipoe-server' version='1'></syntaxVersion>
+<syntaxVersion component='ipoe-server' version='2'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/l2tp-version.xml.i b/interface-definitions/include/version/l2tp-version.xml.i
index 86114d676..f4507d93b 100644
--- a/interface-definitions/include/version/l2tp-version.xml.i
+++ b/interface-definitions/include/version/l2tp-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/l2tp-version.xml.i -->
-<syntaxVersion component='l2tp' version='4'></syntaxVersion>
+<syntaxVersion component='l2tp' version='6'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/lldp-version.xml.i b/interface-definitions/include/version/lldp-version.xml.i
index 0deb73279..b41d80451 100644
--- a/interface-definitions/include/version/lldp-version.xml.i
+++ b/interface-definitions/include/version/lldp-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/lldp-version.xml.i -->
-<syntaxVersion component='lldp' version='1'></syntaxVersion>
+<syntaxVersion component='lldp' version='2'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/nat-version.xml.i b/interface-definitions/include/version/nat-version.xml.i
index 027216a07..656da6e14 100644
--- a/interface-definitions/include/version/nat-version.xml.i
+++ b/interface-definitions/include/version/nat-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/nat-version.xml.i -->
-<syntaxVersion component='nat' version='5'></syntaxVersion>
+<syntaxVersion component='nat' version='7'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/nat66-version.xml.i b/interface-definitions/include/version/nat66-version.xml.i
index 7b7123dcc..43a54c969 100644
--- a/interface-definitions/include/version/nat66-version.xml.i
+++ b/interface-definitions/include/version/nat66-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/nat66-version.xml.i -->
-<syntaxVersion component='nat66' version='1'></syntaxVersion>
+<syntaxVersion component='nat66' version='3'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/pim-version.xml.i b/interface-definitions/include/version/pim-version.xml.i
new file mode 100644
index 000000000..24cc38cdf
--- /dev/null
+++ b/interface-definitions/include/version/pim-version.xml.i
@@ -0,0 +1,3 @@
+<!-- include start from include/version/pim-version.xml.i -->
+<syntaxVersion component='pim' version='1'></syntaxVersion>
+<!-- include end -->
diff --git a/interface-definitions/include/version/policy-version.xml.i b/interface-definitions/include/version/policy-version.xml.i
index f1494eaa3..db727fea9 100644
--- a/interface-definitions/include/version/policy-version.xml.i
+++ b/interface-definitions/include/version/policy-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/policy-version.xml.i -->
-<syntaxVersion component='policy' version='5'></syntaxVersion>
+<syntaxVersion component='policy' version='8'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/pppoe-server-version.xml.i b/interface-definitions/include/version/pppoe-server-version.xml.i
index 6bdd8d75c..deed702f0 100644
--- a/interface-definitions/include/version/pppoe-server-version.xml.i
+++ b/interface-definitions/include/version/pppoe-server-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/pppoe-server-version.xml.i -->
-<syntaxVersion component='pppoe-server' version='6'></syntaxVersion>
+<syntaxVersion component='pppoe-server' version='7'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/pptp-version.xml.i b/interface-definitions/include/version/pptp-version.xml.i
index 0296c44e9..4386cedbd 100644
--- a/interface-definitions/include/version/pptp-version.xml.i
+++ b/interface-definitions/include/version/pptp-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/pptp-version.xml.i -->
-<syntaxVersion component='pptp' version='2'></syntaxVersion>
+<syntaxVersion component='pptp' version='3'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/sstp-version.xml.i b/interface-definitions/include/version/sstp-version.xml.i
index 79b43a3e7..3ac54a3de 100644
--- a/interface-definitions/include/version/sstp-version.xml.i
+++ b/interface-definitions/include/version/sstp-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/sstp-version.xml.i -->
-<syntaxVersion component='sstp' version='4'></syntaxVersion>
+<syntaxVersion component='sstp' version='5'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/system-version.xml.i b/interface-definitions/include/version/system-version.xml.i
index 73df8bd8e..fcb24abe2 100644
--- a/interface-definitions/include/version/system-version.xml.i
+++ b/interface-definitions/include/version/system-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/system-version.xml.i -->
-<syntaxVersion component='system' version='26'></syntaxVersion>
+<syntaxVersion component='system' version='27'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces_bonding.xml.in
index 427e04a54..62ee0bdc7 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces_bonding.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="bonding" owner="${vyos_conf_scripts_dir}/interfaces-bonding.py">
+      <tagNode name="bonding" owner="${vyos_conf_scripts_dir}/interfaces_bonding.py">
         <properties>
           <help>Bonding Interface/Link Aggregation</help>
           <priority>320</priority>
@@ -56,6 +56,60 @@
           #include <include/interface/disable.xml.i>
           #include <include/interface/vrf.xml.i>
           #include <include/interface/mirror.xml.i>
+          <node name="evpn">
+            <properties>
+              <help>EVPN Multihoming</help>
+            </properties>
+            <children>
+              <leafNode name="es-df-pref">
+                <properties>
+                  <help>Preference value used for designated forwarder (DF) election</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>DF Preference value</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-65535"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="es-id">
+                <properties>
+                  <help>Ethernet segment identifier</help>
+                  <valueHelp>
+                    <format>u32:1-16777215</format>
+                    <description>Local discriminator</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>txt</format>
+                    <description>10-byte ID - 00:11:22:33:44:55:AA:BB:CC:DD</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-65535"/>
+                    <regex>([0-9A-Fa-f][0-9A-Fa-f]:){9}[0-9A-Fa-f][0-9A-Fa-f]</regex>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="es-sys-mac">
+                <properties>
+                  <help>Ethernet segment system MAC</help>
+                  <valueHelp>
+                    <format>macaddr</format>
+                    <description>MAC address</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="mac-address"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="uplink">
+                <properties>
+                  <help>Uplink to the VXLAN core</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
           <leafNode name="hash-policy">
             <properties>
               <help>Bonding transmit hash policy</help>
diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces_bridge.xml.in
index fcfb8686c..d4d277cfc 100644
--- a/interface-definitions/interfaces-bridge.xml.in
+++ b/interface-definitions/interfaces_bridge.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="bridge" owner="${vyos_conf_scripts_dir}/interfaces-bridge.py">
+      <tagNode name="bridge" owner="${vyos_conf_scripts_dir}/interfaces_bridge.py">
         <properties>
           <help>Bridge Interface</help>
           <priority>310</priority>
@@ -123,6 +123,9 @@
                   <completionHelp>
                     <script>${vyos_completion_dir}/list_interfaces --bridgeable</script>
                   </completionHelp>
+                  <constraint>
+                    #include <include/constraint/interface-name.xml.i>
+                  </constraint>
                 </properties>
                 <children>
                   <leafNode name="native-vlan">
diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces_dummy.xml.in
index 00784fcdf..ef8ee78e7 100644
--- a/interface-definitions/interfaces-dummy.xml.in
+++ b/interface-definitions/interfaces_dummy.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="dummy" owner="${vyos_conf_scripts_dir}/interfaces-dummy.py">
+      <tagNode name="dummy" owner="${vyos_conf_scripts_dir}/interfaces_dummy.py">
         <properties>
           <help>Dummy Interface</help>
           <priority>300</priority>
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces_ethernet.xml.in
index 3669336fd..4e55bac7c 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces_ethernet.xml.in
@@ -5,7 +5,7 @@
       <help>Network interfaces</help>
     </properties>
     <children>
-      <tagNode name="ethernet" owner="${vyos_conf_scripts_dir}/interfaces-ethernet.py">
+      <tagNode name="ethernet" owner="${vyos_conf_scripts_dir}/interfaces_ethernet.py">
         <properties>
           <help>Ethernet Interface</help>
           <priority>318</priority>
@@ -80,6 +80,12 @@
                   <valueless/>
                 </properties>
               </leafNode>
+              <leafNode name="hw-tc-offload">
+                <properties>
+                  <help>Enable Hardware Flow Offload</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
               <leafNode name="lro">
                 <properties>
                   <help>Enable Large Receive Offload</help>
diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces_geneve.xml.in
index 29b563a09..c94113271 100644
--- a/interface-definitions/interfaces-geneve.xml.in
+++ b/interface-definitions/interfaces_geneve.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="geneve" owner="${vyos_conf_scripts_dir}/interfaces-geneve.py">
+      <tagNode name="geneve" owner="${vyos_conf_scripts_dir}/interfaces_geneve.py">
         <properties>
           <help>Generic Network Virtualization Encapsulation (GENEVE) Interface</help>
           <priority>460</priority>
diff --git a/interface-definitions/interfaces-input.xml.in b/interface-definitions/interfaces_input.xml.in
index d90cf936f..771c47e42 100644
--- a/interface-definitions/interfaces-input.xml.in
+++ b/interface-definitions/interfaces_input.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="input" owner="${vyos_conf_scripts_dir}/interfaces-input.py">
+      <tagNode name="input" owner="${vyos_conf_scripts_dir}/interfaces_input.py">
         <properties>
           <help>Input Functional Block (IFB) interface name</help>
           <!-- before real devices that redirect -->
diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces_l2tpv3.xml.in
index 1f0dd3d19..5f816c956 100644
--- a/interface-definitions/interfaces-l2tpv3.xml.in
+++ b/interface-definitions/interfaces_l2tpv3.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="l2tpv3" owner="${vyos_conf_scripts_dir}/interfaces-l2tpv3.py">
+      <tagNode name="l2tpv3" owner="${vyos_conf_scripts_dir}/interfaces_l2tpv3.py">
         <properties>
           <help>Layer 2 Tunnel Protocol Version 3 (L2TPv3) Interface</help>
           <priority>485</priority>
diff --git a/interface-definitions/interfaces-loopback.xml.in b/interface-definitions/interfaces_loopback.xml.in
index fe0944467..09b4a00cf 100644
--- a/interface-definitions/interfaces-loopback.xml.in
+++ b/interface-definitions/interfaces_loopback.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="loopback" owner="${vyos_conf_scripts_dir}/interfaces-loopback.py">
+      <tagNode name="loopback" owner="${vyos_conf_scripts_dir}/interfaces_loopback.py">
         <properties>
           <help>Loopback Interface</help>
           <priority>300</priority>
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces_macsec.xml.in
index 766b0bede..d825f8262 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces_macsec.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="macsec" owner="${vyos_conf_scripts_dir}/interfaces-macsec.py">
+      <tagNode name="macsec" owner="${vyos_conf_scripts_dir}/interfaces_macsec.py">
         <properties>
           <help>MACsec Interface (802.1ae)</help>
           <priority>461</priority>
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces_openvpn.xml.in
index 831659250..f7e8f8b9f 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces_openvpn.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="openvpn" owner="${vyos_conf_scripts_dir}/interfaces-openvpn.py">
+      <tagNode name="openvpn" owner="${vyos_conf_scripts_dir}/interfaces_openvpn.py">
         <properties>
           <help>OpenVPN Tunnel Interface</help>
           <priority>460</priority>
@@ -736,14 +736,7 @@
               </leafNode>
               #include <include/pki/certificate.xml.i>
               #include <include/pki/ca-certificate-multi.xml.i>
-              <leafNode name="dh-params">
-                <properties>
-                  <help>Diffie Hellman parameters (server only)</help>
-                  <completionHelp>
-                    <path>pki dh</path>
-                  </completionHelp>
-                </properties>
-              </leafNode>
+              #include <include/pki/dh-params.xml.i>
               <leafNode name="crypt-key">
                 <properties>
                   <help>Static key to use to authenticate control channel</help>
diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces_pppoe.xml.in
index b78f92c85..56660bc15 100644
--- a/interface-definitions/interfaces-pppoe.xml.in
+++ b/interface-definitions/interfaces_pppoe.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="pppoe" owner="${vyos_conf_scripts_dir}/interfaces-pppoe.py">
+      <tagNode name="pppoe" owner="${vyos_conf_scripts_dir}/interfaces_pppoe.py">
         <properties>
           <help>Point-to-Point Protocol over Ethernet (PPPoE) Interface</help>
           <priority>322</priority>
@@ -109,6 +109,19 @@
           <leafNode name="mtu">
             <defaultValue>1492</defaultValue>
           </leafNode>
+          <leafNode name="mru">
+            <properties>
+              <help>Maximum Receive Unit (MRU) (default: MTU value)</help>
+              <valueHelp>
+                <format>u32:128-16384</format>
+                <description>Maximum Receive Unit in byte</description>
+              </valueHelp>
+              <constraint>
+                <validator name="numeric" argument="--range 128-16384"/>
+              </constraint>
+              <constraintErrorMessage>MRU must be between 128 and 16384</constraintErrorMessage>
+            </properties>
+          </leafNode>
           #include <include/interface/no-peer-dns.xml.i>
           <leafNode name="remote-address">
             <properties>
diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces_pseudo-ethernet.xml.in
index 5c73825c3..031af3563 100644
--- a/interface-definitions/interfaces-pseudo-ethernet.xml.in
+++ b/interface-definitions/interfaces_pseudo-ethernet.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="pseudo-ethernet" owner="${vyos_conf_scripts_dir}/interfaces-pseudo-ethernet.py">
+      <tagNode name="pseudo-ethernet" owner="${vyos_conf_scripts_dir}/interfaces_pseudo-ethernet.py">
         <properties>
           <help>Pseudo Ethernet Interface (Macvlan)</help>
           <priority>321</priority>
diff --git a/interface-definitions/interfaces-sstpc.xml.in b/interface-definitions/interfaces_sstpc.xml.in
index b569e9bde..b7c49446f 100644
--- a/interface-definitions/interfaces-sstpc.xml.in
+++ b/interface-definitions/interfaces_sstpc.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="sstpc" owner="${vyos_conf_scripts_dir}/interfaces-sstpc.py">
+      <tagNode name="sstpc" owner="${vyos_conf_scripts_dir}/interfaces_sstpc.py">
         <properties>
           <help>Secure Socket Tunneling Protocol (SSTP) client Interface</help>
           <priority>460</priority>
diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces_tunnel.xml.in
index 58f95dddb..99d9b34c6 100644
--- a/interface-definitions/interfaces-tunnel.xml.in
+++ b/interface-definitions/interfaces_tunnel.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="tunnel" owner="${vyos_conf_scripts_dir}/interfaces-tunnel.py">
+      <tagNode name="tunnel" owner="${vyos_conf_scripts_dir}/interfaces_tunnel.py">
         <properties>
           <help>Tunnel interface</help>
           <priority>380</priority>
diff --git a/interface-definitions/interfaces-virtual-ethernet.xml.in b/interface-definitions/interfaces_virtual-ethernet.xml.in
index 1daa764d4..fc1b319b5 100644
--- a/interface-definitions/interfaces-virtual-ethernet.xml.in
+++ b/interface-definitions/interfaces_virtual-ethernet.xml.in
@@ -2,14 +2,14 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="virtual-ethernet" owner="${vyos_conf_scripts_dir}/interfaces-virtual-ethernet.py">
+      <tagNode name="virtual-ethernet" owner="${vyos_conf_scripts_dir}/interfaces_virtual-ethernet.py">
         <properties>
           <help>Virtual Ethernet (veth) Interface</help>
           <priority>300</priority>
           <constraint>
             <regex>veth[0-9]+</regex>
           </constraint>
-          <constraintErrorMessage>Virutal Ethernet interface must be named vethN</constraintErrorMessage>
+          <constraintErrorMessage>Virtual Ethernet interface must be named vethN</constraintErrorMessage>
           <valueHelp>
             <format>vethN</format>
             <description>Virtual Ethernet interface name</description>
diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces_vti.xml.in
index b116f7386..158d9afd0 100644
--- a/interface-definitions/interfaces-vti.xml.in
+++ b/interface-definitions/interfaces_vti.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="vti" owner="${vyos_conf_scripts_dir}/interfaces-vti.py">
+      <tagNode name="vti" owner="${vyos_conf_scripts_dir}/interfaces_vti.py">
         <properties>
           <help>Virtual Tunnel Interface (XFRM)</help>
           <priority>381</priority>
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces_vxlan.xml.in
index fb60c93d0..504c08e7e 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces_vxlan.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="vxlan" owner="${vyos_conf_scripts_dir}/interfaces-vxlan.py">
+      <tagNode name="vxlan" owner="${vyos_conf_scripts_dir}/interfaces_vxlan.py">
         <properties>
           <help>Virtual Extensible LAN (VXLAN) Interface</help>
           <priority>460</priority>
@@ -19,12 +19,6 @@
           #include <include/interface/address-ipv4-ipv6.xml.i>
           #include <include/generic-description.xml.i>
           #include <include/interface/disable.xml.i>
-          <leafNode name="external">
-            <properties>
-              <help>Use external control plane</help>
-              <valueless/>
-            </properties>
-          </leafNode>
           <leafNode name="gpe">
             <properties>
               <help>Enable Generic Protocol extension (VXLAN-GPE)</help>
@@ -54,9 +48,6 @@
           #include <include/interface/mac.xml.i>
           #include <include/interface/mtu-1200-16000.xml.i>
           #include <include/interface/mirror.xml.i>
-          <leafNode name="mtu">
-            <defaultValue>1450</defaultValue>
-          </leafNode>
           <node name="parameters">
             <properties>
               <help>VXLAN tunnel parameters</help>
@@ -83,17 +74,35 @@
                   #include <include/interface/parameters-flowlabel.xml.i>
                 </children>
               </node>
+              <leafNode name="external">
+                <properties>
+                  <help>Use external control plane</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
               <leafNode name="nolearning">
                 <properties>
                   <help>Do not add unknown addresses into forwarding database</help>
                   <valueless/>
                 </properties>
               </leafNode>
+              <leafNode name="neighbor-suppress">
+                <properties>
+                  <help>Enable neighbor discovery (ARP and ND) suppression</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+              <leafNode name="vni-filter">
+                <properties>
+                  <help>Enable VNI filter support</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
             </children>
           </node>
           #include <include/port-number.xml.i>
           <leafNode name="port">
-            <defaultValue>8472</defaultValue>
+            <defaultValue>4789</defaultValue>
           </leafNode>
           #include <include/source-address-ipv4-ipv6.xml.i>
           #include <include/source-interface.xml.i>
@@ -101,6 +110,22 @@
           #include <include/interface/redirect.xml.i>
           #include <include/interface/vrf.xml.i>
           #include <include/vni.xml.i>
+          <tagNode name="vlan-to-vni">
+            <properties>
+              <help>Configuring VLAN-to-VNI mappings for EVPN-VXLAN</help>
+              <valueHelp>
+                <format>u32:0-4094</format>
+                <description>Virtual Local Area Network (VLAN) ID</description>
+              </valueHelp>
+              <constraint>
+                <validator name="numeric" argument="--range 0-4094"/>
+              </constraint>
+              <constraintErrorMessage>VLAN ID must be between 0 and 4094</constraintErrorMessage>
+            </properties>
+            <children>
+              #include <include/vni.xml.i>
+            </children>
+            </tagNode>
         </children>
       </tagNode>
     </children>
diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces_wireguard.xml.in
index 3c79cef28..fba1064ef 100644
--- a/interface-definitions/interfaces-wireguard.xml.in
+++ b/interface-definitions/interfaces_wireguard.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="wireguard" owner="${vyos_conf_scripts_dir}/interfaces-wireguard.py">
+      <tagNode name="wireguard" owner="${vyos_conf_scripts_dir}/interfaces_wireguard.py">
         <properties>
           <help>WireGuard Interface</help>
           <priority>379</priority>
@@ -44,9 +44,9 @@
             <properties>
               <help>Base64 encoded private key</help>
               <constraint>
-                <regex>[0-9a-zA-Z\+/]{43}=</regex>
+                <validator name="base64"/>
               </constraint>
-              <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage>
+              <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
             </properties>
           </leafNode>
           <tagNode name="peer">
@@ -64,18 +64,18 @@
                 <properties>
                   <help>base64 encoded public key</help>
                   <constraint>
-                    <regex>[0-9a-zA-Z\+/]{43}=</regex>
+                    <validator name="base64"/>
                   </constraint>
-                  <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage>
+                  <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
                 </properties>
               </leafNode>
               <leafNode name="preshared-key">
                 <properties>
                   <help>base64 encoded preshared key</help>
                   <constraint>
-                    <regex>[0-9a-zA-Z\+/]{43}=</regex>
+                    <validator name="base64"/>
                   </constraint>
-                  <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage>
+                  <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
                 </properties>
               </leafNode>
               <leafNode name="allowed-ips">
diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces_wireless.xml.in
index 88b858c07..b5da0a556 100644
--- a/interface-definitions/interfaces-wireless.xml.in
+++ b/interface-definitions/interfaces_wireless.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="wireless" owner="${vyos_conf_scripts_dir}/interfaces-wireless.py">
+      <tagNode name="wireless" owner="${vyos_conf_scripts_dir}/interfaces_wireless.py">
         <properties>
           <help>Wireless (WiFi/WLAN) Network Interface</help>
           <priority>318</priority>
diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces_wwan.xml.in
index 5fa3be8db..1580c3bcb 100644
--- a/interface-definitions/interfaces-wwan.xml.in
+++ b/interface-definitions/interfaces_wwan.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="interfaces">
     <children>
-      <tagNode name="wwan" owner="${vyos_conf_scripts_dir}/interfaces-wwan.py">
+      <tagNode name="wwan" owner="${vyos_conf_scripts_dir}/interfaces_wwan.py">
         <properties>
           <help>Wireless Modem (WWAN) Interface</help>
           <priority>350</priority>
diff --git a/interface-definitions/load-balancing-haproxy.xml.in b/interface-definitions/load-balancing_reverse-proxy.xml.in
index f955a2fb7..2c2742dff 100644
--- a/interface-definitions/load-balancing-haproxy.xml.in
+++ b/interface-definitions/load-balancing_reverse-proxy.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="load-balancing">
     <children>
-      <node name="reverse-proxy" owner="${vyos_conf_scripts_dir}/load-balancing-haproxy.py">
+      <node name="reverse-proxy" owner="${vyos_conf_scripts_dir}/load-balancing_reverse-proxy.py">
         <properties>
           <help>Configure reverse-proxy</help>
         </properties>
@@ -49,7 +49,7 @@
                   <help>SSL Certificate, SSL Key and CA</help>
                 </properties>
                 <children>
-                  #include <include/pki/certificate.xml.i>
+                  #include <include/pki/certificate-multi.xml.i>
                 </children>
               </node>
             </children>
@@ -124,6 +124,12 @@
                       </constraint>
                     </properties>
                   </leafNode>
+                  <leafNode name="backup">
+                    <properties>
+                      <help>Use backup server if other servers are not available</help>
+                      <valueless/>
+                    </properties>
+                  </leafNode>
                   <leafNode name="check">
                     <properties>
                       <help>Active health check backend server</help>
diff --git a/interface-definitions/load-balancing-wan.xml.in b/interface-definitions/load-balancing_wan.xml.in
index c12cab22a..e117fd1b2 100644
--- a/interface-definitions/load-balancing-wan.xml.in
+++ b/interface-definitions/load-balancing_wan.xml.in
@@ -6,7 +6,7 @@
       <priority>900</priority>
     </properties>
     <children>
-      <node name="wan" owner="${vyos_conf_scripts_dir}/load-balancing-wan.py">
+      <node name="wan" owner="${vyos_conf_scripts_dir}/load-balancing_wan.py">
         <properties>
           <help>Configure Wide Area Network (WAN) load-balancing</help>
         </properties>
diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in
index a06ceefb6..0a639bd80 100644
--- a/interface-definitions/nat.xml.in
+++ b/interface-definitions/nat.xml.in
@@ -14,7 +14,7 @@
           #include <include/nat-rule.xml.i>
           <tagNode name="rule">
             <children>
-              #include <include/inbound-interface.xml.i>
+              #include <include/firewall/inbound-interface.xml.i>
               <node name="translation">
                 <properties>
                   <help>Inside NAT IP (destination NAT only)</help>
@@ -77,7 +77,7 @@
               <constraintErrorMessage>NAT rule number must be between 1 and 999999</constraintErrorMessage>
             </properties>
             <children>
-              #include <include/nat-interface.xml.i>
+              #include <include/firewall/outbound-interface.xml.i>
               <node name="translation">
                 <properties>
                   <help>Outside NAT IP (source NAT only)</help>
diff --git a/interface-definitions/nat64.xml.in b/interface-definitions/nat64.xml.in
new file mode 100644
index 000000000..dfdd295d2
--- /dev/null
+++ b/interface-definitions/nat64.xml.in
@@ -0,0 +1,116 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="nat64" owner="${vyos_conf_scripts_dir}/nat64.py">
+    <properties>
+      <help>IPv6-to-IPv4 Network Address Translation (NAT64) Settings</help>
+      <priority>501</priority>
+    </properties>
+    <children>
+      <node name="source">
+        <properties>
+          <help>IPv6 source to IPv4 destination address translation</help>
+        </properties>
+        <children>
+          <tagNode name="rule">
+            <properties>
+              <help>Source NAT64 rule number</help>
+              <valueHelp>
+                <format>u32:1-999999</format>
+                <description>Number for this rule</description>
+              </valueHelp>
+              <constraint>
+                <validator name="numeric" argument="--range 1-999999"/>
+              </constraint>
+              <constraintErrorMessage>NAT64 rule number must be between 1 and 999999</constraintErrorMessage>
+            </properties>
+            <children>
+              #include <include/generic-description.xml.i>
+              #include <include/generic-disable-node.xml.i>
+              <node name="match">
+                <properties>
+                  <help>Match</help>
+                </properties>
+                <children>
+                  <leafNode name="mark">
+                    <properties>
+                      <help>Match fwmark value</help>
+                      <valueHelp>
+                        <format>u32:1-2147483647</format>
+                        <description>Fwmark value to match against</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-2147483647"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <node name="source">
+                <properties>
+                  <help>IPv6 source prefix options</help>
+                </properties>
+                <children>
+                  <leafNode name="prefix">
+                    <properties>
+                      <help>IPv6 prefix to be translated</help>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>IPv6 prefix</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv6-prefix"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <node name="translation">
+                <properties>
+                  <help>Translated IPv4 address options</help>
+                </properties>
+                <children>
+                  <tagNode name="pool">
+                    <properties>
+                      <help>Translation IPv4 pool number</help>
+                      <valueHelp>
+                        <format>u32:1-999999</format>
+                        <description>Number for this rule</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-999999"/>
+                      </constraint>
+                      <constraintErrorMessage>NAT64 pool number must be between 1 and 999999</constraintErrorMessage>
+                    </properties>
+                    <children>
+                      #include <include/generic-description.xml.i>
+                      #include <include/generic-disable-node.xml.i>
+                      #include <include/nat-translation-port.xml.i>
+                      #include <include/nat64/protocol.xml.i>
+                      <leafNode name="address">
+                        <properties>
+                          <help>IPv4 address or prefix to translate to</help>
+                          <valueHelp>
+                            <format>ipv4</format>
+                            <description>IPv4 address</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>ipv4net</format>
+                            <description>IPv4 prefix</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="ipv4-address"/>
+                            <validator name="ipv4-prefix"/>
+                          </constraint>
+                        </properties>
+                      </leafNode>
+                    </children>
+                  </tagNode>
+                </children>
+              </node>
+            </children>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in
index 7a8970bdf..1518de8bd 100644
--- a/interface-definitions/nat66.xml.in
+++ b/interface-definitions/nat66.xml.in
@@ -25,27 +25,10 @@
             </properties>
             <children>
               #include <include/generic-description.xml.i>
-              <leafNode name="disable">
-                <properties>
-                  <help>Disable NAT66 rule</help>
-                  <valueless/>
-                </properties>
-              </leafNode>
+              #include <include/generic-disable-node.xml.i>
               #include <include/nat-exclude.xml.i>
-              <leafNode name="log">
-                <properties>
-                  <help>NAT66 rule logging</help>
-                  <valueless/>
-                </properties>
-              </leafNode>
-              <leafNode name="outbound-interface">
-                <properties>
-                  <help>Outbound interface of NAT66 traffic</help>
-                  <completionHelp>
-                    <script>${vyos_completion_dir}/list_interfaces</script>
-                  </completionHelp>
-                </properties>
-              </leafNode>
+              #include <include/firewall/log.xml.i>
+              #include <include/firewall/outbound-interface-no-group.xml.i>
               #include <include/nat/protocol.xml.i>
               <node name="destination">
                 <properties>
@@ -153,12 +136,7 @@
             </properties>
             <children>
               #include <include/generic-description.xml.i>
-              <leafNode name="disable">
-                <properties>
-                  <help>Disable NAT66 rule</help>
-                  <valueless/>
-                </properties>
-              </leafNode>
+              #include <include/generic-disable-node.xml.i>
               #include <include/nat-exclude.xml.i>
               <leafNode name="log">
                 <properties>
@@ -166,15 +144,7 @@
                   <valueless/>
                 </properties>
               </leafNode>
-              <leafNode name="inbound-interface">
-                <properties>
-                  <help>Inbound interface of NAT66 traffic</help>
-                  <completionHelp>
-                    <list>any</list>
-                    <script>${vyos_completion_dir}/list_interfaces</script>
-                  </completionHelp>
-                </properties>
-              </leafNode>
+              #include <include/firewall/inbound-interface-no-group.xml.i>
               #include <include/nat/protocol.xml.i>
               <node name="destination">
                 <properties>
diff --git a/interface-definitions/netns.xml.in b/interface-definitions/netns.xml.in
index 5d958968f..d5026bfae 100644
--- a/interface-definitions/netns.xml.in
+++ b/interface-definitions/netns.xml.in
@@ -3,7 +3,7 @@
   <node name="netns" owner="${vyos_conf_scripts_dir}/netns.py">
     <properties>
       <help>Network namespace</help>
-      <priority>291</priority>
+      <priority>10</priority>
     </properties>
     <children>
       <tagNode name="name">
diff --git a/interface-definitions/pki.xml.in b/interface-definitions/pki.xml.in
index a13a357fd..0ed199539 100644
--- a/interface-definitions/pki.xml.in
+++ b/interface-definitions/pki.xml.in
@@ -9,11 +9,18 @@
       <tagNode name="ca">
         <properties>
           <help>Certificate Authority</help>
+          <constraint>
+            #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
+          </constraint>
         </properties>
         <children>
           <leafNode name="certificate">
             <properties>
               <help>CA certificate in PEM format</help>
+              <constraint>
+                <validator name="base64"/>
+              </constraint>
+              <constraintErrorMessage>CA certificate is not base64-encoded</constraintErrorMessage>
             </properties>
           </leafNode>
           #include <include/generic-description.xml.i>
@@ -25,6 +32,10 @@
               <leafNode name="key">
                 <properties>
                   <help>CA private key in PEM format</help>
+                  <constraint>
+                    <validator name="base64"/>
+                  </constraint>
+                  <constraintErrorMessage>CA private key is not base64-encoded</constraintErrorMessage>
                 </properties>
               </leafNode>
               <leafNode name="password-protected">
@@ -38,6 +49,10 @@
           <leafNode name="crl">
             <properties>
               <help>Certificate revocation list in PEM format</help>
+              <constraint>
+                <validator name="base64"/>
+              </constraint>
+              <constraintErrorMessage>CRL is not base64-encoded</constraintErrorMessage>
               <multi/>
             </properties>
           </leafNode>
@@ -52,13 +67,74 @@
       <tagNode name="certificate">
         <properties>
           <help>Certificate</help>
+          <constraint>
+            #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
+          </constraint>
         </properties>
         <children>
           <leafNode name="certificate">
             <properties>
               <help>Certificate in PEM format</help>
+              <constraint>
+                <validator name="base64"/>
+              </constraint>
+              <constraintErrorMessage>Certificate is not base64-encoded</constraintErrorMessage>
             </properties>
           </leafNode>
+          <node name="acme">
+            <properties>
+              <help>Automatic Certificate Management Environment (ACME) request</help>
+            </properties>
+            <children>
+              #include <include/url-http-https.xml.i>
+              <leafNode name="url">
+                <defaultValue>https://acme-v02.api.letsencrypt.org/directory</defaultValue>
+              </leafNode>
+              <leafNode name="domain-name">
+                <properties>
+                  <help>Domain Name</help>
+                  <constraint>
+                    <validator name="fqdn"/>
+                  </constraint>
+                  <constraintErrorMessage>Invalid domain name (RFC 1123 section 2).\nMay only contain letters, numbers and .-_</constraintErrorMessage>
+                  <multi/>
+                </properties>
+              </leafNode>
+              <leafNode name="email">
+                <properties>
+                  <help>Email address to associate with certificate</help>
+                  <constraint>
+                    #include <include/constraint/email.xml.i>
+                  </constraint>
+                </properties>
+              </leafNode>
+              #include <include/listen-address-ipv4-single.xml.i>
+              <leafNode name="rsa-key-size">
+                <properties>
+                  <help>Size of the RSA key</help>
+                  <completionHelp>
+                    <list>2048 3072 4096</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>2048</format>
+                    <description>RSA key length 2048 bit</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>3072</format>
+                    <description>RSA key length 3072 bit</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>4096</format>
+                    <description>RSA key length 4096 bit</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(2048|3072|4096)</regex>
+                  </constraint>
+                </properties>
+                <defaultValue>2048</defaultValue>
+              </leafNode>
+            </children>
+          </node>
           #include <include/generic-description.xml.i>
           <node name="private">
             <properties>
@@ -68,6 +144,10 @@
               <leafNode name="key">
                 <properties>
                   <help>Certificate private key in PEM format</help>
+                  <constraint>
+                    <validator name="base64"/>
+                  </constraint>
+                  <constraintErrorMessage>Certificate private key is not base64-encoded</constraintErrorMessage>
                 </properties>
               </leafNode>
               <leafNode name="password-protected">
@@ -89,11 +169,18 @@
       <tagNode name="dh">
         <properties>
           <help>Diffie-Hellman parameters</help>
+          <constraint>
+            #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
+          </constraint>
         </properties>
         <children>
           <leafNode name="parameters">
             <properties>
               <help>DH parameters in PEM format</help>
+              <constraint>
+                <validator name="base64"/>
+              </constraint>
+              <constraintErrorMessage>DH parameters are not base64-encoded</constraintErrorMessage>
             </properties>
           </leafNode>
         </children>
@@ -111,6 +198,10 @@
               <leafNode name="key">
                 <properties>
                   <help>Public key in PEM format</help>
+                  <constraint>
+                    <validator name="base64"/>
+                  </constraint>
+                  <constraintErrorMessage>Public key is not base64-encoded</constraintErrorMessage>
                 </properties>
               </leafNode>
             </children>
@@ -123,6 +214,10 @@
               <leafNode name="key">
                 <properties>
                   <help>Private key in PEM format</help>
+                  <constraint>
+                    <validator name="base64"/>
+                  </constraint>
+                  <constraintErrorMessage>Private key is not base64-encoded</constraintErrorMessage>
                 </properties>
               </leafNode>
               <leafNode name="password-protected">
diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in
index c470cfdb3..0d82cd3f8 100644
--- a/interface-definitions/policy.xml.in
+++ b/interface-definitions/policy.xml.in
@@ -476,7 +476,7 @@
             <description>Route map name</description>
           </valueHelp>
           <constraint>
-            <regex>[-_a-zA-Z0-9.]+</regex>
+            #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
           </constraint>
           <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
         </properties>
@@ -1446,9 +1446,18 @@
                         <format>u32:0-4294967295</format>
                         <description>Metric value</description>
                       </valueHelp>
+                      <valueHelp>
+                        <format>&lt;+/-rtt&gt;</format>
+                        <description>Add or subtract round trip time</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>&lt;rtt&gt;</format>
+                        <description>Round trip time</description>
+                      </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--relative --"/>
                         <validator name="numeric" argument="--range 0-4294967295"/>
+                        <regex>^[+|-]?rtt$</regex>
                       </constraint>
                     </properties>
                   </leafNode>
diff --git a/interface-definitions/policy-local-route.xml.in b/interface-definitions/policy_local-route.xml.in
index 8619e839e..7a019154a 100644
--- a/interface-definitions/policy-local-route.xml.in
+++ b/interface-definitions/policy_local-route.xml.in
@@ -3,7 +3,7 @@
 <interfaceDefinition>
   <node name="policy">
     <children>
-      <node name="local-route" owner="${vyos_conf_scripts_dir}/policy-local-route.py">
+      <node name="local-route" owner="${vyos_conf_scripts_dir}/policy_local-route.py">
         <properties>
           <help>IPv4 policy route of local traffic</help>
           <priority>500</priority>
@@ -53,48 +53,31 @@
                   </constraint>
                 </properties>
               </leafNode>
-              <leafNode name="source">
+              #include <include/policy/local-route_rule_protocol.xml.i>
+              <node name="source">
                 <properties>
-                  <help>Source address or prefix</help>
-                  <valueHelp>
-                    <format>ipv4</format>
-                    <description>Address to match against</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>ipv4net</format>
-                    <description>Prefix to match against</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="ipv4-address"/>
-                    <validator name="ip-prefix"/>
-                  </constraint>
-                  <multi/>
+                  <help>Source parameters</help>
                 </properties>
-              </leafNode>
-              <leafNode name="destination">
+                <children>
+                  #include <include/policy/local-route_rule_ipv4_address.xml.i>
+                  #include <include/port-number.xml.i>
+                </children>
+              </node>
+              <node name="destination">
                 <properties>
-                  <help>Destination address or prefix</help>
-                  <valueHelp>
-                    <format>ipv4</format>
-                    <description>Address to match against</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>ipv4net</format>
-                    <description>Prefix to match against</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="ipv4-address"/>
-                    <validator name="ip-prefix"/>
-                  </constraint>
-                  <multi/>
+                  <help>Destination parameters</help>
                 </properties>
-              </leafNode>
+                <children>
+                  #include <include/policy/local-route_rule_ipv4_address.xml.i>
+                  #include <include/port-number.xml.i>
+                </children>
+              </node>
               #include <include/interface/inbound-interface.xml.i>
             </children>
           </tagNode>
         </children>
       </node>
-      <node name="local-route6" owner="${vyos_conf_scripts_dir}/policy-local-route.py">
+      <node name="local-route6" owner="${vyos_conf_scripts_dir}/policy_local-route.py">
         <properties>
           <help>IPv6 policy route of local traffic</help>
           <priority>500</priority>
@@ -144,42 +127,25 @@
                   </constraint>
                 </properties>
               </leafNode>
-              <leafNode name="source">
+              #include <include/policy/local-route_rule_protocol.xml.i>
+              <node name="source">
                 <properties>
-                  <help>Source address or prefix</help>
-                  <valueHelp>
-                    <format>ipv6</format>
-                    <description>Address to match against</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>ipv6net</format>
-                    <description>Prefix to match against</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="ipv6-address"/>
-                    <validator name="ipv6-prefix"/>
-                  </constraint>
-                  <multi/>
+                  <help>Source parameters</help>
                 </properties>
-              </leafNode>
-              <leafNode name="destination">
+                <children>
+                  #include <include/policy/local-route_rule_ipv6_address.xml.i>
+                  #include <include/port-number.xml.i>
+                </children>
+              </node>
+              <node name="destination">
                 <properties>
-                  <help>Destination address or prefix</help>
-                  <valueHelp>
-                    <format>ipv6</format>
-                    <description>Address to match against</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>ipv6net</format>
-                    <description>Prefix to match against</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="ipv6-address"/>
-                    <validator name="ipv6-prefix"/>
-                  </constraint>
-                  <multi/>
+                  <help>Destination parameters</help>
                 </properties>
-              </leafNode>
+                <children>
+                  #include <include/policy/local-route_rule_ipv6_address.xml.i>
+                  #include <include/port-number.xml.i>
+                </children>
+              </node>
               #include <include/interface/inbound-interface.xml.i>
             </children>
           </tagNode>
diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy_route.xml.in
index d4ec75786..9cc22540b 100644
--- a/interface-definitions/policy-route.xml.in
+++ b/interface-definitions/policy_route.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="policy">
     <children>
-      <tagNode name="route6" owner="${vyos_conf_scripts_dir}/policy-route.py">
+      <tagNode name="route6" owner="${vyos_conf_scripts_dir}/policy_route.py">
         <properties>
           <help>Policy route rule set name for IPv6</help>
           <constraint>
@@ -12,7 +12,7 @@
         </properties>
         <children>
           #include <include/generic-description.xml.i>
-          #include <include/firewall/enable-default-log.xml.i>
+          #include <include/firewall/default-log.xml.i>
           #include <include/generic-interface-multi-wildcard.xml.i>
           <tagNode name="rule">
             <properties>
@@ -57,7 +57,7 @@
           </tagNode>
         </children>
       </tagNode>
-      <tagNode name="route" owner="${vyos_conf_scripts_dir}/policy-route.py">
+      <tagNode name="route" owner="${vyos_conf_scripts_dir}/policy_route.py">
         <properties>
           <help>Policy route rule set name for IPv4</help>
           <constraint>
@@ -67,7 +67,7 @@
         </properties>
         <children>
           #include <include/generic-description.xml.i>
-          #include <include/firewall/enable-default-log.xml.i>
+          #include <include/firewall/default-log.xml.i>
           #include <include/generic-interface-multi-wildcard.xml.i>
           <tagNode name="rule">
             <properties>
diff --git a/interface-definitions/protocols-igmp.xml.in b/interface-definitions/protocols-igmp.xml.in
deleted file mode 100644
index a055db71e..000000000
--- a/interface-definitions/protocols-igmp.xml.in
+++ /dev/null
@@ -1,95 +0,0 @@
-<?xml version="1.0"?>
-<!-- Internet Group Management Protocol (IGMP) configuration -->
-<interfaceDefinition>
-  <node name="protocols">
-    <children>
-      <node name="igmp" owner="${vyos_conf_scripts_dir}/protocols_igmp.py">
-        <properties>
-          <help>Internet Group Management Protocol (IGMP)</help>
-        </properties>
-        <children>
-          <tagNode name="interface">
-            <properties>
-              <help>IGMP interface</help>
-              <completionHelp>
-                <script>${vyos_completion_dir}/list_interfaces</script>
-              </completionHelp>
-            </properties>
-            <children>
-              <tagNode name="join">
-                <properties>
-                  <help>IGMP join multicast group</help>
-                  <valueHelp>
-                    <format>ipv4</format>
-                    <description>Multicast group address</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="ipv4-address"/>
-                  </constraint>
-                </properties>
-                <children>
-                  <leafNode name="source">
-                    <properties>
-                      <help>Source address</help>
-                      <valueHelp>
-                        <format>ipv4</format>
-                        <description>Source address</description>
-                      </valueHelp>
-                      <constraint>
-                        <validator name="ipv4-address"/>
-                      </constraint>
-                      <multi/>
-                    </properties>
-                  </leafNode>
-                </children>
-              </tagNode>
-              <leafNode name="version">
-                <properties>
-                  <help>IGMP version</help>
-                  <completionHelp>
-                    <list>2 3</list>
-                  </completionHelp>
-                  <valueHelp>
-                    <format>2</format>
-                    <description>IGMP version 2</description>
-                  </valueHelp>
-                 <valueHelp>
-                    <format>3</format>
-                    <description>IGMP version 3</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 2-3"/>
-                  </constraint>
-                </properties>
-              </leafNode>
-              <leafNode name="query-interval">
-                <properties>
-                  <help>IGMP host query interval</help>
-                  <valueHelp>
-                    <format>u32:1-1800</format>
-                    <description>Query interval in seconds</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 1-1800"/>
-                  </constraint>
-                </properties>
-              </leafNode>
-              <leafNode name="query-max-response-time">
-                <properties>
-                  <help>IGMP max query response time</help>
-                  <valueHelp>
-                    <format>u32:10-250</format>
-                    <description>Query response value in deci-seconds</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 10-250"/>
-                  </constraint>
-                </properties>
-              </leafNode>
-            </children>
-          </tagNode>
-        </children>
-      </node>
-    </children>
-  </node>
-</interfaceDefinition>
diff --git a/interface-definitions/protocols-pim.xml.in b/interface-definitions/protocols-pim.xml.in
deleted file mode 100644
index e9475930c..000000000
--- a/interface-definitions/protocols-pim.xml.in
+++ /dev/null
@@ -1,96 +0,0 @@
-<?xml version="1.0"?>
-<!-- Protocol Independent Multicast (PIM) configuration -->
-<interfaceDefinition>
-  <node name="protocols">
-    <children>
-      <node name="pim" owner="${vyos_conf_scripts_dir}/protocols_pim.py">
-        <properties>
-          <help>Protocol Independent Multicast (PIM)</help>
-          <priority>400</priority>
-        </properties>
-        <children>
-          <tagNode name="interface">
-            <properties>
-              <help>PIM interface</help>
-              <completionHelp>
-                <script>${vyos_completion_dir}/list_interfaces</script>
-              </completionHelp>
-            </properties>
-            <children>
-              <leafNode name="dr-priority">
-                <properties>
-                  <help>Designated Router Election Priority</help>
-                  <valueHelp>
-                    <format>u32:1-4294967295</format>
-                    <description>Value of the new DR Priority</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 1-4294967295"/>
-                  </constraint>
-                </properties>
-              </leafNode>
-              <leafNode name="hello">
-                <properties>
-                  <help>Hello Interval</help>
-                  <valueHelp>
-                    <format>u32:1-180</format>
-                    <description>Hello Interval in seconds</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 1-180"/>
-                  </constraint>
-                </properties>
-              </leafNode>
-            </children>
-          </tagNode>
-          <node name="rp">
-            <properties>
-              <help>Rendezvous Point</help>
-            </properties>
-            <children>
-              <tagNode name="address">
-                <properties>
-                  <help>Rendezvous Point address</help>
-                  <valueHelp>
-                    <format>ipv4</format>
-                    <description>Rendezvous Point address</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="ipv4-address"/>
-                  </constraint>
-                </properties>
-                <children>
-                  <leafNode name="group">
-                    <properties>
-                      <help>Group Address range</help>
-                      <valueHelp>
-                        <format>ipv4net</format>
-                        <description>Group Address range RFC 3171</description>
-                      </valueHelp>
-                      <constraint>
-                        <validator name="ip-prefix"/>
-                      </constraint>
-                      <multi/>
-                    </properties>
-                  </leafNode>
-                </children>
-              </tagNode>
-              <leafNode name="keep-alive-timer">
-                <properties>
-                  <help>Keep alive Timer</help>
-                  <valueHelp>
-                    <format>u32:31-60000</format>
-                    <description>Keep alive Timer in seconds</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 31-60000"/>
-                  </constraint>
-                </properties>
-              </leafNode>
-            </children>
-          </node>
-        </children>
-      </node>
-    </children>
-  </node>
-</interfaceDefinition>
diff --git a/interface-definitions/protocols-babel.xml.in b/interface-definitions/protocols_babel.xml.in
index 49fffe230..49fffe230 100644
--- a/interface-definitions/protocols-babel.xml.in
+++ b/interface-definitions/protocols_babel.xml.in
diff --git a/interface-definitions/protocols-bfd.xml.in b/interface-definitions/protocols_bfd.xml.in
index 9048cf5c2..9048cf5c2 100644
--- a/interface-definitions/protocols-bfd.xml.in
+++ b/interface-definitions/protocols_bfd.xml.in
diff --git a/interface-definitions/protocols-bgp.xml.in b/interface-definitions/protocols_bgp.xml.in
index e1a822999..e1a822999 100644
--- a/interface-definitions/protocols-bgp.xml.in
+++ b/interface-definitions/protocols_bgp.xml.in
diff --git a/interface-definitions/protocols-eigrp.xml.in b/interface-definitions/protocols_eigrp.xml.in
index 88a881a1e..88a881a1e 100644
--- a/interface-definitions/protocols-eigrp.xml.in
+++ b/interface-definitions/protocols_eigrp.xml.in
diff --git a/interface-definitions/protocols-failover.xml.in b/interface-definitions/protocols_failover.xml.in
index c0caec68e..c0caec68e 100644
--- a/interface-definitions/protocols-failover.xml.in
+++ b/interface-definitions/protocols_failover.xml.in
diff --git a/interface-definitions/igmp-proxy.xml.in b/interface-definitions/protocols_igmp-proxy.xml.in
index 0eea85060..5cde484f5 100644
--- a/interface-definitions/igmp-proxy.xml.in
+++ b/interface-definitions/protocols_igmp-proxy.xml.in
@@ -3,7 +3,7 @@
 <interfaceDefinition>
   <node name="protocols">
     <children>
-      <node name="igmp-proxy" owner="${vyos_conf_scripts_dir}/igmp_proxy.py">
+      <node name="igmp-proxy" owner="${vyos_conf_scripts_dir}/protocols_igmp-proxy.py">
         <properties>
           <help>Internet Group Management Protocol (IGMP) proxy parameters</help>
           <priority>740</priority>
diff --git a/interface-definitions/protocols-isis.xml.in b/interface-definitions/protocols_isis.xml.in
index e0bc47bb9..e0bc47bb9 100644
--- a/interface-definitions/protocols-isis.xml.in
+++ b/interface-definitions/protocols_isis.xml.in
diff --git a/interface-definitions/protocols-mpls.xml.in b/interface-definitions/protocols_mpls.xml.in
index 831601fc6..831601fc6 100644
--- a/interface-definitions/protocols-mpls.xml.in
+++ b/interface-definitions/protocols_mpls.xml.in
diff --git a/interface-definitions/protocols-nhrp.xml.in b/interface-definitions/protocols_nhrp.xml.in
index d7663c095..d7663c095 100644
--- a/interface-definitions/protocols-nhrp.xml.in
+++ b/interface-definitions/protocols_nhrp.xml.in
diff --git a/interface-definitions/protocols-ospf.xml.in b/interface-definitions/protocols_ospf.xml.in
index b3c063d0d..b3c063d0d 100644
--- a/interface-definitions/protocols-ospf.xml.in
+++ b/interface-definitions/protocols_ospf.xml.in
diff --git a/interface-definitions/protocols-ospfv3.xml.in b/interface-definitions/protocols_ospfv3.xml.in
index 2b98ffa7b..2b98ffa7b 100644
--- a/interface-definitions/protocols-ospfv3.xml.in
+++ b/interface-definitions/protocols_ospfv3.xml.in
diff --git a/interface-definitions/protocols_pim.xml.in b/interface-definitions/protocols_pim.xml.in
new file mode 100644
index 000000000..4a20c0d9b
--- /dev/null
+++ b/interface-definitions/protocols_pim.xml.in
@@ -0,0 +1,210 @@
+<?xml version="1.0"?>
+<!-- Protocol Independent Multicast (PIM) configuration -->
+<interfaceDefinition>
+  <node name="protocols">
+    <children>
+      <node name="pim" owner="${vyos_conf_scripts_dir}/protocols_pim.py">
+        <properties>
+          <help>Protocol Independent Multicast (PIM) and IGMP</help>
+          <priority>400</priority>
+        </properties>
+        <children>
+          <tagNode name="interface">
+            <properties>
+              <help>PIM interface</help>
+              <completionHelp>
+                <script>${vyos_completion_dir}/list_interfaces</script>
+              </completionHelp>
+              <constraint>
+                #include <include/constraint/interface-name.xml.i>
+              </constraint>
+            </properties>
+            <children>
+            #include <include/bfd/bfd.xml.i>
+            #include <include/pim/bsm.xml.i>
+            #include <include/pim/dr-priority.xml.i>
+            #include <include/pim/hello.xml.i>
+            #include <include/pim/passive.xml.i>
+            #include <include/source-address-ipv4.xml.i>
+            <node name="igmp">
+              <properties>
+                <help>Internet Group Management Protocol (IGMP) options</help>
+              </properties>
+              <children>
+                #include <include/generic-disable-node.xml.i>
+                <tagNode name="join">
+                  <properties>
+                    <help>IGMP join multicast group</help>
+                    <valueHelp>
+                      <format>ipv4</format>
+                      <description>Multicast group address</description>
+                    </valueHelp>
+                    <constraint>
+                      <validator name="ipv4-address"/>
+                    </constraint>
+                  </properties>
+                  <children>
+                    #include <include/source-address-ipv4-multi.xml.i>
+                  </children>
+                </tagNode>
+                <leafNode name="query-interval">
+                  <properties>
+                    <help>IGMP host query interval</help>
+                    <valueHelp>
+                      <format>u32:1-1800</format>
+                      <description>Query interval in seconds</description>
+                    </valueHelp>
+                    <constraint>
+                      <validator name="numeric" argument="--range 1-1800"/>
+                    </constraint>
+                  </properties>
+                </leafNode>
+                <leafNode name="query-max-response-time">
+                  <properties>
+                    <help>IGMP max query response time</help>
+                    <valueHelp>
+                      <format>u32:10-250</format>
+                      <description>Query response value in deci-seconds</description>
+                    </valueHelp>
+                    <constraint>
+                      <validator name="numeric" argument="--range 10-250"/>
+                    </constraint>
+                  </properties>
+                </leafNode>
+                <leafNode name="version">
+                  <properties>
+                    <help>Interface IGMP version</help>
+                    <completionHelp>
+                      <list>2 3</list>
+                    </completionHelp>
+                    <valueHelp>
+                      <format>2</format>
+                      <description>IGMP version 2</description>
+                    </valueHelp>
+                    <valueHelp>
+                      <format>3</format>
+                      <description>IGMP version 3</description>
+                    </valueHelp>
+                    <constraint>
+                      <validator name="numeric" argument="--range 2-3"/>
+                    </constraint>
+                  </properties>
+                  <defaultValue>3</defaultValue>
+                  </leafNode>
+                </children>
+              </node>
+            </children>
+          </tagNode>
+          <node name="ecmp">
+            <properties>
+              <help>Enable PIM ECMP</help>
+            </properties>
+            <children>
+              <leafNode name="rebalance">
+                <properties>
+                  <help>Enable PIM ECMP Rebalance</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
+          <node name="igmp">
+            <properties>
+              <help>Internet Group Management Protocol (IGMP) options</help>
+            </properties>
+            <children>
+              <leafNode name="watermark-warning">
+                <properties>
+                  <help>Configure group limit for watermark warning</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>Group count to generate watermark warning</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-65535"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
+          #include <include/pim/join-prune-interval.xml.i>
+          #include <include/pim/keep-alive-timer.xml.i>
+          #include <include/pim/packets.xml.i>
+          #include <include/pim/register-suppress-time.xml.i>
+          <node name="register-accept-list">
+            <properties>
+              <help>Only accept registers from a specific source prefix list</help>
+            </properties>
+            <children>
+              #include <include/policy/prefix-list.xml.i>
+            </children>
+          </node>
+          <node name="rp">
+            <properties>
+              <help>Rendezvous Point</help>
+            </properties>
+            <children>
+              <tagNode name="address">
+                <properties>
+                  <help>Rendezvous Point address</help>
+                  <valueHelp>
+                    <format>ipv4</format>
+                    <description>Rendezvous Point address</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ipv4-address"/>
+                  </constraint>
+                </properties>
+                <children>
+                  <leafNode name="group">
+                    <properties>
+                      <help>Group Address range</help>
+                      <valueHelp>
+                        <format>ipv4net</format>
+                        <description>Group Address range RFC 3171</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ip-prefix"/>
+                      </constraint>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                </children>
+              </tagNode>
+              #include <include/pim/keep-alive-timer.xml.i>
+            </children>
+          </node>
+          <leafNode name="no-v6-secondary">
+            <properties>
+              <help>Disable IPv6 secondary address in hello packets</help>
+              <valueless/>
+            </properties>
+          </leafNode>
+          <node name="spt-switchover">
+            <properties>
+              <help>Shortest-path tree (SPT) switchover</help>
+            </properties>
+            <children>
+              <node name="infinity-and-beyond">
+                <properties>
+                  <help>Never switch to SPT Tree</help>
+                </properties>
+                <children>
+                  #include <include/policy/prefix-list.xml.i>
+                </children>
+              </node>
+            </children>
+          </node>
+          <node name="ssm">
+            <properties>
+              <help>Source-Specific Multicast</help>
+            </properties>
+            <children>
+              #include <include/policy/prefix-list.xml.i>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/protocols_pim6.xml.in b/interface-definitions/protocols_pim6.xml.in
new file mode 100644
index 000000000..8bd3f3fee
--- /dev/null
+++ b/interface-definitions/protocols_pim6.xml.in
@@ -0,0 +1,179 @@
+<?xml version="1.0"?>
+<!-- Protocol Independent Multicast for IPv6 (PIMv6) configuration -->
+<interfaceDefinition>
+  <node name="protocols">
+    <children>
+      <node name="pim6" owner="${vyos_conf_scripts_dir}/protocols_pim6.py">
+        <properties>
+          <help>Protocol Independent Multicast for IPv6 (PIMv6) and MLD</help>
+          <priority>400</priority>
+        </properties>
+        <children>
+          <tagNode name="interface">
+            <properties>
+              <help>PIMv6 interface</help>
+              <completionHelp>
+                <script>${vyos_completion_dir}/list_interfaces</script>
+              </completionHelp>
+              <constraint>
+                #include <include/constraint/interface-name.xml.i>
+              </constraint>
+            </properties>
+            <children>
+              #include <include/pim/bsm.xml.i>
+              #include <include/pim/dr-priority.xml.i>
+              #include <include/pim/hello.xml.i>
+              #include <include/pim/passive.xml.i>
+              <node name="mld">
+                <properties>
+                  <help>Multicast Listener Discovery (MLD)</help>
+                </properties>
+                <children>
+                  #include <include/generic-disable-node.xml.i>
+                  <tagNode name="join">
+                    <properties>
+                      <help>MLD join multicast group</help>
+                      <valueHelp>
+                        <format>ipv6</format>
+                        <description>Multicast group address</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv6-address"/>
+                      </constraint>
+                    </properties>
+                    <children>
+                      <leafNode name="source">
+                        <properties>
+                          <help>Source address</help>
+                          <valueHelp>
+                            <format>ipv6</format>
+                            <description>Source address</description>
+                          </valueHelp>
+                          <completionHelp>
+                            <script>${vyos_completion_dir}/list_local_ips.sh --ipv6</script>
+                          </completionHelp>
+                          <constraint>
+                            <validator name="ipv6-address"/>
+                          </constraint>
+                          <multi/>
+                        </properties>
+                      </leafNode>
+                    </children>
+                  </tagNode>
+                  <leafNode name="last-member-query-count">
+                    <properties>
+                      <help>Last member query count</help>
+                      <valueHelp>
+                        <format>u32:1-255</format>
+                        <description>Count</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-255"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="last-member-query-interval">
+                    <properties>
+                      <help>Last member query interval</help>
+                      <valueHelp>
+                        <format>u32:100-6553500</format>
+                        <description>Last member query interval in milliseconds</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 100-6553500"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="interval">
+                    <properties>
+                      <help>Query interval</help>
+                      <valueHelp>
+                        <format>u32:1-65535</format>
+                        <description>Query interval in seconds</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-65535"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="max-response-time">
+                    <properties>
+                      <help>Max query response time</help>
+                      <valueHelp>
+                        <format>u32:100-6553500</format>
+                        <description>Query response value in milliseconds</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 100-6553500"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="version">
+                    <properties>
+                      <help>MLD version</help>
+                      <completionHelp>
+                        <list>1 2</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>1</format>
+                        <description>MLD version 1</description>
+                      </valueHelp>
+                     <valueHelp>
+                        <format>2</format>
+                        <description>MLD version 2</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-2"/>
+                      </constraint>
+                    </properties>
+                    <defaultValue>2</defaultValue>
+                  </leafNode>
+                </children>
+              </node>
+            </children>
+          </tagNode>
+          #include <include/pim/join-prune-interval.xml.i>
+          #include <include/pim/keep-alive-timer.xml.i>
+          #include <include/pim/packets.xml.i>
+          #include <include/pim/register-suppress-time.xml.i>
+          <node name="rp">
+            <properties>
+              <help>Rendezvous Point</help>
+            </properties>
+            <children>
+              <tagNode name="address">
+                <properties>
+                  <help>Rendezvous Point address</help>
+                  <valueHelp>
+                    <format>ipv6</format>
+                    <description>Rendezvous Point address</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ipv6-address"/>
+                  </constraint>
+                </properties>
+                <children>
+                  <leafNode name="group">
+                    <properties>
+                      <help>Group Address range</help>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>Group Address range</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv6-prefix"/>
+                      </constraint>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                  #include <include/policy/prefix-list6.xml.i>
+                </children>
+              </tagNode>
+              #include <include/pim/keep-alive-timer.xml.i>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/protocols-rip.xml.in b/interface-definitions/protocols_rip.xml.in
index 0edd8f2ce..0edd8f2ce 100644
--- a/interface-definitions/protocols-rip.xml.in
+++ b/interface-definitions/protocols_rip.xml.in
diff --git a/interface-definitions/protocols-ripng.xml.in b/interface-definitions/protocols_ripng.xml.in
index 9d4d87422..9d4d87422 100644
--- a/interface-definitions/protocols-ripng.xml.in
+++ b/interface-definitions/protocols_ripng.xml.in
diff --git a/interface-definitions/protocols-rpki.xml.in b/interface-definitions/protocols_rpki.xml.in
index e9fd04b5f..e9fd04b5f 100644
--- a/interface-definitions/protocols-rpki.xml.in
+++ b/interface-definitions/protocols_rpki.xml.in
diff --git a/interface-definitions/protocols_segment-routing.xml.in b/interface-definitions/protocols_segment-routing.xml.in
new file mode 100644
index 000000000..c299f624e
--- /dev/null
+++ b/interface-definitions/protocols_segment-routing.xml.in
@@ -0,0 +1,137 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="protocols">
+    <children>
+       <node name="segment-routing" owner="${vyos_conf_scripts_dir}/protocols_segment-routing.py">
+        <properties>
+          <help>Segment Routing</help>
+          <priority>900</priority>
+        </properties>
+        <children>
+          <tagNode name="interface">
+            <properties>
+              <help>Interface specific Segment Routing options</help>
+              <completionHelp>
+                <script>${vyos_completion_dir}/list_interfaces</script>
+              </completionHelp>
+              <valueHelp>
+                <format>txt</format>
+                <description>Interface name</description>
+              </valueHelp>
+              <constraint>
+                #include <include/constraint/interface-name.xml.i>
+              </constraint>
+            </properties>
+            <children>
+              <node name="srv6">
+                <properties>
+                  <help>Accept SR-enabled IPv6 packets on this interface</help>
+                </properties>
+                <children>
+                  <leafNode name="hmac">
+                    <properties>
+                      <help>Define HMAC policy for ingress SR-enabled packets on this interface</help>
+                      <completionHelp>
+                        <list>accept drop ignore</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>accept</format>
+                        <description>Accept packets without HMAC, validate packets with HMAC</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>drop</format>
+                        <description>Drop packets without HMAC, validate packets with HMAC</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>ignore</format>
+                        <description>Ignore HMAC field.</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(accept|drop|ignore)</regex>
+                      </constraint>
+                    </properties>
+                    <defaultValue>accept</defaultValue>
+                  </leafNode>
+                </children>
+              </node>
+            </children>
+          </tagNode>
+          <node name="srv6">
+            <properties>
+              <help>Segment-Routing SRv6 configuration</help>
+            </properties>
+            <children>
+              <tagNode name="locator">
+                <properties>
+                  <help>Segment Routing SRv6 locator</help>
+                  <constraint>
+                    #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i>
+                  </constraint>
+                </properties>
+                <children>
+                  <leafNode name="behavior-usid">
+                    <properties>
+                      <help>Set SRv6 behavior uSID</help>
+                      <valueless/>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="prefix">
+                    <properties>
+                      <help>SRv6 locator prefix</help>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>SRv6 locator prefix</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv6-prefix"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="block-len">
+                    <properties>
+                      <help>Configure SRv6 locator block length in bits</help>
+                      <valueHelp>
+                        <format>u32:16-64</format>
+                        <description>Specify SRv6 locator block length in bits</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 16-64"/>
+                      </constraint>
+                    </properties>
+                    <defaultValue>40</defaultValue>
+                  </leafNode>
+                  <leafNode name="func-bits">
+                    <properties>
+                      <help>Configure SRv6 locator function length in bits</help>
+                      <valueHelp>
+                        <format>u32:0-64</format>
+                        <description>Specify SRv6 locator function length in bits</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 0-64"/>
+                      </constraint>
+                    </properties>
+                    <defaultValue>16</defaultValue>
+                  </leafNode>
+                  <leafNode name="node-len">
+                    <properties>
+                      <help>Configure SRv6 locator node length in bits</help>
+                      <valueHelp>
+                        <format>u32:16-64</format>
+                        <description>Configure SRv6 locator node length in bits</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 16-64"/>
+                      </constraint>
+                    </properties>
+                    <defaultValue>24</defaultValue>
+                  </leafNode>
+                </children>
+              </tagNode>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/protocols-static.xml.in b/interface-definitions/protocols_static.xml.in
index ca4ca2d74..ca4ca2d74 100644
--- a/interface-definitions/protocols-static.xml.in
+++ b/interface-definitions/protocols_static.xml.in
diff --git a/interface-definitions/protocols-static-arp.xml.in b/interface-definitions/protocols_static_arp.xml.in
index 4b338df63..05c69f1ed 100644
--- a/interface-definitions/protocols-static-arp.xml.in
+++ b/interface-definitions/protocols_static_arp.xml.in
@@ -4,7 +4,7 @@
     <children>
       <node name="static">
         <children>
-          <node name="arp" owner="${vyos_conf_scripts_dir}/arp.py">
+          <node name="arp" owner="${vyos_conf_scripts_dir}/protocols_static_arp.py">
             <properties>
               <help>Static ARP translation</help>
             </properties>
diff --git a/interface-definitions/protocols-multicast.xml.in b/interface-definitions/protocols_static_multicast.xml.in
index c8e28ed35..c8e28ed35 100644
--- a/interface-definitions/protocols-multicast.xml.in
+++ b/interface-definitions/protocols_static_multicast.xml.in
diff --git a/interface-definitions/protocols_static_neighbor-proxy.xml.in b/interface-definitions/protocols_static_neighbor-proxy.xml.in
new file mode 100644
index 000000000..1c8433a39
--- /dev/null
+++ b/interface-definitions/protocols_static_neighbor-proxy.xml.in
@@ -0,0 +1,48 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="protocols">
+    <children>
+      <node name="static">
+        <children>
+          <node name="neighbor-proxy" owner="${vyos_conf_scripts_dir}/protocols_static_neighbor-proxy.py">
+            <properties>
+              <help>Neighbor proxy parameters</help>
+            </properties>
+            <children>
+              <tagNode name="arp">
+                <properties>
+                  <help>IP address for selective ARP proxy</help>
+                  <valueHelp>
+                    <format>ipv4</format>
+                    <description>IPv4 destination address allowed for proxy-arp</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ipv4-address"/>
+                  </constraint>
+                </properties>
+                <children>
+                  #include <include/generic-interface-multi.xml.i>
+                </children>
+              </tagNode>
+              <tagNode name="nd">
+                <properties>
+                  <help>IPv6 address for selective NDP proxy</help>
+                  <valueHelp>
+                    <format>ipv6</format>
+                    <description>IPv6 destination address</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ipv6-address"/>
+                  </constraint>
+                </properties>
+                <children>
+                  #include <include/generic-interface-multi.xml.i>
+                </children>
+              </tagNode>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/bcast-relay.xml.in b/interface-definitions/service_broadcast-relay.xml.in
index e2993f3f3..2e4330e20 100644
--- a/interface-definitions/bcast-relay.xml.in
+++ b/interface-definitions/service_broadcast-relay.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="broadcast-relay" owner="${vyos_conf_scripts_dir}/bcast_relay.py">
+      <node name="broadcast-relay" owner="${vyos_conf_scripts_dir}/service_broadcast-relay.py">
         <properties>
           <help>UDP broadcast relay service</help>
           <priority>990</priority>
diff --git a/interface-definitions/service-config-sync.xml.in b/interface-definitions/service_config-sync.xml.in
index e804e17f7..9955acfee 100644
--- a/interface-definitions/service-config-sync.xml.in
+++ b/interface-definitions/service_config-sync.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="config-sync" owner="${vyos_conf_scripts_dir}/service_config_sync.py">
+      <node name="config-sync" owner="${vyos_conf_scripts_dir}/service_config-sync.py">
         <properties>
           <help>Configuration synchronization</help>
         </properties>
diff --git a/interface-definitions/service-conntrack-sync.xml.in b/interface-definitions/service_conntrack-sync.xml.in
index 50a4bf62f..46dc8adc0 100644
--- a/interface-definitions/service-conntrack-sync.xml.in
+++ b/interface-definitions/service_conntrack-sync.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="conntrack-sync" owner="${vyos_conf_scripts_dir}/conntrack_sync.py">
+      <node name="conntrack-sync" owner="${vyos_conf_scripts_dir}/service_conntrack-sync.py">
         <properties>
           <help>Connection tracking synchronization</help>
           <!-- before VRRP / HA -->
diff --git a/interface-definitions/service-console-server.xml.in b/interface-definitions/service_console-server.xml.in
index fc6dbe954..fc6dbe954 100644
--- a/interface-definitions/service-console-server.xml.in
+++ b/interface-definitions/service_console-server.xml.in
diff --git a/interface-definitions/dhcp-relay.xml.in b/interface-definitions/service_dhcp-relay.xml.in
index 42715c9bb..9fdd9581d 100644
--- a/interface-definitions/dhcp-relay.xml.in
+++ b/interface-definitions/service_dhcp-relay.xml.in
@@ -3,7 +3,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="dhcp-relay" owner="${vyos_conf_scripts_dir}/dhcp_relay.py">
+      <node name="dhcp-relay" owner="${vyos_conf_scripts_dir}/service_dhcp-relay.py">
         <properties>
           <help>Host Configuration Protocol (DHCP) relay agent</help>
           <priority>910</priority>
diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/service_dhcp-server.xml.in
index 583de7ba9..a3c48afca 100644
--- a/interface-definitions/dhcp-server.xml.in
+++ b/interface-definitions/service_dhcp-server.xml.in
@@ -3,7 +3,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="dhcp-server" owner="${vyos_conf_scripts_dir}/dhcp_server.py">
+      <node name="dhcp-server" owner="${vyos_conf_scripts_dir}/service_dhcp-server.py">
         <properties>
           <help>Dynamic Host Configuration Protocol (DHCP) for DHCP server</help>
           <priority>911</priority>
@@ -38,7 +38,7 @@
                 <properties>
                   <help>Peer name used to identify connection</help>
                   <constraint>
-                    <regex>[-_a-zA-Z0-9.]+</regex>
+                    #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
                   </constraint>
                   <constraintErrorMessage>Invalid failover peer name. May only contain letters, numbers and .-_</constraintErrorMessage>
                 </properties>
@@ -88,7 +88,7 @@
             <properties>
               <help>Name of DHCP shared network</help>
               <constraint>
-                <regex>[-_a-zA-Z0-9.]+</regex>
+                #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
               </constraint>
               <constraintErrorMessage>Invalid shared network name. May only contain letters, numbers and .-_</constraintErrorMessage>
             </properties>
@@ -274,7 +274,7 @@
                     <properties>
                       <help>DHCP lease range</help>
                       <constraint>
-                        <regex>[-_a-zA-Z0-9.]+</regex>
+                        #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
                       </constraint>
                       <constraintErrorMessage>Invalid range name, may only be alphanumeric, dot and hyphen</constraintErrorMessage>
                     </properties>
diff --git a/interface-definitions/dhcpv6-relay.xml.in b/interface-definitions/service_dhcpv6-relay.xml.in
index a80317609..40679d1c2 100644
--- a/interface-definitions/dhcpv6-relay.xml.in
+++ b/interface-definitions/service_dhcpv6-relay.xml.in
@@ -3,7 +3,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="dhcpv6-relay" owner="${vyos_conf_scripts_dir}/dhcpv6_relay.py">
+      <node name="dhcpv6-relay" owner="${vyos_conf_scripts_dir}/service_dhcpv6-relay.py">
         <properties>
           <help>DHCPv6 Relay Agent parameters</help>
           <priority>900</priority>
diff --git a/interface-definitions/dhcpv6-server.xml.in b/interface-definitions/service_dhcpv6-server.xml.in
index 9dff68a24..b838f42e0 100644
--- a/interface-definitions/dhcpv6-server.xml.in
+++ b/interface-definitions/service_dhcpv6-server.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="dhcpv6-server" owner="${vyos_conf_scripts_dir}/dhcpv6_server.py">
+      <node name="dhcpv6-server" owner="${vyos_conf_scripts_dir}/service_dhcpv6-server.py">
         <properties>
           <help>DHCP for IPv6 (DHCPv6) server</help>
           <priority>900</priority>
@@ -34,7 +34,7 @@
             <properties>
               <help>DHCPv6 shared network name</help>
               <constraint>
-                <regex>[-_a-zA-Z0-9.]+</regex>
+                #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
               </constraint>
               <constraintErrorMessage>Invalid DHCPv6 shared network name. May only contain letters, numbers and .-_</constraintErrorMessage>
             </properties>
@@ -176,7 +176,7 @@
                     <properties>
                       <help>NIS domain name for client to use</help>
                       <constraint>
-                        <regex>[-_a-zA-Z0-9.]+</regex>
+                        #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
                       </constraint>
                       <constraintErrorMessage>Invalid NIS domain name</constraintErrorMessage>
                     </properties>
@@ -198,7 +198,7 @@
                     <properties>
                       <help>NIS+ domain name for client to use</help>
                       <constraint>
-                        <regex>[-_a-zA-Z0-9.]+</regex>
+                        #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
                       </constraint>
                       <constraintErrorMessage>Invalid NIS+ domain name. May only contain letters, numbers and .-_</constraintErrorMessage>
                     </properties>
diff --git a/interface-definitions/service_dns_dynamic.xml.in b/interface-definitions/service_dns_dynamic.xml.in
new file mode 100644
index 000000000..d1b0e90bb
--- /dev/null
+++ b/interface-definitions/service_dns_dynamic.xml.in
@@ -0,0 +1,213 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="service">
+    <children>
+      <node name="dns">
+        <properties>
+          <help>Domain Name System (DNS) related services</help>
+        </properties>
+        <children>
+          <node name="dynamic" owner="${vyos_conf_scripts_dir}/service_dns_dynamic.py">
+            <properties>
+              <help>Dynamic DNS</help>
+              <priority>990</priority>
+            </properties>
+            <children>
+              <tagNode name="name">
+                <properties>
+                  <help>Dynamic DNS configuration</help>
+                  <valueHelp>
+                    <format>txt</format>
+                    <description>Dynamic DNS service name</description>
+                  </valueHelp>
+                  <constraint>
+                    #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i>
+                  </constraint>
+                  <constraintErrorMessage>Dynamic DNS service name must be alphanumeric and can contain hyphens and underscores</constraintErrorMessage>
+                </properties>
+                <children>
+                  #include <include/generic-description.xml.i>
+                  <leafNode name="protocol">
+                    <properties>
+                      <help>ddclient protocol used for Dynamic DNS service</help>
+                      <completionHelp>
+                        <script>${vyos_completion_dir}/list_ddclient_protocols.sh</script>
+                      </completionHelp>
+                      <constraint>
+                        <validator name="ddclient-protocol"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="address">
+                    <properties>
+                      <help>Obtain IP address to send Dynamic DNS update for</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Use interface to obtain the IP address</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>web</format>
+                        <description>Use HTTP(S) web request to obtain the IP address</description>
+                      </valueHelp>
+                      <completionHelp>
+                        <script>${vyos_completion_dir}/list_interfaces</script>
+                        <list>web</list>
+                      </completionHelp>
+                      <constraint>
+                        #include <include/constraint/interface-name.xml.i>
+                        <regex>web</regex>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <node name="web-options">
+                    <properties>
+                      <help>Options when using HTTP(S) web request to obtain the IP address</help>
+                    </properties>
+                    <children>
+                      #include <include/url-http-https.xml.i>
+                      <leafNode name="skip">
+                        <properties>
+                          <help>Pattern to skip from the HTTP(S) respose</help>
+                          <valueHelp>
+                            <format>txt</format>
+                            <description>Pattern to skip from the HTTP(S) respose to extract the external IP address</description>
+                          </valueHelp>
+                        </properties>
+                      </leafNode>
+                    </children>
+                  </node>
+                  <leafNode name="ip-version">
+                    <properties>
+                      <help>IP address version to use</help>
+                      <valueHelp>
+                        <format>_ipv4</format>
+                        <description>Use only IPv4 address</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>_ipv6</format>
+                        <description>Use only IPv6 address</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>both</format>
+                        <description>Use both IPv4 and IPv6 address</description>
+                      </valueHelp>
+                      <completionHelp>
+                        <list>ipv4 ipv6 both</list>
+                      </completionHelp>
+                      <constraint>
+                        <regex>(ipv[46]|both)</regex>
+                      </constraint>
+                      <constraintErrorMessage>IP Version must be literal 'ipv4', 'ipv6' or 'both'</constraintErrorMessage>
+                    </properties>
+                    <defaultValue>ipv4</defaultValue>
+                  </leafNode>
+                  <leafNode name="host-name">
+                    <properties>
+                      <help>Hostname to register with Dynamic DNS service</help>
+                      <constraint>
+                          #include <include/constraint/host-name.xml.i>
+                          <regex>(\@|\*)[-.A-Za-z0-9]*</regex>
+                      </constraint>
+                      <constraintErrorMessage>Host-name must be alphanumeric, can contain hyphens and can be prefixed with '@' or '*'</constraintErrorMessage>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="server">
+                    <properties>
+                      <help>Remote Dynamic DNS server to send updates to</help>
+                      <valueHelp>
+                        <format>ipv4</format>
+                        <description>IPv4 address of the remote server</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>ipv6</format>
+                        <description>IPv6 address of the remote server</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>hostname</format>
+                        <description>Fully qualified domain name of the remote server</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ip-address"/>
+                        <validator name="fqdn"/>
+                      </constraint>
+                      <constraintErrorMessage>Remote server must be IP address or fully qualified domain name</constraintErrorMessage>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="zone">
+                    <properties>
+                      <help>DNS zone to be updated</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Name of DNS zone</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="fqdn"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  #include <include/generic-username.xml.i>
+                  #include <include/generic-password.xml.i>
+                  <leafNode name="key">
+                    <properties>
+                      <help>File containing TSIG authentication key for RFC2136 nsupdate on remote DNS server</help>
+                      <valueHelp>
+                        <format>filename</format>
+                        <description>File in /config/auth directory</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="file-path" argument="--strict --parent-dir /config/auth"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  #include <include/dns/time-to-live.xml.i>
+                  <leafNode name="wait-time">
+                    <properties>
+                      <help>Time in seconds to wait between update attempts</help>
+                      <valueHelp>
+                        <format>u32:60-86400</format>
+                        <description>Time in seconds</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 60-86400"/>
+                      </constraint>
+                      <constraintErrorMessage>Wait time must be between 60 and 86400 seconds</constraintErrorMessage>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="expiry-time">
+                    <properties>
+                      <help>Time in seconds for the hostname to be marked expired in cache</help>
+                      <valueHelp>
+                        <format>u32:300-2160000</format>
+                        <description>Time in seconds</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 300-2160000"/>
+                      </constraint>
+                      <constraintErrorMessage>Expiry time must be between 300 and 2160000 seconds</constraintErrorMessage>
+                    </properties>
+                  </leafNode>
+                </children>
+              </tagNode>
+              <leafNode name="interval">
+                <properties>
+                  <help>Interval in seconds to wait between Dynamic DNS updates</help>
+                  <valueHelp>
+                    <format>u32:60-3600</format>
+                    <description>Time in seconds</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 60-3600"/>
+                  </constraint>
+                  <constraintErrorMessage>Interval must be between 60 and 3600 seconds</constraintErrorMessage>
+                </properties>
+                <defaultValue>300</defaultValue>
+              </leafNode>
+              #include <include/interface/vrf.xml.i>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/service_dns_forwarding.xml.in
index 86dc47a47..0f8863438 100644
--- a/interface-definitions/dns-forwarding.xml.in
+++ b/interface-definitions/service_dns_forwarding.xml.in
@@ -8,7 +8,7 @@
           <help>Domain Name System (DNS) related services</help>
         </properties>
         <children>
-          <node name="forwarding" owner="${vyos_conf_scripts_dir}/dns_forwarding.py">
+          <node name="forwarding" owner="${vyos_conf_scripts_dir}/service_dns_forwarding.py">
             <properties>
               <help>DNS forwarding</help>
               <priority>918</priority>
@@ -158,6 +158,9 @@
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
+                          <leafNode name="ttl">
+                              <defaultValue>300</defaultValue>
+                          </leafNode>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
@@ -195,6 +198,9 @@
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
+                          <leafNode name="ttl">
+                              <defaultValue>300</defaultValue>
+                          </leafNode>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
@@ -227,6 +233,9 @@
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
+                          <leafNode name="ttl">
+                              <defaultValue>300</defaultValue>
+                          </leafNode>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
@@ -274,6 +283,9 @@
                             </children>
                           </tagNode>
                           #include <include/dns/time-to-live.xml.i>
+                          <leafNode name="ttl">
+                              <defaultValue>300</defaultValue>
+                          </leafNode>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
@@ -302,6 +314,9 @@
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
+                          <leafNode name="ttl">
+                              <defaultValue>300</defaultValue>
+                          </leafNode>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
@@ -334,6 +349,9 @@
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
+                          <leafNode name="ttl">
+                              <defaultValue>300</defaultValue>
+                          </leafNode>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
@@ -364,6 +382,9 @@
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
+                          <leafNode name="ttl">
+                              <defaultValue>300</defaultValue>
+                          </leafNode>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
@@ -393,6 +414,9 @@
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
+                          <leafNode name="ttl">
+                              <defaultValue>300</defaultValue>
+                          </leafNode>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
@@ -477,6 +501,9 @@
                             </children>
                           </tagNode>
                           #include <include/dns/time-to-live.xml.i>
+                          <leafNode name="ttl">
+                              <defaultValue>300</defaultValue>
+                          </leafNode>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
@@ -585,6 +612,9 @@
                             </children>
                           </tagNode>
                           #include <include/dns/time-to-live.xml.i>
+                          <leafNode name="ttl">
+                              <defaultValue>300</defaultValue>
+                          </leafNode>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
@@ -640,6 +670,19 @@
                 </properties>
                 <defaultValue>3600</defaultValue>
               </leafNode>
+              <leafNode name="serve-stale-extension">
+                <properties>
+                  <help>Number of times the expired TTL of a record is extended by 30 seconds when serving stale</help>
+                  <valueHelp>
+                    <format>u32:0-65535</format>
+                    <description>Number of times to extend the TTL</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 0-65535"/>
+                  </constraint>
+                </properties>
+                <defaultValue>0</defaultValue>
+              </leafNode>
               <leafNode name="timeout">
                 <properties>
                   <help>Number of milliseconds to wait for a remote authoritative server to respond</help>
@@ -654,32 +697,43 @@
                 <defaultValue>1500</defaultValue>
               </leafNode>
               #include <include/name-server-ipv4-ipv6-port.xml.i>
+              #include <include/source-address-ipv4-ipv6-multi.xml.i>
               <leafNode name="source-address">
+                <defaultValue>0.0.0.0 ::</defaultValue>
+              </leafNode>
+              <leafNode name="system">
                 <properties>
-                  <help>Local addresses from which to send DNS queries</help>
-                  <completionHelp>
-                    <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
-                  </completionHelp>
+                  <help>Use system name servers</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+              <leafNode name="exclude-throttle-address">
+                <properties>
+                  <help>IP address or subnet</help>
                   <valueHelp>
                     <format>ipv4</format>
-                    <description>IPv4 address from which to send traffic</description>
+                    <description>IPv4 address to match</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv4net</format>
+                    <description>IPv4 prefix to match</description>
                   </valueHelp>
                   <valueHelp>
                     <format>ipv6</format>
-                    <description>IPv6 address from which to send traffic</description>
+                    <description>IPv6 address</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6net</format>
+                    <description>IPv6 address</description>
                   </valueHelp>
                   <multi/>
                   <constraint>
-                    <validator name="ip-address"/>
+                    <validator name="ipv4-address"/>
+                    <validator name="ipv4-prefix"/>
+                    <validator name="ipv6-address"/>
+                    <validator name="ipv6-prefix"/>
                   </constraint>
                 </properties>
-                <defaultValue>0.0.0.0 ::</defaultValue>
-              </leafNode>
-              <leafNode name="system">
-                <properties>
-                  <help>Use system name servers</help>
-                  <valueless/>
-                </properties>
               </leafNode>
             </children>
           </node>
diff --git a/interface-definitions/service-event-handler.xml.in b/interface-definitions/service_event-handler.xml.in
index aef6bc1bc..2cee4f595 100644
--- a/interface-definitions/service-event-handler.xml.in
+++ b/interface-definitions/service_event-handler.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="event-handler" owner="${vyos_conf_scripts_dir}/service_event_handler.py">
+      <node name="event-handler" owner="${vyos_conf_scripts_dir}/service_event-handler.py">
         <properties>
           <help>Service event handler</help>
         </properties>
diff --git a/interface-definitions/https.xml.in b/interface-definitions/service_https.xml.in
index 5430193b5..b60c7ff2e 100644
--- a/interface-definitions/https.xml.in
+++ b/interface-definitions/service_https.xml.in
@@ -2,73 +2,17 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="https" owner="${vyos_conf_scripts_dir}/https.py">
+      <node name="https" owner="${vyos_conf_scripts_dir}/service_https.py">
         <properties>
           <help>HTTPS configuration</help>
           <priority>1001</priority>
         </properties>
         <children>
-          <tagNode name="virtual-host">
-            <properties>
-              <help>Identifier for virtual host</help>
-              <constraint>
-                <regex>[a-zA-Z0-9-_.:]{1,255}</regex>
-              </constraint>
-              <constraintErrorMessage>illegal characters in identifier or identifier longer than 255 characters</constraintErrorMessage>
-            </properties>
-            <children>
-              <leafNode name="listen-address">
-                <properties>
-                  <help>Address to listen for HTTPS requests</help>
-                  <completionHelp>
-                    <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
-                  </completionHelp>
-                  <valueHelp>
-                    <format>ipv4</format>
-                   <description>HTTPS IPv4 address</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>ipv6</format>
-                    <description>HTTPS IPv6 address</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>'*'</format>
-                    <description>any</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="ip-address"/>
-                    <regex>\*</regex>
-                  </constraint>
-                </properties>
-              </leafNode>
-              <leafNode name='listen-port'>
-                <properties>
-                  <help>Port to listen for HTTPS requests; default 443</help>
-                  <valueHelp>
-                    <format>u32:1-65535</format>
-                    <description>Numeric IP port</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 1-65535"/>
-                  </constraint>
-                </properties>
-              </leafNode>
-              <leafNode name="server-name">
-                <properties>
-                  <help>Server names: exact, wildcard, or regex</help>
-                  <multi/>
-                </properties>
-              </leafNode>
-              #include <include/allow-client.xml.i>
-            </children>
-          </tagNode>
-          <node name="api" owner="${vyos_conf_scripts_dir}/http-api.py">
+          <node name="api">
             <properties>
               <help>VyOS HTTP API configuration</help>
-              <priority>1002</priority>
             </properties>
             <children>
-              #include <include/port-number.xml.i>
               <node name="keys">
                 <properties>
                   <help>HTTP API keys</help>
@@ -101,12 +45,6 @@
                   <hidden/>
                 </properties>
               </leafNode>
-              <leafNode name="socket">
-                <properties>
-                  <help>Run server on Unix domain socket</help>
-                  <valueless/>
-                </properties>
-              </leafNode>
               <node name="graphql">
                 <properties>
                   <help>GraphQL support</help>
@@ -188,19 +126,18 @@
               </node>
             </children>
           </node>
-          <node name="api-restrict">
+          #include <include/allow-client.xml.i>
+          <leafNode name="enable-http-redirect">
             <properties>
-              <help>Restrict api proxy to subset of virtual hosts</help>
+              <help>Enable HTTP to HTTPS redirect</help>
+              <valueless/>
             </properties>
-            <children>
-              <leafNode name="virtual-host">
-                <properties>
-                  <help>Restrict proxy to virtual host(s)</help>
-                  <multi/>
-                </properties>
-              </leafNode>
-            </children>
-          </node>
+          </leafNode>
+          #include <include/listen-address.xml.i>
+          #include <include/port-number.xml.i>
+          <leafNode name='port'>
+            <defaultValue>443</defaultValue>
+          </leafNode>
           <node name="certificates">
             <properties>
               <help>TLS certificates</help>
@@ -208,26 +145,30 @@
             <children>
               #include <include/pki/ca-certificate.xml.i>
               #include <include/pki/certificate.xml.i>
-              <node name="certbot" owner="${vyos_conf_scripts_dir}/le_cert.py">
-                <properties>
-                  <help>Request or apply a letsencrypt certificate for domain-name</help>
-                </properties>
-                <children>
-                  <leafNode name="domain-name">
-                    <properties>
-                      <help>Domain name(s) for which to obtain certificate</help>
-                      <multi/>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="email">
-                    <properties>
-                      <help>Email address to associate with certificate</help>
-                    </properties>
-                  </leafNode>
-                </children>
-              </node>
+              #include <include/pki/dh-params.xml.i>
             </children>
           </node>
+          <leafNode name="tls-version">
+            <properties>
+              <help>Specify available TLS version(s)</help>
+              <completionHelp>
+                <list>1.2 1.3</list>
+              </completionHelp>
+              <valueHelp>
+                <format>1.2</format>
+                <description>TLSv1.2</description>
+              </valueHelp>
+              <valueHelp>
+                <format>1.3</format>
+                <description>TLSv1.3</description>
+              </valueHelp>
+              <constraint>
+                <regex>(1.2|1.3)</regex>
+              </constraint>
+              <multi/>
+            </properties>
+            <defaultValue>1.2 1.3</defaultValue>
+          </leafNode>
           #include <include/interface/vrf.xml.i>
         </children>
       </node>
diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service_ids_ddos-protection.xml.in
index 78463136b..3ef2640b3 100644
--- a/interface-definitions/service-ids-ddos-protection.xml.in
+++ b/interface-definitions/service_ids_ddos-protection.xml.in
@@ -7,7 +7,7 @@
           <help>Intrusion Detection System</help>
         </properties>
         <children>
-          <node name="ddos-protection" owner="${vyos_conf_scripts_dir}/service_ids_fastnetmon.py">
+          <node name="ddos-protection" owner="${vyos_conf_scripts_dir}/service_ids_ddos-protection.py">
             <properties>
               <help>FastNetMon detection and protection parameters</help>
               <priority>731</priority>
diff --git a/interface-definitions/service-ipoe-server.xml.in b/interface-definitions/service_ipoe-server.xml.in
index b6e6503d3..edfe6a34c 100644
--- a/interface-definitions/service-ipoe-server.xml.in
+++ b/interface-definitions/service_ipoe-server.xml.in
@@ -102,15 +102,10 @@
               #include <include/accel-ppp/vlan.xml.i>
             </children>
           </tagNode>
+          #include <include/accel-ppp/max-concurrent-sessions.xml.i>
           #include <include/name-server-ipv4-ipv6.xml.i>
-          <node name="client-ip-pool">
-            <properties>
-              <help>Client IP pools and gateway setting</help>
-            </properties>
-            <children>
-              #include <include/accel-ppp/client-ip-pool-name.xml.i>
-            </children>
-          </node>
+          #include <include/accel-ppp/client-ip-pool.xml.i>
+          #include <include/accel-ppp/gateway-address-multi.xml.i>
           #include <include/accel-ppp/client-ipv6-pool.xml.i>
           <node name="authentication">
             <properties>
@@ -187,6 +182,7 @@
               #include <include/accel-ppp/radius-additions.xml.i>
             </children>
           </node>
+          #include <include/accel-ppp/default-pool.xml.i>
         </children>
       </node>
     </children>
diff --git a/interface-definitions/lldp.xml.in b/interface-definitions/service_lldp.xml.in
index 738bb11c1..1a06e0cb3 100644
--- a/interface-definitions/lldp.xml.in
+++ b/interface-definitions/service_lldp.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="lldp" owner="${vyos_conf_scripts_dir}/lldp.py">
+      <node name="lldp" owner="${vyos_conf_scripts_dir}/service_lldp.py">
         <properties>
           <help>LLDP settings</help>
           <priority>985</priority>
@@ -175,19 +175,12 @@
               <multi/>
             </properties>
           </leafNode>
-          <node name="snmp">
+          <leafNode name="snmp">
             <properties>
-              <help>SNMP parameters for LLDP</help>
+              <help>Enable SNMP queries of the LLDP database</help>
+              <valueless/>
             </properties>
-            <children>
-              <leafNode name="enable">
-                <properties>
-                  <help>Enable SNMP queries of the LLDP database</help>
-                  <valueless/>
-                </properties>
-              </leafNode>
-            </children>
-          </node>
+          </leafNode>
         </children>
       </node>
     </children>
diff --git a/interface-definitions/service-mdns-repeater.xml.in b/interface-definitions/service_mdns_repeater.xml.in
index 653dbbbe4..5d6f61d74 100644
--- a/interface-definitions/service-mdns-repeater.xml.in
+++ b/interface-definitions/service_mdns_repeater.xml.in
@@ -7,7 +7,7 @@
           <help>Multicast DNS (mDNS) parameters</help>
         </properties>
         <children>
-          <node name="repeater" owner="${vyos_conf_scripts_dir}/service_mdns-repeater.py">
+          <node name="repeater" owner="${vyos_conf_scripts_dir}/service_mdns_repeater.py">
             <properties>
               <help>mDNS repeater configuration</help>
               <priority>990</priority>
@@ -15,6 +15,31 @@
             <children>
               #include <include/generic-disable-node.xml.i>
               #include <include/generic-interface-multi.xml.i>
+              <leafNode name="ip-version">
+                <properties>
+                  <help>IP address version to use</help>
+                  <valueHelp>
+                    <format>_ipv4</format>
+                    <description>Use only IPv4 address</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>_ipv6</format>
+                    <description>Use only IPv6 address</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>both</format>
+                    <description>Use both IPv4 and IPv6 address</description>
+                  </valueHelp>
+                  <completionHelp>
+                    <list>ipv4 ipv6 both</list>
+                  </completionHelp>
+                  <constraint>
+                    <regex>(ipv[46]|both)</regex>
+                  </constraint>
+                  <constraintErrorMessage>IP Version must be literal 'ipv4', 'ipv6' or 'both'</constraintErrorMessage>
+                </properties>
+                <defaultValue>both</defaultValue>
+              </leafNode>
               <leafNode name="browse-domain">
                 <properties>
                   <help>mDNS browsing domains in addition to the default one</help>
diff --git a/interface-definitions/service-monitoring-telegraf.xml.in b/interface-definitions/service_monitoring_telegraf.xml.in
index ae0bae900..4d694114a 100644
--- a/interface-definitions/service-monitoring-telegraf.xml.in
+++ b/interface-definitions/service_monitoring_telegraf.xml.in
@@ -53,7 +53,7 @@
                     </properties>
                     <defaultValue>main</defaultValue>
                   </leafNode>
-                  #include <include/url.xml.i>
+                  #include <include/url-http-https.xml.i>
                   #include <include/port-number.xml.i>
                   <leafNode name="port">
                     <defaultValue>8086</defaultValue>
@@ -145,7 +145,7 @@
                       <constraintErrorMessage>Table is limited to alphanumerical characters and can contain hyphen and underscores</constraintErrorMessage>
                     </properties>
                   </leafNode>
-                  #include <include/url.xml.i>
+                  #include <include/url-http-https.xml.i>
                 </children>
               </node>
               <leafNode name="source">
@@ -271,7 +271,7 @@
                       </leafNode>
                     </children>
                   </node>
-                  #include <include/url.xml.i>
+                  #include <include/url-http-https.xml.i>
                 </children>
               </node>
               #include <include/interface/vrf.xml.i>
diff --git a/interface-definitions/service-monitoring-zabbix-agent.xml.in b/interface-definitions/service_monitoring_zabbix-agent.xml.in
index 40f2df642..40f2df642 100644
--- a/interface-definitions/service-monitoring-zabbix-agent.xml.in
+++ b/interface-definitions/service_monitoring_zabbix-agent.xml.in
diff --git a/interface-definitions/service_ndp-proxy.xml.in b/interface-definitions/service_ndp-proxy.xml.in
new file mode 100644
index 000000000..9801c99ab
--- /dev/null
+++ b/interface-definitions/service_ndp-proxy.xml.in
@@ -0,0 +1,132 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="service">
+    <children>
+      <node name="ndp-proxy" owner="${vyos_conf_scripts_dir}/service_ndp-proxy.py">
+        <properties>
+          <help>Neighbor Discovery Protocol (NDP) Proxy</help>
+        </properties>
+        <children>
+          <leafNode name="route-refresh">
+            <properties>
+              <help>Refresh interval for IPv6 routes</help>
+              <valueHelp>
+                <format>u32:10000-120000</format>
+                <description>Time in milliseconds</description>
+              </valueHelp>
+              <constraint>
+                <validator name="numeric" argument="--range 10000-120000"/>
+              </constraint>
+              <constraintErrorMessage>Route-refresh must be between 10000 and 120000 milliseconds</constraintErrorMessage>
+            </properties>
+            <defaultValue>30000</defaultValue>
+          </leafNode>
+          <tagNode name="interface">
+            <properties>
+              <help>NDP proxy listener interface</help>
+              <completionHelp>
+                <script>${vyos_completion_dir}/list_interfaces</script>
+              </completionHelp>
+              <constraint>
+                #include <include/constraint/interface-name.xml.i>
+              </constraint>
+            </properties>
+            <children>
+              #include <include/generic-disable-node.xml.i>
+              <leafNode name="enable-router-bit">
+                <properties>
+                  <help>Enable router bit in Neighbor Advertisement messages</help>
+                  <valueless/>
+                  </properties>
+                </leafNode>
+              <leafNode name="timeout">
+                <properties>
+                  <help>Timeout for Neighbor Advertisement after Neighbor Solicitation message</help>
+                  <valueHelp>
+                    <format>u32:500-120000</format>
+                    <description>Timeout in milliseconds</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 500-120000"/>
+                  </constraint>
+                  <constraintErrorMessage>Timeout must be between 500 and 120000 milliseconds</constraintErrorMessage>
+                </properties>
+                <defaultValue>500</defaultValue>
+              </leafNode>
+              <leafNode name="ttl">
+                <properties>
+                  <help>Proxy entry cache Time-To-Live</help>
+                  <valueHelp>
+                    <format>u32:10000-120000</format>
+                    <description>Time in milliseconds</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 10000-120000"/>
+                  </constraint>
+                  <constraintErrorMessage>TTL must be between 10000 and 120000 milliseconds</constraintErrorMessage>
+                </properties>
+                <defaultValue>30000</defaultValue>
+              </leafNode>
+              <tagNode name="prefix">
+                <properties>
+                  <help>Prefix target addresses are matched against</help>
+                  <valueHelp>
+                    <format>ipv6net</format>
+                    <description>IPv6 network prefix</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6</format>
+                    <description>IPv6 address</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ipv6-prefix"/>
+                    <validator name="ipv6-address"/>
+                  </constraint>
+                </properties>
+                <children>
+                  #include <include/generic-disable-node.xml.i>
+                  <leafNode name="mode">
+                    <properties>
+                      <help>Specify the running mode of the rule</help>
+                      <completionHelp>
+                        <list>static auto interface</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>static</format>
+                        <description>Immediately answer any Neighbor Solicitation Messages</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>auto</format>
+                        <description>Check for a matching route in /proc/net/ipv6_route</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>interface</format>
+                        <description>Forward Neighbor Solicitation message through specified interface</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(static|auto|interface)</regex>
+                      </constraint>
+                      <constraintErrorMessage>Mode must be either one of: static, auto or interface</constraintErrorMessage>
+                    </properties>
+                    <defaultValue>static</defaultValue>
+                  </leafNode>
+                  <leafNode name="interface">
+                    <properties>
+                      <help>Interface to forward Neighbor Solicitation message through. Required for "iface" mode</help>
+                      <completionHelp>
+                        <script>${vyos_completion_dir}/list_interfaces</script>
+                      </completionHelp>
+                      <constraint>
+                        #include <include/constraint/interface-name.xml.i>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </tagNode>
+            </children>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/ntp.xml.in b/interface-definitions/service_ntp.xml.in
index 4e874434b..65a45d7a1 100644
--- a/interface-definitions/ntp.xml.in
+++ b/interface-definitions/service_ntp.xml.in
@@ -3,7 +3,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="ntp" owner="${vyos_conf_scripts_dir}/ntp.py">
+      <node name="ntp" owner="${vyos_conf_scripts_dir}/service_ntp.py">
         <properties>
           <help>Network Time Protocol (NTP) configuration</help>
           <priority>900</priority>
diff --git a/interface-definitions/service-pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in
index 022ac2885..f1b369936 100644
--- a/interface-definitions/service-pppoe-server.xml.in
+++ b/interface-definitions/service_pppoe-server.xml.in
@@ -49,16 +49,7 @@
               </node>
             </children>
           </node>
-          <node name="client-ip-pool">
-            <properties>
-              <help>Pool of client IP addresses (must be within a /24)</help>
-            </properties>
-            <children>
-              #include <include/accel-ppp/client-ip-pool-start-stop.xml.i>
-              #include <include/accel-ppp/client-ip-pool-subnet.xml.i>
-              #include <include/accel-ppp/client-ip-pool-name.xml.i>
-            </children>
-          </node>
+          #include <include/accel-ppp/client-ip-pool.xml.i>
           #include <include/accel-ppp/client-ipv6-pool.xml.i>
           #include <include/name-server-ipv4-ipv6.xml.i>
           <tagNode name="interface">
@@ -73,6 +64,7 @@
             </children>
           </tagNode>
           #include <include/accel-ppp/gateway-address.xml.i>
+          #include <include/accel-ppp/max-concurrent-sessions.xml.i>
           #include <include/accel-ppp/mtu-128-16384.xml.i>
           <node name="limits">
             <properties>
@@ -281,6 +273,7 @@
               </leafNode>
             </children>
           </node>
+          #include <include/accel-ppp/default-pool.xml.i>
         </children>
       </node>
     </children>
diff --git a/interface-definitions/service-router-advert.xml.in b/interface-definitions/service_router-advert.xml.in
index 16c29022d..16c29022d 100644
--- a/interface-definitions/service-router-advert.xml.in
+++ b/interface-definitions/service_router-advert.xml.in
diff --git a/interface-definitions/salt-minion.xml.in b/interface-definitions/service_salt-minion.xml.in
index c3219cff3..eaa2899f4 100644
--- a/interface-definitions/salt-minion.xml.in
+++ b/interface-definitions/service_salt-minion.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="salt-minion" owner="${vyos_conf_scripts_dir}/salt-minion.py">
+      <node name="salt-minion" owner="${vyos_conf_scripts_dir}/service_salt-minion.py">
         <properties>
           <help>Salt Minion</help>
           <priority>500</priority>
diff --git a/interface-definitions/service-sla.xml.in b/interface-definitions/service_sla.xml.in
index 0c4f8a591..0c4f8a591 100644
--- a/interface-definitions/service-sla.xml.in
+++ b/interface-definitions/service_sla.xml.in
diff --git a/interface-definitions/snmp.xml.in b/interface-definitions/service_snmp.xml.in
index 0851b8389..e16e9daa1 100644
--- a/interface-definitions/snmp.xml.in
+++ b/interface-definitions/service_snmp.xml.in
@@ -3,7 +3,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="snmp" owner="${vyos_conf_scripts_dir}/snmp.py">
+      <node name="snmp" owner="${vyos_conf_scripts_dir}/service_snmp.py">
         <properties>
           <help>Simple Network Management Protocol (SNMP)</help>
           <priority>900</priority>
@@ -79,6 +79,101 @@
             </properties>
           </leafNode>
           #include <include/generic-description.xml.i>
+          <node name="mib">
+            <properties>
+              <help>Management information base (MIB)</help>
+            </properties>
+            <children>
+              <leafNode name="interface-max">
+                <properties>
+                  <help>Sets the maximum number of interfaces included in IF-MIB data collection</help>
+                  <valueHelp>
+                    <format>u32:1-4294967295</format>
+                    <description>Sets the maximum number of interfaces included in IF-MIB data collection</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-4294967295"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="interface">
+                <properties>
+                  <help>Sets the interface name prefix to include in the IF-MIB data collection</help>
+                  <completionHelp>
+                    <list>br bond dum eth gnv macsec peth sstpc tun veth vti vtun vxlan wg wlan wwan</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>br</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>bond</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dum</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>eth</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>gnv</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>macsec</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>peth</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>sstpc</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>tun</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>veth</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>vti</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>vtun</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>vxlan</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>wg</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>wlan</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>wwan</format>
+                    <description>Allow prefix for IF-MIB data collection</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(br|bond|dum|eth|gnv|macsec|peth|sstpc|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)</regex>
+                  </constraint>
+                  <multi/>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
           <tagNode name="listen-address">
             <properties>
               <help>IP address to listen for incoming SNMP requests</help>
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/service_ssh.xml.in
index 2bcce2cf0..5c893bd35 100644
--- a/interface-definitions/ssh.xml.in
+++ b/interface-definitions/service_ssh.xml.in
@@ -5,7 +5,7 @@
       <help>System services</help>
     </properties>
     <children>
-      <node name="ssh" owner="${vyos_conf_scripts_dir}/ssh.py">
+      <node name="ssh" owner="${vyos_conf_scripts_dir}/service_ssh.py">
         <properties>
           <help>Secure Shell (SSH)</help>
           <priority>1000</priority>
diff --git a/interface-definitions/tftp-server.xml.in b/interface-definitions/service_tftp-server.xml.in
index 8ca4da883..e48b5a3f0 100644
--- a/interface-definitions/tftp-server.xml.in
+++ b/interface-definitions/service_tftp-server.xml.in
@@ -3,7 +3,7 @@
 <interfaceDefinition>
   <node name="service">
     <children>
-      <node name="tftp-server" owner="${vyos_conf_scripts_dir}/tftp_server.py">
+      <node name="tftp-server" owner="${vyos_conf_scripts_dir}/service_tftp-server.py">
         <properties>
           <help>Trivial File Transfer Protocol (TFTP) server</help>
           <priority>990</priority>
diff --git a/interface-definitions/service-upnp.xml.in b/interface-definitions/service_upnp.xml.in
index 20e01bfbd..20e01bfbd 100644
--- a/interface-definitions/service-upnp.xml.in
+++ b/interface-definitions/service_upnp.xml.in
diff --git a/interface-definitions/service-webproxy.xml.in b/interface-definitions/service_webproxy.xml.in
index b24997816..637d57891 100644
--- a/interface-definitions/service-webproxy.xml.in
+++ b/interface-definitions/service_webproxy.xml.in
@@ -353,7 +353,7 @@
                 <description>Object size in KB</description>
               </valueHelp>
               <constraint>
-                <validator name="numeric" argument="--range 1-100000"/>
+                <validator name="numeric" argument="--range 1-1000000"/>
               </constraint>
             </properties>
           </leafNode>
diff --git a/interface-definitions/system-acceleration-qat.xml.in b/interface-definitions/system_acceleration.xml.in
index 812484184..fb5c9d4ea 100644
--- a/interface-definitions/system-acceleration-qat.xml.in
+++ b/interface-definitions/system_acceleration.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="acceleration" owner="${vyos_conf_scripts_dir}/intel_qat.py">
+      <node name="acceleration" owner="${vyos_conf_scripts_dir}/system_acceleration.py">
         <properties>
           <help>Acceleration components</help>
           <priority>50</priority>
diff --git a/interface-definitions/system-config-mgmt.xml.in b/interface-definitions/system_config-management.xml.in
index de5a8cc16..7ae347955 100644
--- a/interface-definitions/system-config-mgmt.xml.in
+++ b/interface-definitions/system_config-management.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="config-management" owner="${vyos_conf_scripts_dir}/config_mgmt.py">
+      <node name="config-management" owner="${vyos_conf_scripts_dir}/system_config-management.py">
         <properties>
           <help>Configuration management settings</help>
           <priority>400</priority>
@@ -17,11 +17,36 @@
                 <properties>
                   <help>Commit archive location</help>
                   <valueHelp>
-                    <format>uri</format>
-                    <description>Uniform Resource Identifier</description>
+                    <format>http://&lt;user&gt;:&lt;passwd&gt;@&lt;host&gt;/&lt;path&gt;</format>
+                    <description/>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>https://&lt;user&gt;:&lt;passwd&gt;@&lt;host&gt;/&lt;path&gt;</format>
+                    <description/>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ftp://&lt;user&gt;:&lt;passwd&gt;@&lt;host&gt;/&lt;path&gt;</format>
+                    <description/>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>sftp://&lt;user&gt;:&lt;passwd&gt;@&lt;host&gt;/&lt;path&gt;</format>
+                    <description/>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>scp://&lt;user&gt;:&lt;passwd&gt;@&lt;host&gt;/&lt;path&gt;</format>
+                    <description/>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>tftp://&lt;host&gt;/&lt;path&gt;</format>
+                    <description/>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>git+https://&lt;user&gt;:&lt;passwd&gt;@&lt;host&gt;/&lt;path&gt;</format>
+                    <description/>
                   </valueHelp>
                   <constraint>
                     <validator name="url --file-transport"/>
+                    <regex>(ssh|git|git\+(\w+)):\/\/.*</regex>
                   </constraint>
                   <multi/>
                 </properties>
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system_conntrack.xml.in
index 8dad048b8..ed5b7e8e0 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system_conntrack.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="conntrack" owner="${vyos_conf_scripts_dir}/conntrack.py">
+      <node name="conntrack" owner="${vyos_conf_scripts_dir}/system_conntrack.py">
         <properties>
           <help>Connection Tracking Engine Options</help>
           <!-- Before NAT and conntrack-sync are configured -->
diff --git a/interface-definitions/system-console.xml.in b/interface-definitions/system_console.xml.in
index 5acd3e90b..5acd3e90b 100644
--- a/interface-definitions/system-console.xml.in
+++ b/interface-definitions/system_console.xml.in
diff --git a/interface-definitions/system_domain-name.xml.in b/interface-definitions/system_domain-name.xml.in
new file mode 100644
index 000000000..bfca9b8ce
--- /dev/null
+++ b/interface-definitions/system_domain-name.xml.in
@@ -0,0 +1,15 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="system">
+    <children>
+      <leafNode name="domain-name" owner="${vyos_conf_scripts_dir}/system_host-name.py">
+        <properties>
+          <help>System domain name</help>
+          <constraint>
+            <validator name="fqdn"/>
+          </constraint>
+        </properties>
+      </leafNode>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/system_domain-search.xml.in b/interface-definitions/system_domain-search.xml.in
new file mode 100644
index 000000000..eb6c8a85c
--- /dev/null
+++ b/interface-definitions/system_domain-search.xml.in
@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="system">
+    <children>
+      <leafNode name="domain-search" owner="${vyos_conf_scripts_dir}/system_host-name.py">
+        <properties>
+          <help>Domain Name Server (DNS) domain completion order</help>
+          <priority>400</priority>
+          <constraint>
+            <validator name="fqdn"/>
+          </constraint>
+          <constraintErrorMessage>Invalid domain name (RFC 1123 section 2).\nMay only contain letters, numbers and period.</constraintErrorMessage>
+          <multi/>
+        </properties>
+      </leafNode>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/flow-accounting-conf.xml.in b/interface-definitions/system_flow-accounting.xml.in
index 40a9bb423..83a2480a3 100644
--- a/interface-definitions/flow-accounting-conf.xml.in
+++ b/interface-definitions/system_flow-accounting.xml.in
@@ -3,7 +3,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="flow-accounting" owner="${vyos_conf_scripts_dir}/flow_accounting_conf.py">
+      <node name="flow-accounting" owner="${vyos_conf_scripts_dir}/system_flow-accounting.py">
         <properties>
           <help>Flow accounting settings</help>
           <priority>990</priority>
diff --git a/interface-definitions/system-frr.xml.in b/interface-definitions/system_frr.xml.in
index 9fe23ed75..76001b392 100644
--- a/interface-definitions/system-frr.xml.in
+++ b/interface-definitions/system_frr.xml.in
@@ -15,6 +15,20 @@
               <valueless/>
             </properties>
           </leafNode>
+          <leafNode name="descriptors">
+            <properties>
+              <help>Number of open file descriptors a process is allowed to use</help>
+              <valueHelp>
+                <format>u32:1024-8192</format>
+                <description>Number of file descriptors</description>
+              </valueHelp>
+              <constraint>
+                <validator name="numeric" argument="--range 1024-8192"/>
+              </constraint>
+              <constraintErrorMessage>Port number must be in range 1024 to 8192</constraintErrorMessage>
+            </properties>
+            <defaultValue>1024</defaultValue>
+          </leafNode>
           <leafNode name="irdp">
             <properties>
               <help>Enable ICMP Router Discovery Protocol support</help>
diff --git a/interface-definitions/system_host-name.xml.in b/interface-definitions/system_host-name.xml.in
new file mode 100644
index 000000000..423531a68
--- /dev/null
+++ b/interface-definitions/system_host-name.xml.in
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="system">
+    <children>
+      <!-- script does not use XML defaults so far -->
+      <leafNode name="host-name" owner="${vyos_conf_scripts_dir}/system_host-name.py">
+        <properties>
+          <help>System host name (default: vyos)</help>
+          <constraint>
+            #include <include/constraint/host-name.xml.i>
+          </constraint>
+        </properties>
+      </leafNode>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/system-ip.xml.in b/interface-definitions/system_ip.xml.in
index 6db4dbfc7..6e3b7d5d0 100644
--- a/interface-definitions/system-ip.xml.in
+++ b/interface-definitions/system_ip.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="ip" owner="${vyos_conf_scripts_dir}/system-ip.py">
+      <node name="ip" owner="${vyos_conf_scripts_dir}/system_ip.py">
         <properties>
           <help>IPv4 Settings</help>
           <!-- must be before any interface, check /opt/vyatta/sbin/priority.pl -->
diff --git a/interface-definitions/system-ipv6.xml.in b/interface-definitions/system_ipv6.xml.in
index e17e1c01c..8957cb6a7 100644
--- a/interface-definitions/system-ipv6.xml.in
+++ b/interface-definitions/system_ipv6.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="ipv6" owner="${vyos_conf_scripts_dir}/system-ipv6.py">
+      <node name="ipv6" owner="${vyos_conf_scripts_dir}/system_ipv6.py">
         <properties>
           <help>IPv6 Settings</help>
           <!-- must be before any interface, check /opt/vyatta/sbin/priority.pl -->
diff --git a/interface-definitions/system-lcd.xml.in b/interface-definitions/system_lcd.xml.in
index 0cf4de308..0cf4de308 100644
--- a/interface-definitions/system-lcd.xml.in
+++ b/interface-definitions/system_lcd.xml.in
diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system_login.xml.in
index 71db8b1d6..672c4afc8 100644
--- a/interface-definitions/system-login.xml.in
+++ b/interface-definitions/system_login.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="login" owner="${vyos_conf_scripts_dir}/system-login.py">
+      <node name="login" owner="${vyos_conf_scripts_dir}/system_login.py">
         <properties>
           <help>System User Login Configuration</help>
           <priority>400</priority>
@@ -244,21 +244,27 @@
                   </leafNode>
                 </children>
               </tagNode>
-              <leafNode name="source-address">
+              <leafNode name="security-mode">
                 <properties>
-                  <help>Source IP used to communicate with TACACS+ server</help>
+                  <help>Security mode for TACACS+ authentication</help>
                   <completionHelp>
-                    <script>${vyos_completion_dir}/list_local_ips.sh --ipv4</script>
+                    <list>mandatory optional</list>
                   </completionHelp>
                   <valueHelp>
-                    <format>ipv4</format>
-                    <description>IPv4 source address</description>
+                    <format>mandatory</format>
+                    <description>Deny access immediately if TACACS+ answers with REJECT</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>optional</format>
+                    <description>Pass to the next authentication method if TACACS+ answers with REJECT</description>
                   </valueHelp>
                   <constraint>
-                    <validator name="ipv4-address"/>
+                    <regex>(mandatory|optional)</regex>
                   </constraint>
                 </properties>
+                <defaultValue>optional</defaultValue>
               </leafNode>
+              #include <include/source-address-ipv4.xml.i>
               #include <include/radius-timeout.xml.i>
               #include <include/interface/vrf.xml.i>
             </children>
diff --git a/interface-definitions/system-login-banner.xml.in b/interface-definitions/system_login_banner.xml.in
index bdd0ad96a..211505ae4 100644
--- a/interface-definitions/system-login-banner.xml.in
+++ b/interface-definitions/system_login_banner.xml.in
@@ -2,13 +2,13 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="login" owner="${vyos_conf_scripts_dir}/system-login.py">
+      <node name="login" owner="${vyos_conf_scripts_dir}/system_login.py">
         <properties>
           <help>System User Login Configuration</help>
           <priority>400</priority>
         </properties>
         <children>
-          <node name="banner" owner="${vyos_conf_scripts_dir}/system-login-banner.py">
+          <node name="banner" owner="${vyos_conf_scripts_dir}/system_login_banner.py">
             <properties>
               <help>System login banners</help>
             </properties>
diff --git a/interface-definitions/system-logs.xml.in b/interface-definitions/system_logs.xml.in
index 1caa7abb6..b34cbdc39 100644
--- a/interface-definitions/system-logs.xml.in
+++ b/interface-definitions/system_logs.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="logs" owner="${vyos_conf_scripts_dir}/system-logs.py">
+      <node name="logs" owner="${vyos_conf_scripts_dir}/system_logs.py">
         <properties>
           <help>Logging options</help>
           <priority>9999</priority>
diff --git a/interface-definitions/system_name-server.xml.in b/interface-definitions/system_name-server.xml.in
new file mode 100644
index 000000000..2f750abfa
--- /dev/null
+++ b/interface-definitions/system_name-server.xml.in
@@ -0,0 +1,33 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="system">
+    <children>
+      <leafNode name="name-server" owner="${vyos_conf_scripts_dir}/system_host-name.py">
+        <properties>
+          <help>System Domain Name Servers (DNS)</help>
+          <priority>400</priority>
+          <completionHelp>
+            <script>${vyos_completion_dir}/list_interfaces</script>
+          </completionHelp>
+          <valueHelp>
+            <format>ipv4</format>
+            <description>Domain Name Server IPv4 address</description>
+          </valueHelp>
+          <valueHelp>
+            <format>ipv6</format>
+            <description>Domain Name Server IPv6 address</description>
+          </valueHelp>
+          <valueHelp>
+            <format>txt</format>
+            <description>Use Domain Name Server from DHCP interface</description>
+          </valueHelp>
+          <multi/>
+          <constraint>
+            <validator name="ip-address"/>
+            #include <include/constraint/interface-name.xml.i>
+          </constraint>
+        </properties>
+      </leafNode>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/system-option.xml.in b/interface-definitions/system_option.xml.in
index b1b5f7fae..adb45bdcc 100644
--- a/interface-definitions/system-option.xml.in
+++ b/interface-definitions/system_option.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="option" owner="${vyos_conf_scripts_dir}/system-option.py">
+      <node name="option" owner="${vyos_conf_scripts_dir}/system_option.py">
         <properties>
           <help>System Options</help>
           <priority>9999</priority>
diff --git a/interface-definitions/system-proxy.xml.in b/interface-definitions/system_proxy.xml.in
index f7ab31d7e..214534dbb 100644
--- a/interface-definitions/system-proxy.xml.in
+++ b/interface-definitions/system_proxy.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="proxy" owner="${vyos_conf_scripts_dir}/system-proxy.py">
+      <node name="proxy" owner="${vyos_conf_scripts_dir}/system_proxy.py">
         <properties>
           <help>Sets a proxy for system wide use</help>
         </properties>
diff --git a/interface-definitions/system-sflow.xml.in b/interface-definitions/system_sflow.xml.in
index c5152abe9..c5152abe9 100644
--- a/interface-definitions/system-sflow.xml.in
+++ b/interface-definitions/system_sflow.xml.in
diff --git a/interface-definitions/system_static-host-mapping.xml.in b/interface-definitions/system_static-host-mapping.xml.in
new file mode 100644
index 000000000..492741f11
--- /dev/null
+++ b/interface-definitions/system_static-host-mapping.xml.in
@@ -0,0 +1,53 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="system">
+    <children>
+      <node name="static-host-mapping" owner="${vyos_conf_scripts_dir}/system_host-name.py">
+        <properties>
+          <help>Map host names to addresses</help>
+          <priority>400</priority>
+        </properties>
+        <children>
+          <tagNode name="host-name">
+            <properties>
+              <help>Host name for static address mapping</help>
+              <constraint>
+                #include <include/constraint/host-name.xml.i>
+              </constraint>
+              <constraintErrorMessage>Host-name must be alphanumeric and can contain hyphens</constraintErrorMessage>
+            </properties>
+            <children>
+              <leafNode name="alias">
+                <properties>
+                  <help>Alias for this address</help>
+                  <constraint>
+                    <regex>.{1,63}</regex>
+                  </constraint>
+                  <constraintErrorMessage>invalid alias hostname, needs to be between 1 and 63 charactes</constraintErrorMessage>
+                  <multi />
+                </properties>
+              </leafNode>
+              <leafNode name="inet">
+                <properties>
+                  <help>IP Address</help>
+                  <valueHelp>
+                    <format>ipv4</format>
+                    <description>IPv4 address</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6</format>
+                    <description>IPv6 address</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ip-address"/>
+                  </constraint>
+                  <multi/>
+                </properties>
+              </leafNode>
+            </children>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/interface-definitions/system-sysctl.xml.in b/interface-definitions/system_sysctl.xml.in
index bf118c24b..bf118c24b 100644
--- a/interface-definitions/system-sysctl.xml.in
+++ b/interface-definitions/system_sysctl.xml.in
diff --git a/interface-definitions/system-syslog.xml.in b/interface-definitions/system_syslog.xml.in
index cd5c514a8..3343e2c59 100644
--- a/interface-definitions/system-syslog.xml.in
+++ b/interface-definitions/system_syslog.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="syslog" owner="${vyos_conf_scripts_dir}/system-syslog.py">
+      <node name="syslog" owner="${vyos_conf_scripts_dir}/system_syslog.py">
         <properties>
           <help>System logging</help>
           <priority>400</priority>
diff --git a/interface-definitions/cron.xml.in b/interface-definitions/system_task-scheduler.xml.in
index 58dcf64ac..597d58813 100644
--- a/interface-definitions/cron.xml.in
+++ b/interface-definitions/system_task-scheduler.xml.in
@@ -7,7 +7,7 @@
           <help>Task scheduler settings</help>
         </properties>
         <children>
-          <tagNode name="task" owner="${vyos_conf_scripts_dir}/task_scheduler.py">
+          <tagNode name="task" owner="${vyos_conf_scripts_dir}/system_task-scheduler.py">
             <properties>
               <help>Scheduled task</help>
               <valueHelp>
diff --git a/interface-definitions/system-time-zone.xml.in b/interface-definitions/system_time-zone.xml.in
index f6b291984..65cce9e95 100644
--- a/interface-definitions/system-time-zone.xml.in
+++ b/interface-definitions/system_time-zone.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <leafNode name="time-zone" owner="${vyos_conf_scripts_dir}/system-timezone.py">
+      <leafNode name="time-zone" owner="${vyos_conf_scripts_dir}/system_timezone.py">
         <properties>
           <help>Local time zone (default UTC)</help>
           <priority>100</priority>
diff --git a/interface-definitions/system-update-check.xml.in b/interface-definitions/system_update-check.xml.in
index e4d7041ec..14570b039 100644
--- a/interface-definitions/system-update-check.xml.in
+++ b/interface-definitions/system_update-check.xml.in
@@ -2,7 +2,7 @@
 <interfaceDefinition>
   <node name="system">
     <children>
-      <node name="update-check" owner="${vyos_conf_scripts_dir}/system_update_check.py">
+      <node name="update-check" owner="${vyos_conf_scripts_dir}/system_update-check.py">
         <properties>
           <help>Check available update images</help>
           <priority>9999</priority>
@@ -14,7 +14,7 @@
               <valueless/>
             </properties>
           </leafNode>
-          #include <include/url.xml.i>
+          #include <include/url-http-https.xml.i>
         </children>
       </node>
     </children>
diff --git a/interface-definitions/vpn-ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 64cfbda08..1847401b5 100644
--- a/interface-definitions/vpn-ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -772,9 +772,13 @@
                         <properties>
                           <help>Client authentication mode</help>
                           <completionHelp>
-                            <list>eap-tls eap-mschapv2 eap-radius</list>
+                            <list>x509 eap-tls eap-mschapv2 eap-radius</list>
                           </completionHelp>
                           <valueHelp>
+                            <format>x509</format>
+                            <description>Use IPsec x.509 certificate authentication</description>
+                          </valueHelp>
+                          <valueHelp>
                             <format>eap-tls</format>
                             <description>Use EAP-TLS authentication</description>
                           </valueHelp>
@@ -787,7 +791,7 @@
                             <description>Use EAP-RADIUS authentication</description>
                           </valueHelp>
                           <constraint>
-                            <regex>(eap-tls|eap-mschapv2|eap-radius)</regex>
+                            <regex>(x509|eap-tls|eap-mschapv2|eap-radius)</regex>
                           </constraint>
                         </properties>
                         <defaultValue>eap-mschapv2</defaultValue>
diff --git a/interface-definitions/vpn-l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in
index ee0edc3e3..3e2d00e6b 100644
--- a/interface-definitions/vpn-l2tp.xml.in
+++ b/interface-definitions/vpn_l2tp.xml.in
@@ -13,7 +13,11 @@
               <help>Remote access L2TP VPN</help>
             </properties>
             <children>
+              #include <include/accel-ppp/max-concurrent-sessions.xml.i>
               #include <include/accel-ppp/mtu-128-16384.xml.i>
+              <leafNode name="mtu">
+                <defaultValue>1436</defaultValue>
+              </leafNode>
               <leafNode name="outside-address">
                 <properties>
                   <help>External IP address to which VPN clients will connect</help>
@@ -115,128 +119,22 @@
                 </children>
               </node>
               #include <include/accel-ppp/wins-server.xml.i>
-              <node name="client-ip-pool">
-                <properties>
-                  <help>Pool of client IP addresses (must be within a /24)</help>
-                </properties>
-                <children>
-                  #include <include/accel-ppp/client-ip-pool-start-stop.xml.i>
-                  #include <include/accel-ppp/client-ip-pool-subnet.xml.i>
-                </children>
-              </node>
+              #include <include/accel-ppp/client-ip-pool.xml.i>
               #include <include/accel-ppp/client-ipv6-pool.xml.i>
               #include <include/generic-description.xml.i>
               #include <include/dhcp-interface.xml.i>
-              <leafNode name="idle">
-                <properties>
-                  <help>PPP idle timeout</help>
-                  <valueHelp>
-                    <format>u32:30-86400</format>
-                    <description>PPP idle timeout in seconds</description>
-                  </valueHelp>
-                    <constraint>
-                      <validator name="numeric" argument="--range 30-86400"/>
-                    </constraint>
-                </properties>
-              </leafNode>
               <node name="authentication">
                 <properties>
                   <help>Authentication for remote access L2TP VPN</help>
                 </properties>
                 <children>
-                  <leafNode name="require">
-                    <properties>
-                      <help>Authentication protocol for remote access peer L2TP VPN</help>
-                      <valueHelp>
-                        <format>pap</format>
-                        <description>Require the peer to authenticate itself using PAP [Password Authentication Protocol].</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>chap</format>
-                        <description>Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol].</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>mschap</format>
-                        <description>Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol].</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>mschap-v2</format>
-                        <description>Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2].</description>
-                      </valueHelp>
-                      <constraint>
-                        <regex>(pap|chap|mschap|mschap-v2)</regex>
-                      </constraint>
-                      <completionHelp>
-                        <list>pap chap mschap mschap-v2</list>
-                      </completionHelp>
-                      <multi />
-                    </properties>
-                  </leafNode>
-                  #include <include/accel-ppp/ppp-mppe.xml.i>
+                  #include <include/accel-ppp/auth-protocols.xml.i>
                   #include <include/accel-ppp/auth-mode.xml.i>
                   #include <include/accel-ppp/auth-local-users.xml.i>
                   #include <include/radius-auth-server-ipv4.xml.i>
+                  #include <include/accel-ppp/radius-additions.xml.i>
                   <node name="radius">
                     <children>
-                      #include <include/accel-ppp/radius-accounting-interim-interval.xml.i>
-                      <tagNode name="server">
-                        <children>
-                          #include <include/accel-ppp/radius-additions-disable-accounting.xml.i>
-                          <leafNode name="fail-time">
-                            <properties>
-                              <help>Mark server unavailable for N seconds on failure</help>
-                              <valueHelp>
-                                <format>u32:0-600</format>
-                                <description>Fail time penalty</description>
-                              </valueHelp>
-                              <constraint>
-                                <validator name="numeric" argument="--range 0-600"/>
-                              </constraint>
-                              <constraintErrorMessage>Fail time must be between 0 and 600 seconds</constraintErrorMessage>
-                            </properties>
-                          </leafNode>
-                        </children>
-                      </tagNode>
-                      <leafNode name="timeout">
-                        <properties>
-                          <help>Timeout to wait response from server (seconds)</help>
-                        </properties>
-                      </leafNode>
-                      <leafNode name="acct-timeout">
-                        <properties>
-                          <help>Timeout to wait reply for Interim-Update packets</help>
-                        </properties>
-                      </leafNode>
-                      <leafNode name="max-try">
-                        <properties>
-                          <help>Maximum number of tries to send Access-Request/Accounting-Request queries</help>
-                        </properties>
-                      </leafNode>
-                      #include <include/radius-nas-identifier.xml.i>
-                      #include <include/radius-nas-ip-address.xml.i>
-                      <node name="dae-server">
-                        <properties>
-                          <help>IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA)</help>
-                        </properties>
-                        <children>
-                          <leafNode name="ip-address">
-                            <properties>
-                              <help>IP address for Dynamic Authorization Extension server (DM/CoA)</help>
-                            </properties>
-                          </leafNode>
-                          <leafNode name="port">
-                            <properties>
-                              <help>Port for Dynamic Authorization Extension server (DM/CoA)</help>
-                            </properties>
-                            <defaultValue>1700</defaultValue>
-                          </leafNode>
-                          <leafNode name="secret">
-                            <properties>
-                              <help>Secret for Dynamic Authorization Extension server (DM/CoA)</help>
-                            </properties>
-                          </leafNode>
-                        </children>
-                      </node>
                       #include <include/accel-ppp/radius-additions-rate-limit.xml.i>
                     </children>
                   </node>
@@ -247,11 +145,15 @@
                   <help>Advanced protocol options</help>
                 </properties>
                 <children>
-                  #include <include/accel-ppp/lcp-echo-interval-failure.xml.i>
+                  #include <include/accel-ppp/ppp-mppe.xml.i>
+                  #include <include/accel-ppp/ppp-options-ipv4.xml.i>
                   #include <include/accel-ppp/ppp-options-ipv6.xml.i>
                   #include <include/accel-ppp/ppp-options-ipv6-interface-id.xml.i>
+                  #include <include/accel-ppp/lcp-echo-interval-failure.xml.i>
+                  #include <include/accel-ppp/lcp-echo-timeout.xml.i>
                 </children>
               </node>
+              #include <include/accel-ppp/default-pool.xml.i>
             </children>
           </node>
         </children>
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index 75c64a99a..736084f8b 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -260,6 +260,12 @@
               </leafNode>
             </children>
           </node>
+          <leafNode name="http-security-headers">
+            <properties>
+              <help>Enable HTTP security headers</help>
+              <valueless/>
+            </properties>
+          </leafNode>
           <node name="ssl">
             <properties>
               <help>SSL Certificate, SSL Key and CA</help>
diff --git a/interface-definitions/vpn-pptp.xml.in b/interface-definitions/vpn_pptp.xml.in
index 5a8b4a78a..7bb8db798 100644
--- a/interface-definitions/vpn-pptp.xml.in
+++ b/interface-definitions/vpn_pptp.xml.in
@@ -13,7 +13,11 @@
               <help>Remote access PPTP VPN</help>
             </properties>
             <children>
+              #include <include/accel-ppp/max-concurrent-sessions.xml.i>
               #include <include/accel-ppp/mtu-128-16384.xml.i>
+              <leafNode name="mtu">
+                <defaultValue>1436</defaultValue>
+              </leafNode>
               <leafNode name="outside-address">
                 <properties>
                   <help>External IP address to which VPN clients will connect</help>
@@ -22,17 +26,10 @@
                   </constraint>
                 </properties>
               </leafNode>
+              #include <include/accel-ppp/gateway-address.xml.i>
               #include <include/name-server-ipv4.xml.i>
               #include <include/accel-ppp/wins-server.xml.i>
-              <node name="client-ip-pool">
-                <properties>
-                  <help>Pool of client IP addresses (must be within a /24)</help>
-                </properties>
-                <children>
-                  #include <include/accel-ppp/client-ip-pool-start-stop.xml.i>
-                </children>
-              </node>
-              #include <include/accel-ppp/gateway-address.xml.i>
+              #include <include/accel-ppp/client-ip-pool.xml.i>
               <node name="authentication">
                 <properties>
                   <help>Authentication for remote access PPTP VPN</help>
@@ -41,6 +38,9 @@
                   <leafNode name="require">
                     <properties>
                       <help>Authentication protocol for remote access peer PPTP VPN</help>
+                      <completionHelp>
+                        <list>pap chap mschap mschap-v2</list>
+                      </completionHelp>
                       <valueHelp>
                         <format>pap</format>
                         <description>Require the peer to authenticate itself using PAP [Password Authentication Protocol].</description>
@@ -57,7 +57,11 @@
                         <format>mschap-v2</format>
                         <description>Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2].</description>
                       </valueHelp>
+                      <constraint>
+                        <regex>(pap|chap|mschap|mschap-v2)</regex>
+                      </constraint>
                     </properties>
+                    <defaultValue>mschap-v2</defaultValue>
                   </leafNode>
                   <leafNode name="mppe">
                     <properties>
@@ -81,6 +85,7 @@
                         <list>deny prefer require</list>
                       </completionHelp>
                     </properties>
+                    <defaultValue>prefer</defaultValue>
                   </leafNode>
                   #include <include/accel-ppp/auth-mode.xml.i>
                   <node name="local-users">
@@ -103,6 +108,7 @@
                             <properties>
                               <help>Static client IP address</help>
                             </properties>
+                            <defaultValue>*</defaultValue>
                           </leafNode>
                         </children>
                       </tagNode>
@@ -115,8 +121,19 @@
                   </node>
                   #include <include/radius-auth-server-ipv4.xml.i>
                   #include <include/accel-ppp/radius-additions.xml.i>
+                  <node name="radius">
+                    <children>
+                      <leafNode name="timeout">
+                        <defaultValue>30</defaultValue>
+                      </leafNode>
+                      <leafNode name="acct-timeout">
+                        <defaultValue>30</defaultValue>
+                      </leafNode>
+                    </children>
+                  </node>
                 </children>
               </node>
+              #include <include/accel-ppp/default-pool.xml.i>
             </children>
           </node>
         </children>
diff --git a/interface-definitions/vpn-sstp.xml.in b/interface-definitions/vpn_sstp.xml.in
index 9e912063f..a1b69f990 100644
--- a/interface-definitions/vpn-sstp.xml.in
+++ b/interface-definitions/vpn_sstp.xml.in
@@ -25,22 +25,17 @@
               </node>
             </children>
           </node>
+          #include <include/accel-ppp/max-concurrent-sessions.xml.i>
           #include <include/interface/mtu-68-1500.xml.i>
           #include <include/accel-ppp/gateway-address.xml.i>
           #include <include/name-server-ipv4-ipv6.xml.i>
-          <node name="client-ip-pool">
-            <properties>
-              <help>Client IP pools and gateway setting</help>
-            </properties>
-            <children>
-              #include <include/accel-ppp/client-ip-pool-subnet.xml.i>
-            </children>
-          </node>
+          #include <include/accel-ppp/client-ip-pool.xml.i>
           #include <include/accel-ppp/client-ipv6-pool.xml.i>
           #include <include/port-number.xml.i>
           <leafNode name="port">
             <defaultValue>443</defaultValue>
           </leafNode>
+          #include <include/accel-ppp/default-pool.xml.i>
           <node name="ppp-options">
             <properties>
               <help>PPP (Point-to-Point Protocol) settings</help>
diff --git a/interface-definitions/vpp.xml.in b/interface-definitions/vpp.xml.in
deleted file mode 100644
index 3f0758c0a..000000000
--- a/interface-definitions/vpp.xml.in
+++ /dev/null
@@ -1,342 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
-  <node name="vpp" owner="${vyos_conf_scripts_dir}/vpp.py">
-    <properties>
-      <help>Accelerated data-plane</help>
-      <priority>295</priority>
-    </properties>
-    <children>
-      <node name="cpu">
-        <properties>
-          <help>CPU settings</help>
-        </properties>
-        <children>
-          <leafNode name="corelist-workers">
-            <properties>
-              <help>List of cores worker threads</help>
-              <valueHelp>
-                <format>&lt;id&gt;</format>
-                <description>CPU core id</description>
-              </valueHelp>
-              <valueHelp>
-                <format>&lt;idN&gt;-&lt;idM&gt;</format>
-                <description>CPU core id range (use '-' as delimiter)</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--allow-range --range 0-512"/>
-              </constraint>
-              <constraintErrorMessage>not a valid CPU core value or range</constraintErrorMessage>
-              <multi/>
-            </properties>
-          </leafNode>
-          <leafNode name="main-core">
-            <properties>
-              <help>Main core</help>
-              <valueHelp>
-                <format>u32:0-512</format>
-                <description>Assign main thread to specific core</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 0-512"/>
-              </constraint>
-            </properties>
-          </leafNode>
-          <leafNode name="skip-cores">
-            <properties>
-              <help>Skip cores</help>
-              <valueHelp>
-                <format>u32:0-512</format>
-                <description>Skip cores</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 0-512"/>
-              </constraint>
-            </properties>
-          </leafNode>
-          <leafNode name="workers">
-            <properties>
-              <help>Create worker threads</help>
-              <valueHelp>
-                <format>u32:0-4294967295</format>
-                <description>Worker threads</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 0-512"/>
-              </constraint>
-            </properties>
-          </leafNode>
-        </children>
-      </node>
-      <tagNode name="interface">
-        <properties>
-          <help>Interface</help>
-          <valueHelp>
-            <format>ethN</format>
-            <description>Interface name</description>
-          </valueHelp>
-          <constraint>
-            <regex>((eth|lan)[0-9]+|(eno|ens|enp|enx).+)</regex>
-          </constraint>
-          <constraintErrorMessage>Invalid interface name</constraintErrorMessage>
-        </properties>
-        <children>
-          <leafNode name="num-rx-desc">
-            <properties>
-              <help>Number of receive ring descriptors</help>
-              <valueHelp>
-                <format>u32:256-8192</format>
-                <description>Number of receive ring descriptors</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 256-8192"/>
-              </constraint>
-            </properties>
-          </leafNode>
-          <leafNode name="num-tx-desc">
-            <properties>
-              <help>Number of tranceive ring descriptors</help>
-              <valueHelp>
-                <format>u32:256-8192</format>
-                <description>Number of tranceive ring descriptors</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 256-8192"/>
-              </constraint>
-            </properties>
-          </leafNode>
-          <leafNode name="num-rx-queues">
-            <properties>
-              <help>Number of receive ring descriptors</help>
-              <valueHelp>
-                <format>u32:256-8192</format>
-                <description>Number of receive queues</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 256-8192"/>
-              </constraint>
-            </properties>
-          </leafNode>
-          <leafNode name="num-tx-queues">
-            <properties>
-              <help>Number of tranceive ring descriptors</help>
-              <valueHelp>
-                <format>u32:256-8192</format>
-                <description>Number of tranceive queues</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 256-8192"/>
-              </constraint>
-            </properties>
-          </leafNode>
-          <leafNode name='pci'>
-            <properties>
-              <help>PCI address allocation</help>
-              <valueHelp>
-                <format>auto</format>
-                <description>Auto detect PCI address</description>
-              </valueHelp>
-              <valueHelp>
-                <format>&lt;xxxx:xx:xx.x&gt;</format>
-                <description>Set Peripheral Component Interconnect (PCI) address</description>
-              </valueHelp>
-              <constraint>
-                <regex>(auto|[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-9a-fA-F])</regex>
-              </constraint>
-            </properties>
-            <defaultValue>auto</defaultValue>
-          </leafNode>
-          <leafNode name="rx-mode">
-            <properties>
-              <help>Receive packet processing mode</help>
-              <completionHelp>
-                <list>polling interrupt adaptive</list>
-              </completionHelp>
-              <valueHelp>
-                <format>polling</format>
-                <description>Constantly check for new data</description>
-              </valueHelp>
-              <valueHelp>
-                <format>interrupt</format>
-                <description>Interrupt mode</description>
-              </valueHelp>
-              <valueHelp>
-                <format>adaptive</format>
-                <description>Adaptive mode</description>
-              </valueHelp>
-              <constraint>
-                <regex>(polling|interrupt|adaptive)</regex>
-              </constraint>
-            </properties>
-          </leafNode>
-        </children>
-      </tagNode>
-      <node name="ip">
-        <properties>
-          <help>IP settings</help>
-        </properties>
-        <children>
-          <leafNode name="heap-size">
-            <properties>
-              <help>IPv4 heap size</help>
-              <valueHelp>
-                <format>u32:0-4294967295</format>
-                <description>Amount of memory (in Mbytes) dedicated to the destination IP lookup table</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 1-4294967295"/>
-              </constraint>
-            </properties>
-            <defaultValue>32</defaultValue>
-          </leafNode>
-        </children>
-      </node>
-      <node name="ip6">
-        <properties>
-          <help>IPv6 settings</help>
-        </properties>
-        <children>
-          <leafNode name="heap-size">
-            <properties>
-              <help>IPv6 heap size</help>
-              <valueHelp>
-                <format>u32:0-4294967295</format>
-                <description>Amount of memory (in Mbytes) dedicated to the destination IP lookup table</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 1-4294967295"/>
-              </constraint>
-            </properties>
-            <defaultValue>32</defaultValue>
-          </leafNode>
-          <leafNode name="hash-buckets">
-            <properties>
-              <help>IPv6 forwarding table hash buckets</help>
-              <valueHelp>
-                <format>u32:1-4294967295</format>
-                <description>IPv6 forwarding table hash buckets</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 1-4294967295"/>
-              </constraint>
-            </properties>
-            <defaultValue>65536</defaultValue>
-          </leafNode>
-        </children>
-      </node>
-      <node name="l2learn">
-        <properties>
-          <help>Level 2 MAC address learning settings</help>
-        </properties>
-        <children>
-          <leafNode name="limit">
-            <properties>
-              <help>Number of MAC addresses in the L2 FIB</help>
-              <valueHelp>
-                <format>u32:1-4294967295</format>
-                <description>Number of concurent entries</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 1-4294967295"/>
-              </constraint>
-            </properties>
-            <defaultValue>4194304</defaultValue>
-          </leafNode>
-        </children>
-      </node>
-      <node name="logging">
-        <properties>
-          <help>Loggint settings</help>
-        </properties>
-        <children>
-          <leafNode name="default-log-level">
-            <properties>
-              <help>default-log-level</help>
-              <completionHelp>
-                <list>alert crit debug disabled emerg err info notice warn</list>
-              </completionHelp>
-              <valueHelp>
-                <format>alert</format>
-                <description>Alert</description>
-              </valueHelp>
-              <valueHelp>
-                <format>crit</format>
-                <description>Critical</description>
-              </valueHelp>
-              <valueHelp>
-                <format>debug</format>
-                <description>Debug</description>
-              </valueHelp>
-              <valueHelp>
-                <format>disabled</format>
-                <description>Disabled</description>
-              </valueHelp>
-              <valueHelp>
-                <format>emerg</format>
-                <description>Emergency</description>
-              </valueHelp>
-              <valueHelp>
-                <format>err</format>
-                <description>Error</description>
-              </valueHelp>
-              <valueHelp>
-                <format>info</format>
-                <description>Informational</description>
-              </valueHelp>
-              <valueHelp>
-                <format>notice</format>
-                <description>Notice</description>
-              </valueHelp>
-              <valueHelp>
-                <format>warn</format>
-                <description>Warning</description>
-              </valueHelp>
-              <constraint>
-                <regex>(alert|crit|debug|disabled|emerg|err|info|notice|warn)</regex>
-              </constraint>
-            </properties>
-          </leafNode>
-        </children>
-      </node>
-      <node name="physmem">
-        <properties>
-          <help>Memory settings</help>
-        </properties>
-        <children>
-          <leafNode name="max-size">
-            <properties>
-              <help>Set memory size for protectable memory allocator (pmalloc) memory space</help>
-              <valueHelp>
-                <format>&lt;number&gt;m</format>
-                <description>Megabyte</description>
-              </valueHelp>
-              <valueHelp>
-                <format>&lt;number&gt;g</format>
-                <description>Gigabyte</description>
-              </valueHelp>
-            </properties>
-          </leafNode>
-        </children>
-      </node>
-      <node name="unix">
-        <properties>
-          <help>Unix settings</help>
-        </properties>
-        <children>
-          <leafNode name="poll-sleep-usec">
-            <properties>
-              <help>Add a fixed-sleep between main loop poll</help>
-              <valueHelp>
-                <format>u32:0-4294967295</format>
-                <description>Number of receive queues</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 0-4294967295"/>
-              </constraint>
-            </properties>
-            <defaultValue>0</defaultValue>
-          </leafNode>
-        </children>
-      </node>
-    </children>
-  </node>
-</interfaceDefinition>
diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in
index 3783785ce..e5ec539d3 100644
--- a/interface-definitions/vrf.xml.in
+++ b/interface-definitions/vrf.xml.in
@@ -4,7 +4,7 @@
     <properties>
       <help>Virtual Routing and Forwarding</help>
       <!-- must be before any interface, check /opt/vyatta/sbin/priority.pl -->
-      <priority>299</priority>
+      <priority>11</priority>
     </properties>
     <children>
       <leafNode name="bind-to-all">
diff --git a/interface-definitions/xml-component-version.xml.in b/interface-definitions/xml-component-version.xml.in
index 8c9e816d1..51a28ef57 100644
--- a/interface-definitions/xml-component-version.xml.in
+++ b/interface-definitions/xml-component-version.xml.in
@@ -29,6 +29,7 @@
   #include <include/version/ntp-version.xml.i>
   #include <include/version/openconnect-version.xml.i>
   #include <include/version/ospf-version.xml.i>
+  #include <include/version/pim-version.xml.i>
   #include <include/version/policy-version.xml.i>
   #include <include/version/pppoe-server-version.xml.i>
   #include <include/version/pptp-version.xml.i>
diff --git a/op-mode-definitions/add-system-image.xml.in b/op-mode-definitions/add-system-image.xml.in
deleted file mode 100644
index 67d8aa3b4..000000000
--- a/op-mode-definitions/add-system-image.xml.in
+++ /dev/null
@@ -1,62 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
-  <node name="add">
-    <children>
-      <node name="system">
-        <properties>
-          <help>Add item to a system facility</help>
-        </properties>
-        <children>
-          <tagNode name="image">
-            <properties>
-              <help>Add a new image to the system</help>
-              <completionHelp>
-                <list>/path/to/vyos-image.iso "http://example.com/vyos-image.iso"</list>
-              </completionHelp>
-            </properties>
-            <command>sudo ${vyatta_sbindir}/install-image --url "${4}"</command>
-            <children>
-              <tagNode name="vrf">
-                <properties>
-                  <help>Download image via specified VRF</help>
-                  <completionHelp>
-                    <path>vrf name</path>
-                  </completionHelp>
-                </properties>
-                <command>sudo ${vyatta_sbindir}/install-image --url "${4}" --vrf "${6}"</command>
-                <children>
-                  <tagNode name="username">
-                    <properties>
-                      <help>Username for authentication</help>
-                    </properties>
-                    <children>
-                      <tagNode name="password">
-                        <properties>
-                          <help>Password to use with authentication</help>
-                        </properties>
-                        <command>sudo ${vyatta_sbindir}/install-image --url "${4}" --vrf "${6}" --username "${8}" --password "${10}"</command>
-                      </tagNode>
-                    </children>
-                  </tagNode>
-                </children>
-              </tagNode>
-              <tagNode name="username">
-                <properties>
-                  <help>Username for authentication</help>
-                </properties>
-                <children>
-                  <tagNode name="password">
-                    <properties>
-                      <help>Password to use with authentication</help>
-                    </properties>
-                    <command>sudo ${vyatta_sbindir}/install-image --url "${4}" --username "${6}" --password "${8}"</command>
-                  </tagNode>
-                </children>
-              </tagNode>
-            </children>
-          </tagNode>
-        </children>
-      </node>
-    </children>
-  </node>
-</interfaceDefinition>
diff --git a/op-mode-definitions/dhcp.xml.in b/op-mode-definitions/dhcp.xml.in
index 6855fe447..9c2e2be76 100644
--- a/op-mode-definitions/dhcp.xml.in
+++ b/op-mode-definitions/dhcp.xml.in
@@ -42,6 +42,15 @@
                 </properties>
                 <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet</command>
                 <children>
+                  <tagNode name="origin">
+                    <properties>
+                      <help>Show DHCP server leases granted by local or remote DHCP server</help>
+                      <completionHelp>
+                        <list>local remote</list>
+                      </completionHelp>
+                    </properties>
+                    <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet --origin $6</command>
+                  </tagNode>
                   <tagNode name="pool">
                     <properties>
                       <help>Show DHCP server leases for a specific pool</help>
diff --git a/op-mode-definitions/disks.xml.in b/op-mode-definitions/disks.xml.in
index 117ac5065..8a1e2c86f 100644
--- a/op-mode-definitions/disks.xml.in
+++ b/op-mode-definitions/disks.xml.in
@@ -5,6 +5,26 @@
       <help>Format a device</help>
     </properties>
     <children>
+      <node name="by-id">
+        <properties>
+          <help>Find disk by ending of id string</help>
+        </properties>
+        <children>
+          <tagNode name="disk">
+            <properties>
+              <help>Format a disk drive</help>
+            </properties>
+            <children>
+              <tagNode name="like">
+                <properties>
+                  <help>Format this disk the same as another disk</help>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/format_disk.py --by-id --target $4 --proto $6</command>
+              </tagNode>
+            </children>
+          </tagNode>
+        </children>
+      </node>
       <tagNode name="disk">
         <properties>
           <help>Format a disk drive</help>
diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in
index 0f296c272..4a7ffbb66 100644
--- a/op-mode-definitions/firewall.xml.in
+++ b/op-mode-definitions/firewall.xml.in
@@ -132,6 +132,58 @@
             </properties>
             <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group</command>
           </leafNode>
+          <node name="bridge">
+            <properties>
+              <help>Show bridge firewall</help>
+            </properties>
+            <children>
+              <node name="forward">
+                <properties>
+                  <help>Show bridge forward firewall ruleset</help>
+                </properties>
+                <children>
+                  <node name="filter">
+                    <properties>
+                      <help>Show bridge forward filter firewall ruleset</help>
+                    </properties>
+                    <children>
+                      <tagNode name="rule">
+                        <properties>
+                          <help>Show summary of bridge forward filter firewall rules</help>
+                          <completionHelp>
+                            <path>firewall bridge forward filter rule</path>
+                          </completionHelp>
+                        </properties>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+                      </tagNode>
+                    </children>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+                  </node>
+                </children>
+              </node>
+              <tagNode name="name">
+                <properties>
+                  <help>Show bridge custom firewall chains</help>
+                  <completionHelp>
+                    <path>firewall bridge name</path>
+                  </completionHelp>
+                </properties>
+                <children>
+                  <tagNode name="rule">
+                    <properties>
+                      <help>Show summary of bridge custom firewall ruleset</help>
+                      <completionHelp>
+                        <path>firewall bridge name ${COMP_WORDS[6]} rule</path>
+                      </completionHelp>
+                    </properties>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+                  </tagNode>
+                </children>
+                <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+              </tagNode>
+            </children>
+            <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
+          </node>
           <node name="ipv6">
             <properties>
               <help>Show IPv6 firewall</help>
@@ -154,10 +206,10 @@
                             <path>firewall ipv6 forward filter rule</path>
                           </completionHelp>
                         </properties>
-                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
                       </tagNode>
                     </children>
-                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
                   </node>
                 </children>
               </node>
@@ -178,10 +230,10 @@
                             <path>firewall ipv6 input filter rule</path>
                           </completionHelp>
                         </properties>
-                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
                       </tagNode>
                     </children>
-                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
                   </node>
                 </children>
               </node>
@@ -202,10 +254,10 @@
                             <path>firewall ipv6 output filter rule</path>
                           </completionHelp>
                         </properties>
-                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
                       </tagNode>
                     </children>
-                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
                   </node>
                 </children>
               </node>
@@ -224,10 +276,10 @@
                         <path>firewall ipv6 ipv6-name ${COMP_WORDS[6]} rule</path>
                       </completionHelp>
                     </properties>
-                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
                   </tagNode>
                 </children>
-                <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command>
+                <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
               </tagNode>
             </children>
             <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
@@ -254,10 +306,10 @@
                             <path>firewall ipv4 forward filter rule</path>
                           </completionHelp>
                         </properties>
-                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
                       </tagNode>
                     </children>
-                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
                   </node>
                 </children>
               </node>
@@ -278,10 +330,10 @@
                             <path>firewall ipv4 input filter rule</path>
                           </completionHelp>
                         </properties>
-                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
                       </tagNode>
                     </children>
-                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
                   </node>
                 </children>
               </node>
@@ -302,10 +354,10 @@
                             <path>firewall ipv4 output filter rule</path>
                           </completionHelp>
                         </properties>
-                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
                       </tagNode>
                     </children>
-                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
                   </node>
                 </children>
               </node>
@@ -324,10 +376,10 @@
                         <path>firewall ipv4 name ${COMP_WORDS[6]} rule</path>
                       </completionHelp>
                     </properties>
-                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
                   </tagNode>
                 </children>
-                <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command>
+                <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
               </tagNode>
             </children>
           <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command>
diff --git a/op-mode-definitions/generate-system-login-user.xml.in b/op-mode-definitions/generate-system-login-user.xml.in
index 237a13610..6f65c12b3 100755
--- a/op-mode-definitions/generate-system-login-user.xml.in
+++ b/op-mode-definitions/generate-system-login-user.xml.in
@@ -1,90 +1,90 @@
-<?xml version="1.0"?>

-<interfaceDefinition>

-  <node name="generate">

-    <children>

-      <node name="system">

-        <properties>

-          <help>Generate system related parameters</help>

-        </properties>

-        <children>

-          <node name="login">

-            <properties>

-              <help>Generate system login related parameters</help>

-            </properties>

-            <children>

-              <tagNode name="username">

-                <properties>

-                  <help>Username used for authentication</help>

-                  <completionHelp>

-                    <list>&lt;username&gt;</list>

-                  </completionHelp>

-                </properties>

-                <children>

-                  <node name="otp-key">

-                    <properties>

-                      <help>Generate OpenConnect OTP token</help>

-                    </properties>

-                    <children>

-                      <node name="hotp-time">

-                        <properties>

-                          <help>HOTP time-based token</help>

-                        </properties>

-                        <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5"</command>

-                        <children>

-                          <tagNode name="rate-limit">

-                            <properties>

-                              <help>Duration of single time interval</help>

-                            </properties>

-                            <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9"</command>

-                            <children>

-                              <tagNode name="rate-time">

-                                <properties>

-                                  <help>The number of digits in the one-time password</help>

-                                </properties>

-                                <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9" --rate-time "${11}" </command>

-                                <children>

-                                  <tagNode name="window-size">

-                                    <properties>

-                                      <help>The number of digits in the one-time password</help>

-                                    </properties>

-                                    <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9" --rate-time "${11}" --window-size "${13}"</command>

-                                  </tagNode>

-                                </children>

-                              </tagNode>

-                            </children>

-                          </tagNode>

-                          <tagNode name="window-size">

-                            <properties>

-                              <help>The number of digits in the one-time password</help>

-                            </properties>

-                            <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window-size "${9}"</command>

-                            <children>

-                              <tagNode name="rate-limit">

-                                <properties>

-                                  <help>Duration of single time interval</help>

-                                </properties>

-                                <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "${11}" --window-size "${9}"</command>

-                                <children>

-                                  <tagNode name="rate-time">

-                                    <properties>

-                                      <help>Duration of single time interval</help>

-                                    </properties>

-                                    <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "${11}" --rate-time "${13}" --window-size "${9}"</command>

-                                  </tagNode>

-                                </children>

-                              </tagNode>

-                            </children>

-                          </tagNode>

-                        </children>

-                      </node>

-                    </children>

-                  </node>

-                </children>

-              </tagNode>

-            </children>

-          </node>

-        </children>

-      </node>

-    </children>

-  </node>

-</interfaceDefinition>

+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="generate">
+    <children>
+      <node name="system">
+        <properties>
+          <help>Generate system related parameters</help>
+        </properties>
+        <children>
+          <node name="login">
+            <properties>
+              <help>Generate system login related parameters</help>
+            </properties>
+            <children>
+              <tagNode name="username">
+                <properties>
+                  <help>Username used for authentication</help>
+                  <completionHelp>
+                    <path>system login user</path>
+                  </completionHelp>
+                </properties>
+                <children>
+                  <node name="otp-key">
+                    <properties>
+                      <help>Generate OpenConnect OTP token</help>
+                    </properties>
+                    <children>
+                      <node name="hotp-time">
+                        <properties>
+                          <help>HOTP time-based token</help>
+                        </properties>
+                        <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5"</command>
+                        <children>
+                          <tagNode name="rate-limit">
+                            <properties>
+                              <help>Duration of single time interval</help>
+                            </properties>
+                            <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9"</command>
+                            <children>
+                              <tagNode name="rate-time">
+                                <properties>
+                                  <help>The number of digits in the one-time password</help>
+                                </properties>
+                                <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" </command>
+                                <children>
+                                  <tagNode name="window-size">
+                                    <properties>
+                                      <help>The number of digits in the one-time password</help>
+                                    </properties>
+                                    <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" --window_size "${13}"</command>
+                                  </tagNode>
+                                </children>
+                              </tagNode>
+                            </children>
+                          </tagNode>
+                          <tagNode name="window-size">
+                            <properties>
+                              <help>The number of digits in the one-time password</help>
+                            </properties>
+                            <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window_size "${9}"</command>
+                            <children>
+                              <tagNode name="rate-limit">
+                                <properties>
+                                  <help>Duration of single time interval</help>
+                                </properties>
+                                <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --window_size "${9}"</command>
+                                <children>
+                                  <tagNode name="rate-time">
+                                    <properties>
+                                      <help>Duration of single time interval</help>
+                                    </properties>
+                                    <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --rate_time "${13}" --window_size "${9}"</command>
+                                  </tagNode>
+                                </children>
+                              </tagNode>
+                            </children>
+                          </tagNode>
+                        </children>
+                      </node>
+                    </children>
+                  </node>
+                </children>
+              </tagNode>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/generate-wireguard.xml.in b/op-mode-definitions/generate-wireguard.xml.in
index 1dcafcd8b..5f2463d1a 100644
--- a/op-mode-definitions/generate-wireguard.xml.in
+++ b/op-mode-definitions/generate-wireguard.xml.in
@@ -4,7 +4,7 @@
     <children>
       <node name="wireguard">
         <properties>
-          <help>Generate WireGuard keys</help>
+          <help>Generate WireGuard client config QR code</help>
         </properties>
         <children>
           <tagNode name="client-config">
diff --git a/op-mode-definitions/generate_firewall_rule-resequence.xml.in b/op-mode-definitions/generate_firewall_rule-resequence.xml.in
new file mode 100644
index 000000000..66078deb9
--- /dev/null
+++ b/op-mode-definitions/generate_firewall_rule-resequence.xml.in
@@ -0,0 +1,42 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="generate">
+    <children>
+      <node name="firewall">
+        <properties>
+          <help>Firewall</help>
+        </properties>
+        <children>
+          <node name="rule-resequence">
+            <properties>
+              <help>Resequence the firewall rules</help>
+            </properties>
+            <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py</command>
+            <children>
+              <tagNode name="start">
+                <properties>
+                  <help>Set the first sequence number</help>
+                  <completionHelp>
+                    <list>1-1000</list>
+                  </completionHelp>
+                </properties>
+                <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py --start $5</command>
+                <children>
+                  <tagNode name="step">
+                    <properties>
+                      <help>Step between rules</help>
+                      <completionHelp>
+                        <list>1-1000</list>
+                      </completionHelp>
+                    </properties>
+                    <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py --start $5 --step $7</command>
+                  </tagNode>
+                </children>
+              </tagNode>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/generate_tech-support_archive.xml.in b/op-mode-definitions/generate_tech-support_archive.xml.in
new file mode 100644
index 000000000..e95be3e28
--- /dev/null
+++ b/op-mode-definitions/generate_tech-support_archive.xml.in
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="generate">
+    <children>
+      <node name="tech-support">
+        <properties>
+          <help>Generate tech support info</help>
+        </properties>
+        <children>
+          <node name="archive">
+            <properties>
+              <help>Generate tech support archive</help>
+            </properties>
+            <command>sudo ${vyos_op_scripts_dir}/generate_tech-support_archive.py</command>
+          </node>
+          <tagNode name="archive">
+            <properties>
+              <help>Generate tech support archive to defined location</help>
+              <completionHelp>
+                <list> &lt;file&gt; &lt;scp://user:passwd@host&gt; &lt;ftp://user:passwd@host&gt;</list>
+              </completionHelp>
+            </properties>
+            <command>sudo ${vyos_op_scripts_dir}/generate_tech-support_archive.py $4</command>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/include/bgp/show-bgp-common.xml.i b/op-mode-definitions/include/bgp/show-bgp-common.xml.i
index de794a879..d888bc3b0 100644
--- a/op-mode-definitions/include/bgp/show-bgp-common.xml.i
+++ b/op-mode-definitions/include/bgp/show-bgp-common.xml.i
@@ -107,6 +107,12 @@
             #include <include/vni-tagnode.xml.i>
           </children>
         </node>
+        <leafNode name="es-vrf">
+          <properties>
+            <help>Ethernet Segment per VRF</help>
+          </properties>
+          <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+        </leafNode>
         <leafNode name="import-rt">
           <properties>
             <help>Show import route target</help>
@@ -136,11 +142,17 @@
             </leafNode>
           </children>
         </tagNode>
+        <leafNode name="next-hops">
+          <properties>
+            <help>EVPN Nexthops</help>
+          </properties>
+          <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+        </leafNode>
         <tagNode name="rd">
           <properties>
-            <help>Show detailed BGP neighbor information</help>
+            <help>Display information for a route distinguisher</help>
             <completionHelp>
-              <list>ASN:NN IPADDRESS:NN</list>
+              <list>ASN:NN IPADDRESS:NN all</list>
             </completionHelp>
           </properties>
           <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
diff --git a/op-mode-definitions/include/isis-common.xml.i b/op-mode-definitions/include/isis-common.xml.i
index e94d868e8..493a56633 100644
--- a/op-mode-definitions/include/isis-common.xml.i
+++ b/op-mode-definitions/include/isis-common.xml.i
@@ -17,6 +17,33 @@
   </properties>
   <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
 </tagNode>
+<node name="fast-reroute">
+  <properties>
+    <help>Show IS-IS fast reroute/loop free alternate (lfa) information</help>
+  </properties>
+  <children>
+    <node name="summary">
+      <properties>
+        <help>Show summary of fast reroute/loop free alternate (lfa) information</help>
+      </properties>
+      <children>
+        <leafNode name="level-1">
+          <properties>
+            <help>Show level-1 specific fast reroute/loop free alternate (lfa) information</help>
+          </properties>
+          <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+        </leafNode>
+        <leafNode name="level-2">
+          <properties>
+            <help>Show level-2 specific fast reroute/loop free alternate (lfa) information</help>
+          </properties>
+          <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+        </leafNode>
+      </children>
+      <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+    </node>
+  </children>
+</node>
 <leafNode name="hostname">
   <properties>
     <help>Show IS-IS dynamic hostname mapping</help>
diff --git a/op-mode-definitions/include/ospf/graceful-restart.xml.i b/op-mode-definitions/include/ospf/graceful-restart.xml.i
index 736d8f951..848b19828 100644
--- a/op-mode-definitions/include/ospf/graceful-restart.xml.i
+++ b/op-mode-definitions/include/ospf/graceful-restart.xml.i
@@ -1,6 +1,6 @@
 <node name="graceful-restart">
     <properties>
-      <help>Show IPv4 OSPF Graceful Restart</help>
+      <help>Show OSPF Graceful Restart</help>
     </properties>
     <children>
       <leafNode name="helper">
diff --git a/op-mode-definitions/mdns-reflector.xml.in b/op-mode-definitions/mdns-reflector.xml.in
new file mode 100644
index 000000000..a90d4d385
--- /dev/null
+++ b/op-mode-definitions/mdns-reflector.xml.in
@@ -0,0 +1,62 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="monitor">
+    <children>
+      <node name="log">
+        <children>
+          <node name="mdns">
+            <properties>
+              <help>Monitor last lines of multicast Domain Name System related services</help>
+            </properties>
+            <children>
+              <node name="repeater">
+                <properties>
+                  <help>Monitor last lines of mDNS repeater service</help>
+                </properties>
+                <command>journalctl --no-hostname --follow --boot --unit avahi-daemon.service</command>
+              </node>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+  <node name="show">
+    <children>
+      <node name="log">
+        <children>
+          <node name="mdns">
+            <properties>
+              <help>Show log for multicast Domain Name System related services</help>
+            </properties>
+            <children>
+              <node name="repeater">
+                <properties>
+                  <help>Show log for mDNS repeater service</help>
+                </properties>
+                <command>journalctl --no-hostname --boot --unit avahi-daemon.service</command>
+              </node>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+  <node name="restart">
+    <children>
+      <node name="mdns">
+        <properties>
+          <help>Restart specific multicast Domain Name System service</help>
+        </properties>
+        <children>
+          <node name="repeater">
+            <properties>
+              <help>Restart mDNS repeater service</help>
+            </properties>
+            <command>sudo systemctl restart avahi-daemon.service</command>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in
index 52b5b85d4..f01c715cb 100644
--- a/op-mode-definitions/monitor-log.xml.in
+++ b/op-mode-definitions/monitor-log.xml.in
@@ -30,6 +30,12 @@
               </leafNode>
             </children>
           </node>
+          <leafNode name="certbot">
+            <properties>
+              <help>Monitor last lines of certbot log</help>
+            </properties>
+            <command>if sudo test -f /var/log/letsencrypt/letsencrypt.log; then sudo tail --follow=name /var/log/letsencrypt/letsencrypt.log; else echo "Cerbot log does not exist"; fi</command>
+          </leafNode>
           <leafNode name="conntrack-sync">
             <properties>
               <help>Monitor last lines of conntrack-sync log</help>
@@ -120,6 +126,12 @@
             </properties>
             <command>journalctl --no-hostname --boot --follow --dmesg</command>
           </leafNode>
+          <leafNode name="ndp-proxy">
+            <properties>
+              <help>Monitor last lines of Neighbor Discovery Protocol (NDP) Proxy</help>
+            </properties>
+            <command>journalctl --no-hostname --boot --follow --unit ndppd.service</command>
+          </leafNode>
           <leafNode name="nhrp">
             <properties>
               <help>Monitor last lines of Next Hop Resolution Protocol log</help>
@@ -274,12 +286,20 @@
             </properties>
             <command>journalctl --no-hostname --boot --follow --unit snmpd.service</command>
           </leafNode>
-          <leafNode name="ssh">
+          <node name="ssh">
             <properties>
               <help>Monitor last lines of Secure Shell log</help>
             </properties>
             <command>journalctl --no-hostname --boot --follow --unit ssh.service</command>
-          </leafNode>
+            <children>
+              <node name="dynamic-protection">
+                <properties>
+                  <help>Monitor last lines of SSH guard log</help>
+                </properties>
+                <command>journalctl --no-hostname --boot --follow --unit sshguard.service</command>
+              </node>
+            </children>
+          </node>
           <leafNode name="vpn">
             <properties>
               <help>Monitor last lines of ALL Virtual Private Network services</help>
@@ -333,12 +353,6 @@
               </tagNode>
             </children>
           </node>
-          <leafNode name="vpp">
-            <properties>
-              <help>Monitor last lines of Vector Packet Processor log</help>
-            </properties>
-            <command>journalctl --no-hostname --boot --follow --unit vpp.service</command>
-          </leafNode>
           <leafNode name="vrrp">
             <properties>
               <help>Monitor last lines of Virtual Router Redundancy Protocol log</help>
diff --git a/op-mode-definitions/mtr.xml.in b/op-mode-definitions/mtr.xml.in
new file mode 100644
index 000000000..8239aec4c
--- /dev/null
+++ b/op-mode-definitions/mtr.xml.in
@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="monitor">
+    <children>
+      <tagNode name="traceroute">
+        <properties>
+          <help>Monitor Traceroute and ping path to target</help>
+          <completionHelp>
+            <list>&lt;hostname&gt; &lt;x.x.x.x&gt; &lt;h:h:h:h:h:h:h:h&gt;</list>
+          </completionHelp>
+        </properties>
+        <command>${vyos_op_scripts_dir}/mtr.py ${@:3}</command>
+        <children>
+          <leafNode name="node.tag">
+            <properties>
+              <help>mtr options</help>
+              <completionHelp>
+                <script>${vyos_op_scripts_dir}/mtr.py --get-options-nested "${COMP_WORDS[@]}"</script>
+              </completionHelp>
+            </properties>
+            <command>${vyos_op_scripts_dir}/mtr.py ${@:3}</command>
+          </leafNode>
+        </children>
+      </tagNode>
+    </children>
+  </node>
+  <tagNode name="mtr">
+    <properties>
+      <help>Monitor Traceroute and ping path to target</help>
+      <completionHelp>
+        <list>&lt;hostname&gt; &lt;x.x.x.x&gt; &lt;h:h:h:h:h:h:h:h&gt;</list>
+      </completionHelp>
+    </properties>
+    <command>${vyos_op_scripts_dir}/mtr.py ${@:2}</command>
+    <children>
+      <leafNode name="node.tag">
+        <properties>
+          <help>Traceroute options</help>
+          <completionHelp>
+            <script>${vyos_op_scripts_dir}/mtr.py --get-options "${COMP_WORDS[@]}"</script>
+          </completionHelp>
+        </properties>
+        <command>${vyos_op_scripts_dir}/mtr.py ${@:2}</command>
+      </leafNode>
+    </children>
+  </tagNode>
+</interfaceDefinition>
diff --git a/op-mode-definitions/nat66.xml.in b/op-mode-definitions/nat66.xml.in
index 6a8a39000..4df20d847 100644
--- a/op-mode-definitions/nat66.xml.in
+++ b/op-mode-definitions/nat66.xml.in
@@ -16,7 +16,7 @@
                 <properties>
                   <help>Show configured source NAT66 rules</help>
                 </properties>
-                <command>${vyos_op_scripts_dir}/nat.py show_rules --direction source --family inet6</command>
+                <command>sudo ${vyos_op_scripts_dir}/nat.py show_rules --direction source --family inet6</command>
               </node>
               <node name="statistics">
                 <properties>
@@ -39,7 +39,7 @@
                     <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6 --address "$6"</command>
                   </tagNode>
                 </children>
-                <command>${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6</command>
+                <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6</command>
               </node>
             </children>
           </node>
@@ -52,7 +52,7 @@
                 <properties>
                   <help>Show configured destination NAT66 rules</help>
                 </properties>
-                <command>${vyos_op_scripts_dir}/nat.py show_rules --direction destination --family inet6</command>
+                <command>sudo ${vyos_op_scripts_dir}/nat.py show_rules --direction destination --family inet6</command>
               </node>
               <node name="statistics">
                 <properties>
@@ -75,7 +75,7 @@
                     <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6 --address "$6"</command>
                   </tagNode>
                 </children>
-                <command>${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6</command>
+                <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6</command>
               </node>
             </children>
           </node>
diff --git a/op-mode-definitions/ntp.xml.in b/op-mode-definitions/ntp.xml.in
new file mode 100644
index 000000000..b8d0c43ec
--- /dev/null
+++ b/op-mode-definitions/ntp.xml.in
@@ -0,0 +1,49 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="show">
+    <children>
+      <node name="ntp">
+        <properties>
+          <help>Show peer status of NTP daemon</help>
+        </properties>
+        <command>${vyos_op_scripts_dir}/show_ntp.sh --sourcestats</command>
+        <children>
+          <node name="system">
+            <properties>
+              <help>Show parameters about the system clock performance</help>
+            </properties>
+            <command>${vyos_op_scripts_dir}/show_ntp.sh --tracking</command>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+  <node name="force">
+    <children>
+      <node name="ntp">
+        <properties>
+          <help>NTP (Network Time Protocol) operations</help>
+        </properties>
+        <children>
+          <node name="synchronization">
+            <properties>
+              <help>Force NTP time synchronization</help>
+            </properties>
+            <children>
+              <tagNode name="vrf">
+                <properties>
+                  <help>Force NTP time synchronization in given VRF</help>
+                  <completionHelp>
+                    <path>vrf name</path>
+                  </completionHelp>
+                </properties>
+                <command>sudo ip vrf exec $5 chronyc makestep</command>
+              </tagNode>
+            </children>
+            <command>sudo chronyc makestep</command>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/pki.xml.in b/op-mode-definitions/pki.xml.in
index ca0eb3687..4b8d9c47a 100644
--- a/op-mode-definitions/pki.xml.in
+++ b/op-mode-definitions/pki.xml.in
@@ -574,4 +574,14 @@
       </node>
     </children>
   </node>
+  <node name="renew">
+    <children>
+      <leafNode name="certbot">
+        <properties>
+          <help>Start manual certbot renewal</help>
+        </properties>
+        <command>sudo systemctl start certbot.service</command>
+      </leafNode>
+    </children>
+  </node>
 </interfaceDefinition>
diff --git a/op-mode-definitions/raid.xml.in b/op-mode-definitions/raid.xml.in
new file mode 100644
index 000000000..5d0c9ef3d
--- /dev/null
+++ b/op-mode-definitions/raid.xml.in
@@ -0,0 +1,69 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="add">
+    <children>
+      <tagNode name="raid">
+        <properties>
+          <help>Add a RAID set element</help>
+          <completionHelp>
+            <script>${vyos_completion_dir}/list_raidset.sh</script>
+          </completionHelp>
+        </properties>
+        <children>
+          <node name="by-id">
+            <properties>
+              <help>Add a member by disk id to a RAID set</help>
+            </properties>
+            <children>
+              <tagNode name="member">
+                <properties>
+                  <help>Add a member to a RAID set</help>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/raid.py add --raid-set-name $3 --by-id --member $6</command>
+              </tagNode>
+            </children>
+          </node>
+          <tagNode name="member">
+            <properties>
+              <help>Add a member to a RAID set</help>
+            </properties>
+            <command>sudo ${vyos_op_scripts_dir}/raid.py add --raid-set-name $3 --member $5</command>
+          </tagNode>
+        </children>
+      </tagNode>
+    </children>
+  </node>
+  <node name="delete">
+    <children>
+      <tagNode name="raid">
+        <properties>
+          <help>Add a RAID set element</help>
+          <completionHelp>
+            <script>${vyos_completion_dir}/list_raidset.sh</script>
+          </completionHelp>
+        </properties>
+        <children>
+          <node name="by-id">
+            <properties>
+              <help>Add a member by disk id to a RAID set</help>
+            </properties>
+            <children>
+              <tagNode name="member">
+                <properties>
+                  <help>Add a member to a RAID set</help>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/raid.py delete --raid-set-name $3 --by-id --member $6</command>
+              </tagNode>
+            </children>
+          </node>
+          <tagNode name="member">
+            <properties>
+              <help>Add a member to a RAID set</help>
+            </properties>
+            <command>sudo ${vyos_op_scripts_dir}/raid.py delete --raid-set-name $3 --member $5</command>
+          </tagNode>
+        </children>
+      </tagNode>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/restart-router-advert.xml.in b/op-mode-definitions/restart-router-advert.xml.in
new file mode 100644
index 000000000..304b4dfd3
--- /dev/null
+++ b/op-mode-definitions/restart-router-advert.xml.in
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="restart">
+    <children>
+      <node name="router-advert">
+        <properties>
+          <help>Restart IPv6 Router Advertisement service</help>
+        </properties>
+        <command>if cli-shell-api existsActive service router-advert; then sudo systemctl restart radvd.service; else echo "IPv6 Router Advertisement service not configured"; fi</command>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/show-bgp.xml.in b/op-mode-definitions/show-bgp.xml.in
index 3c212614c..8b1992432 100644
--- a/op-mode-definitions/show-bgp.xml.in
+++ b/op-mode-definitions/show-bgp.xml.in
@@ -100,6 +100,19 @@
             </children>
           </tagNode>
           #include <include/vtysh-generic-wide.xml.i>
+          <node name="segment-routing">
+            <properties>
+              <help>BGP Segment Routing</help>
+            </properties>
+            <children>
+              <leafNode name="srv6">
+                <properties>
+                  <help>BGP Segment Routing SRv6</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+            </children>
+          </node>
         </children>
       </node>
     </children>
diff --git a/op-mode-definitions/show-bridge.xml.in b/op-mode-definitions/show-bridge.xml.in
index fad3f3418..5d8cc3847 100644
--- a/op-mode-definitions/show-bridge.xml.in
+++ b/op-mode-definitions/show-bridge.xml.in
@@ -21,6 +21,12 @@
               </leafNode>
             </children>
           </node>
+          <leafNode name="vni">
+            <properties>
+              <help>Virtual Network Identifier</help>
+            </properties>
+            <command>${vyos_op_scripts_dir}/bridge.py show_vni</command>
+          </leafNode>
         </children>
       </node>
       <leafNode name="bridge">
diff --git a/op-mode-definitions/show-interfaces-wireless.xml.in b/op-mode-definitions/show-interfaces-wireless.xml.in
index 27c0f43db..09c9a7895 100644
--- a/op-mode-definitions/show-interfaces-wireless.xml.in
+++ b/op-mode-definitions/show-interfaces-wireless.xml.in
@@ -20,7 +20,7 @@
                 <properties>
                   <help>Show wireless interface configuration</help>
                 </properties>
-                <command>${vyos_op_scripts_dir}/show_wireless.py --brief</command>
+                <command>${vyos_op_scripts_dir}/interfaces_wireless.py show_info</command>
               </leafNode>
             </children>
           </node>
@@ -35,15 +35,15 @@
             <children>
               <leafNode name="brief">
                 <properties>
-                  <help>Show summary of the specified wireless interface information</help>
+                  <help>Show brief summary of the specified wireless interface</help>
                 </properties>
                 <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf-name="$4" --intf-type=wireless</command>
               </leafNode>
               <node name="scan">
                 <properties>
-                  <help>Show summary of the specified wireless interface information</help>
+                  <help>Scan for networks via specified wireless interface</help>
                 </properties>
-                <command>sudo ${vyos_op_scripts_dir}/show_wireless.py --scan "$4"</command>
+                <command>sudo ${vyos_op_scripts_dir}/interfaces_wireless.py show_scan --intf-name="$4"</command>
                 <children>
                   <leafNode name="detail">
                     <properties>
@@ -57,7 +57,7 @@
                 <properties>
                   <help>Show specified Wireless interface information</help>
                 </properties>
-                <command>${vyos_op_scripts_dir}/show_wireless.py --stations "$4"</command>
+                <command>${vyos_op_scripts_dir}/interfaces_wireless.py show_stations --intf-name="$4"</command>
               </leafNode>
               <tagNode name="vif">
                 <properties>
diff --git a/op-mode-definitions/show-interfaces.xml.in b/op-mode-definitions/show-interfaces.xml.in
index dc61a6f5c..09466647d 100644
--- a/op-mode-definitions/show-interfaces.xml.in
+++ b/op-mode-definitions/show-interfaces.xml.in
@@ -6,7 +6,7 @@
         <properties>
           <help>Show network interface information</help>
         </properties>
-        <command>${vyos_op_scripts_dir}/interfaces.py show_summary</command>
+        <command>${vyos_op_scripts_dir}/interfaces.py show_summary_extended</command>
         <children>
           <leafNode name="counters">
             <properties>
@@ -20,6 +20,12 @@
             </properties>
             <command>${vyos_op_scripts_dir}/interfaces.py show</command>
           </leafNode>
+          <leafNode name="summary">
+            <properties>
+              <help>Show summary information of all interfaces</help>
+            </properties>
+            <command>${vyos_op_scripts_dir}/interfaces.py show_summary</command>
+          </leafNode>
         </children>
       </node>
     </children>
diff --git a/op-mode-definitions/show-ip-igmp.xml.in b/op-mode-definitions/show-ip-igmp.xml.in
index 855c5d508..1fd86ba54 100644
--- a/op-mode-definitions/show-ip-igmp.xml.in
+++ b/op-mode-definitions/show-ip-igmp.xml.in
@@ -13,31 +13,31 @@
                 <properties>
                   <help>IGMP groups information</help>
                 </properties>
-                <command>vtysh -c "show ip igmp groups"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
-              <leafNode name="interfaces">
+              <leafNode name="interface">
                 <properties>
                   <help>IGMP interfaces information</help>
                 </properties>
-                <command>vtysh -c "show ip igmp interface"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
               <leafNode name="join">
                 <properties>
                   <help>IGMP static join information</help>
                 </properties>
-                <command>vtysh -c "show ip igmp join"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
               <leafNode name="sources">
                 <properties>
                   <help>IGMP sources information</help>
                 </properties>
-                <command>vtysh -c "show ip igmp sources"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
               <leafNode name="statistics">
                 <properties>
                   <help>IGMP statistics</help>
                 </properties>
-                <command>vtysh -c "show ip igmp statistics"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
             </children>
           </node>
diff --git a/op-mode-definitions/show-ip-pim.xml.in b/op-mode-definitions/show-ip-pim.xml.in
index fa317a944..9deba1f07 100644
--- a/op-mode-definitions/show-ip-pim.xml.in
+++ b/op-mode-definitions/show-ip-pim.xml.in
@@ -9,59 +9,143 @@
               <help>Show PIM (Protocol Independent Multicast) information</help>
             </properties>
             <children>
-              <leafNode name="interfaces">
+              <leafNode name="assert">
+                <properties>
+                  <help>PIM interfaces assert</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="assert-internal">
+                <properties>
+                  <help>PIM interface internal assert state</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="assert-metric">
+                <properties>
+                  <help>PIM interface assert metric</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="assert-winner-metric">
+                <properties>
+                  <help>PIM interface assert winner metric</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="bsm-database">
+                <properties>
+                  <help>PIM cached bsm packets information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="bsr">
+                <properties>
+                  <help>PIM boot-strap router information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="bsrp-info">
+                <properties>
+                  <help>PIM cached group-rp mappings information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="channel">
+                <properties>
+                  <help>PIM downstream channel info</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="group-type">
+                <properties>
+                  <help>PIM multicast group type</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="interface">
                 <properties>
                   <help>PIM interfaces information</help>
                 </properties>
-                <command>vtysh -c "show ip pim interface"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
               <leafNode name="join">
                 <properties>
                   <help>PIM join information</help>
                 </properties>
-                <command>vtysh -c "show ip pim join"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="local-membership">
+                <properties>
+                  <help>PIM interface local-membership</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
               <leafNode name="neighbor">
                 <properties>
                   <help>PIM neighbor information</help>
                 </properties>
-                <command>vtysh -c "show ip pim neighbor"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
               <leafNode name="nexthop">
                 <properties>
                   <help>PIM cached nexthop rpf information</help>
                 </properties>
-                <command>vtysh -c "show ip pim nexthop"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="rp-info">
+                <properties>
+                  <help>PIM rendezvous point information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="rpf">
+                <properties>
+                  <help>PIM reverse path forwarding information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="secondary">
+                <properties>
+                  <help>PIM neighbor addresses</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
               <leafNode name="state">
                 <properties>
                   <help>PIM state information</help>
                 </properties>
-                <command>vtysh -c "show ip pim state"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
               <leafNode name="statistics">
                 <properties>
                   <help>PIM statistics</help>
                 </properties>
-                <command>vtysh -c "show ip pim statistics"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="upstream">
+                <properties>
+                  <help>PIM upstream information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
-              <leafNode name="rp">
+              <leafNode name="upstream-join-desired">
                 <properties>
-                  <help>PIM RP (Rendevous Point) information</help>
+                  <help>PIM upstream join-desired</help>
                 </properties>
-                <command>vtysh -c "show ip pim rp-info"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
-              <leafNode name="rpf">
+              <leafNode name="upstream-rpf">
                 <properties>
-                  <help>PIM cached source rpf information</help>
+                  <help>PIM upstream source reverse path forwarding</help>
                 </properties>
-                <command>vtysh -c "show ip pim rpf"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
-              <leafNode name="upstream">
+              <leafNode name="vxlan-groups">
                 <properties>
-                  <help>PIM upstream information</help>
+                  <help>VXLAN BUM groups</help>
                 </properties>
-                <command>vtysh -c "show ip pim upstream"</command>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </leafNode>
             </children>
           </node>
diff --git a/op-mode-definitions/show-ip.xml.in b/op-mode-definitions/show-ip.xml.in
index d5dbb7850..3caf1f1ea 100644
--- a/op-mode-definitions/show-ip.xml.in
+++ b/op-mode-definitions/show-ip.xml.in
@@ -33,6 +33,12 @@
               </tagNode>
             </children>
           </node>
+          <leafNode name="nht">
+            <properties>
+              <help>Show IPv4 nexthop tracking table</help>
+            </properties>
+            <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+          </leafNode>
         </children>
       </node>
     </children>
diff --git a/op-mode-definitions/show-ipv6-mld.xml.in b/op-mode-definitions/show-ipv6-mld.xml.in
new file mode 100644
index 000000000..5c719f700
--- /dev/null
+++ b/op-mode-definitions/show-ipv6-mld.xml.in
@@ -0,0 +1,42 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="show">
+    <children>
+      <node name="ipv6">
+        <children>
+          <node name="mld">
+            <properties>
+              <help>Show MLD (Multicast Listener Discovery) information</help>
+            </properties>
+            <children>
+              <leafNode name="groups">
+                <properties>
+                  <help>MLD group information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="interface">
+                <properties>
+                  <help>MLD interface information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="joins">
+                <properties>
+                  <help>MLD joined groups and sources</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="statistics">
+                <properties>
+                  <help>MLD statistics</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/show-ipv6-pim.xml.in b/op-mode-definitions/show-ipv6-pim.xml.in
new file mode 100644
index 000000000..7cc3ce742
--- /dev/null
+++ b/op-mode-definitions/show-ipv6-pim.xml.in
@@ -0,0 +1,120 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="show">
+    <children>
+      <node name="ipv6">
+        <children>
+          <node name="pim">
+            <properties>
+              <help>Show PIM (Protocol Independent Multicast) information</help>
+            </properties>
+            <children>
+              <leafNode name="bsm-database">
+                <properties>
+                  <help>PIM cached bsm packets information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="bsr">
+                <properties>
+                  <help>PIM boot-strap router information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="bsrp-info">
+                <properties>
+                  <help>PIM cached group-rp mappings information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="channel">
+                <properties>
+                  <help>PIM downstream channel info</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="interface">
+                <properties>
+                  <help>PIM interfaces information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="join">
+                <properties>
+                  <help>PIM join information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="local-membership">
+                <properties>
+                  <help>PIM interface local-membership</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="neighbor">
+                <properties>
+                  <help>PIM neighbor information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="nexthop">
+                <properties>
+                  <help>PIM cached nexthop rpf information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="rp-info">
+                <properties>
+                  <help>PIM rendezvous point information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="rpf">
+                <properties>
+                  <help>PIM reverse path forwarding information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="secondary">
+                <properties>
+                  <help>PIM neighbor addresses</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="state">
+                <properties>
+                  <help>PIM state information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="statistics">
+                <properties>
+                  <help>PIM statistics</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="upstream">
+                <properties>
+                  <help>PIM upstream information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="upstream-join-desired">
+                <properties>
+                  <help>PIM upstream join-desired</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+              <leafNode name="upstream-rpf">
+                <properties>
+                  <help>PIM upstream source reverse path forwarding</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </leafNode>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/show-ipv6-route.xml.in b/op-mode-definitions/show-ipv6-route.xml.in
index 7df1a873a..d73fb46b4 100644
--- a/op-mode-definitions/show-ipv6-route.xml.in
+++ b/op-mode-definitions/show-ipv6-route.xml.in
@@ -82,6 +82,23 @@
                     </properties>
                     <command>${vyos_op_scripts_dir}/route.py show_summary --family inet6 --vrf $5</command>
                   </node>
+                  <node name="node.tag">
+                    <properties>
+                      <help>Show IPv6 routes of given address or prefix</help>
+                      <completionHelp>
+                        <list>&lt;h:h:h:h:h:h:h:h&gt; &lt;h:h:h:h:h:h:h:h/x&gt;</list>
+                      </completionHelp>
+                    </properties>
+                    <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+                    <children>
+                      <node name="longer-prefixes">
+                        <properties>
+                          <help>Show longer prefixes of routes for given prefix</help>
+                        </properties>
+                        <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+                      </node>
+                    </children>
+                  </node>
                   #include <include/show-route-bgp.xml.i>
                   #include <include/show-route-connected.xml.i>
                   #include <include/show-route-isis.xml.i>
@@ -103,6 +120,7 @@
                 <list>&lt;h:h:h:h:h:h:h:h&gt; &lt;h:h:h:h:h:h:h:h/x&gt;</list>
               </completionHelp>
             </properties>
+            <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
             <children>
               <node name="longer-prefixes">
                 <properties>
@@ -111,7 +129,6 @@
                 <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
               </node>
             </children>
-            <command>vtysh -c "show ipv6 route $4"</command>
           </tagNode>
         </children>
       </node>
diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
index 747622db6..432a21b59 100644
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -38,6 +38,12 @@
             </properties>
             <command>journalctl --no-hostname --boot --quiet SYSLOG_FACILITY=10 SYSLOG_FACILITY=4</command>
           </leafNode>
+          <leafNode name="certbot">
+            <properties>
+              <help>Show log for certbot</help>
+            </properties>
+            <command>if sudo test -f /var/log/letsencrypt/letsencrypt.log; then sudo cat /var/log/letsencrypt/letsencrypt.log; else echo "Cerbot log does not exist"; fi</command>
+          </leafNode>
           <leafNode name="cluster">
             <properties>
               <help>Show log for Cluster</help>
@@ -244,6 +250,12 @@
             </properties>
             <command>egrep -i "kernel:.*\[NAT-[A-Z]{3,}-[0-9]+(-MASQ)?\]" $(find /var/log -maxdepth 1 -type f -name messages\* | sort -t. -k2nr)</command>
           </leafNode>
+          <leafNode name="ndp-proxy">
+            <properties>
+              <help>Show log for Neighbor Discovery Protocol (NDP) Proxy</help>
+            </properties>
+            <command>journalctl --no-hostname --boot --unit ndppd.service</command>
+          </leafNode>
           <leafNode name="nhrp">
             <properties>
               <help>Show log for Next Hop Resolution Protocol (NHRP)</help>
@@ -398,12 +410,20 @@
             </properties>
             <command>journalctl --no-hostname --boot --unit snmpd.service</command>
           </leafNode>
-          <leafNode name="ssh">
+          <node name="ssh">
             <properties>
               <help>Show log for Secure Shell (SSH)</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit ssh.service</command>
-          </leafNode>
+            <children>
+              <node name="dynamic-protection">
+                <properties>
+                  <help>Show SSH guard log</help>
+                </properties>
+                <command>journalctl --no-hostname --boot --unit sshguard.service</command>
+              </node>
+            </children>
+          </node>
           <tagNode name="tail">
             <properties>
               <help>Show last n changes to messages</help>
@@ -472,12 +492,6 @@
               </tagNode>
             </children>
           </node>
-          <leafNode name="vpp">
-            <properties>
-              <help>Show log for Vector Packet Processor (VPP)</help>
-            </properties>
-            <command>journalctl --no-hostname --boot --unit vpp.service</command>
-          </leafNode>
           <leafNode name="vrrp">
             <properties>
               <help>Show log for Virtual Router Redundancy Protocol (VRRP)</help>
diff --git a/op-mode-definitions/show-ntp.xml.in b/op-mode-definitions/show-ntp.xml.in
deleted file mode 100644
index 0907722af..000000000
--- a/op-mode-definitions/show-ntp.xml.in
+++ /dev/null
@@ -1,21 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
-  <node name="show">
-    <children>
-      <node name="ntp">
-        <properties>
-          <help>Show peer status of NTP daemon</help>
-        </properties>
-        <command>${vyos_op_scripts_dir}/show_ntp.sh --sourcestats</command>
-        <children>
-          <node name="system">
-            <properties>
-              <help>Show parameters about the system clock performance</help>
-            </properties>
-            <command>${vyos_op_scripts_dir}/show_ntp.sh --tracking</command>
-          </node>
-        </children>
-      </node>
-    </children>
-  </node>
-</interfaceDefinition>
diff --git a/op-mode-definitions/show-segment-routing.xml.in b/op-mode-definitions/show-segment-routing.xml.in
new file mode 100644
index 000000000..ebdb51a61
--- /dev/null
+++ b/op-mode-definitions/show-segment-routing.xml.in
@@ -0,0 +1,27 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="show">
+    <children>
+      <node name="segment-routing">
+        <properties>
+          <help>Show Segment Routing</help>
+        </properties>
+        <children>
+          <node name="srv6">
+            <properties>
+              <help>Segment Routing SRv6</help>
+            </properties>
+            <children>
+              <node name="locator">
+                <properties>
+                  <help>Locator Information</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+              </node>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in
new file mode 100644
index 000000000..ca8e669b3
--- /dev/null
+++ b/op-mode-definitions/show-ssh.xml.in
@@ -0,0 +1,34 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="show">
+    <children>
+      <node name="ssh">
+        <properties>
+          <help>Show SSH server information</help>
+        </properties>
+        <children>
+          <node name="dynamic-protection">
+            <properties>
+              <help>Show SSH server dynamic-protection blocked attackers</help>
+            </properties>
+            <command>sudo ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection</command>
+          </node>
+          <node name="fingerprints">
+            <properties>
+              <help>Show SSH server public key fingerprints</help>
+            </properties>
+            <command>${vyos_op_scripts_dir}/ssh.py show_fingerprints</command>
+            <children>
+              <node name="ascii">
+                <properties>
+                  <help>Show visual ASCII art representation of the public key</help>
+                </properties>
+                <command>${vyos_op_scripts_dir}/ssh.py show_fingerprints --ascii</command>
+              </node>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/show-techsupport_report.xml.in b/op-mode-definitions/show-techsupport_report.xml.in
index aa51eacd9..ef051e940 100644
--- a/op-mode-definitions/show-techsupport_report.xml.in
+++ b/op-mode-definitions/show-techsupport_report.xml.in
@@ -3,6 +3,9 @@
   <node name="show">
     <children>
       <node name="tech-support">
+        <properties>
+          <help>Show tech-support report</help>
+        </properties>
         <children>
           <node name="report">
             <properties>
diff --git a/op-mode-definitions/show-vrf.xml.in b/op-mode-definitions/show-vrf.xml.in
index 9728eb1fa..c18649844 100644
--- a/op-mode-definitions/show-vrf.xml.in
+++ b/op-mode-definitions/show-vrf.xml.in
@@ -7,6 +7,14 @@
           <help>Show VRF (Virtual Routing and Forwarding) information</help>
         </properties>
         <command>${vyos_op_scripts_dir}/vrf.py show</command>
+        <children>
+          <leafNode name="vni">
+            <properties>
+              <help>Show information on VRF/VXLAN VNI mapping</help>
+            </properties>
+            <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+          </leafNode>
+        </children>
       </node>
       <tagNode name="vrf">
         <properties>
@@ -23,6 +31,12 @@
             </properties>
             <command>ip vrf pids "$3"</command>
           </leafNode>
+          <leafNode name="vni">
+            <properties>
+              <help>Show VXLAN VNI association</help>
+            </properties>
+            <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+          </leafNode>
         </children>
       </tagNode>
     </children>
diff --git a/op-mode-definitions/system-image.xml.in b/op-mode-definitions/system-image.xml.in
new file mode 100644
index 000000000..c131087be
--- /dev/null
+++ b/op-mode-definitions/system-image.xml.in
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<interfaceDefinition>
+  <node name="add">
+    <properties>
+      <help>Add an object</help>
+    </properties>
+    <children>
+      <node name="system">
+        <properties>
+          <help>Add item to a system facility</help>
+        </properties>
+        <children>
+          <tagNode name="image">
+            <properties>
+              <help>Add a new image to the system</help>
+              <completionHelp>
+                <list>/path/to/vyos-image.iso "http://example.com/vyos-image.iso"</list>
+              </completionHelp>
+            </properties>
+            <command>sudo ${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}"</command>
+            <children>
+              <tagNode name="vrf">
+                <properties>
+                  <help>Download image via specified VRF</help>
+                  <completionHelp>
+                    <path>vrf name</path>
+                  </completionHelp>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}" --vrf "${6}"</command>
+                <children>
+                  <tagNode name="username">
+                    <properties>
+                      <help>Username for authentication</help>
+                    </properties>
+                    <children>
+                      <tagNode name="password">
+                        <properties>
+                          <help>Password to use with authentication</help>
+                        </properties>
+                        <command>sudo ${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}" --vrf "${6}" --username "${8}" --password "${10}"</command>
+                      </tagNode>
+                    </children>
+                  </tagNode>
+                </children>
+              </tagNode>
+              <tagNode name="username">
+                <properties>
+                  <help>Username for authentication</help>
+                </properties>
+                <children>
+                  <tagNode name="password">
+                    <properties>
+                      <help>Password to use with authentication</help>
+                    </properties>
+                    <command>sudo ${vyos_op_scripts_dir}/image_installer.py --action add --image-path "${4}" --username "${6}" --password "${8}"</command>
+                  </tagNode>
+                </children>
+              </tagNode>
+            </children>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+  <node name="set">
+    <properties>
+      <help>Install a new system</help>
+    </properties>
+    <children>
+      <node name="system">
+        <properties>
+          <help>Set system operational parameters</help>
+        </properties>
+        <children>
+          <node name="image">
+            <properties>
+              <help>Set system image parameters</help>
+            </properties>
+            <children>
+              <node name="default-boot">
+                <properties>
+                  <help>Set default image to boot.</help>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action set</command>
+              </node>
+              <tagNode name="default-boot">
+                <properties>
+                  <help>Set default image to boot.</help>
+                  <completionHelp>
+                    <script>sudo ${vyos_op_scripts_dir}/image_manager.py --action list</script>
+                  </completionHelp>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action set --image-name "${5}"</command>
+              </tagNode>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+  <node name="install">
+    <properties>
+      <help>Install a new system</help>
+    </properties>
+    <children>
+      <node name="image">
+        <properties>
+          <help>Install new system image to hard drive</help>
+        </properties>
+        <command>sudo ${vyos_op_scripts_dir}/image_installer.py --action install</command>
+      </node>
+    </children>
+  </node>
+  <node name="delete">
+    <properties>
+      <help>Delete an object</help>
+    </properties>
+    <children>
+      <node name="system">
+        <properties>
+          <help>Delete system objects</help>
+        </properties>
+        <children>
+          <node name="image">
+            <properties>
+              <help>Remove an installed image from the system</help>
+            </properties>
+            <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action delete</command>
+          </node>
+          <tagNode name="image">
+            <properties>
+              <help>Remove an installed image from the system</help>
+              <completionHelp>
+                <script>sudo ${vyos_op_scripts_dir}/image_manager.py --action list</script>
+              </completionHelp>
+            </properties>
+            <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action delete --image-name "${4}"</command>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+  <node name="rename">
+    <properties>
+      <help>Rename an object</help>
+    </properties>
+    <children>
+      <node name="system">
+        <properties>
+          <help>Rename a system object</help>
+        </properties>
+        <children>
+          <tagNode name="image">
+            <properties>
+              <help>System image to rename</help>
+              <completionHelp>
+                <script>sudo ${vyos_op_scripts_dir}/image_manager.py --action list</script>
+              </completionHelp>
+            </properties>
+            <children>
+              <tagNode name="to">
+                <properties>
+                  <help>A new name for an image</help>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/image_manager.py --action rename --image-name "${4}" --image-new-name "${6}"</command>
+              </tagNode>
+            </children>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+  <node name="show">
+    <properties>
+      <help>Rename an object</help>
+    </properties>
+    <children>
+      <node name="system">
+        <properties>
+          <help>Show system information</help>
+        </properties>
+        <children>
+          <node name="image">
+            <properties>
+              <help>Show installed VyOS images</help>
+            </properties>
+            <command>sudo ${vyos_op_scripts_dir}/image_info.py show_images_summary</command>
+            <children>
+              <node name="details">
+                <properties>
+                  <help>Show details about installed VyOS images</help>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/image_info.py show_images_details</command>
+              </node>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in
index c7ba780a3..b551af2be 100644
--- a/op-mode-definitions/vpn-ipsec.xml.in
+++ b/op-mode-definitions/vpn-ipsec.xml.in
@@ -177,7 +177,7 @@
                 <properties>
                   <help>Show all the pre-shared key secrets</help>
                 </properties>
-                <command>sudo cat /etc/ipsec.secrets | sed 's/#.*//'</command>
+                <command>${vyos_op_scripts_dir}/ipsec.py show_psk</command>
               </node>
               <node name="status">
                 <properties>
diff --git a/op-mode-definitions/zone-policy.xml.in b/op-mode-definitions/zone-policy.xml.in
deleted file mode 100644
index 9d65ddd3d..000000000
--- a/op-mode-definitions/zone-policy.xml.in
+++ /dev/null
@@ -1,24 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
-  <node name="show">
-    <children>
-      <node name="zone-policy">
-        <properties>
-          <help>Show zone policy information</help>
-        </properties>
-        <children>
-          <tagNode name="zone">
-            <properties>
-              <help>Show summary of zone policy for a specific zone</help>
-              <completionHelp>
-                <path>firewall zone</path>
-              </completionHelp>
-            </properties>
-            <command>sudo ${vyos_op_scripts_dir}/zone.py show --zone $4</command>
-          </tagNode>
-        </children>
-        <command>sudo ${vyos_op_scripts_dir}/zone.py show</command>
-      </node>
-    </children>
-  </node>
-</interfaceDefinition>
diff --git a/python/vyos/accel_ppp_util.py b/python/vyos/accel_ppp_util.py
new file mode 100644
index 000000000..757d447a2
--- /dev/null
+++ b/python/vyos/accel_ppp_util.py
@@ -0,0 +1,193 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# The sole purpose of this module is to hold common functions used in
+# all kinds of implementations to verify the CLI configuration.
+# It is started by migrating the interfaces to the new get_config_dict()
+# approach which will lead to a lot of code that can be reused.
+
+# NOTE: imports should be as local as possible to the function which
+# makes use of it!
+
+from vyos import ConfigError
+from vyos.utils.dict import dict_search
+
+
+def get_pools_in_order(data: dict) -> list:
+    """Return a list of dictionaries representing pool data in the order
+    in which they should be allocated. Pool must be defined before we can
+    use it with 'next-pool' option.
+
+    Args:
+        data: A dictionary of pool data, where the keys are pool names and the
+        values are dictionaries containing the 'subnet' key and the optional
+        'next_pool' key.
+
+    Returns:
+        list: A list of dictionaries
+
+    Raises:
+        ValueError: If a 'next_pool' key references a pool name that
+                    has not been defined.
+        ValueError: If a circular reference is found in the 'next_pool' keys.
+
+    Example:
+        config_data = {
+        ... 'first-pool': {
+        ... 'next_pool': 'second-pool',
+        ... 'subnet': '192.0.2.0/25'
+        ... },
+        ... 'second-pool': {
+        ... 'next_pool': 'third-pool',
+        ... 'subnet': '203.0.113.0/25'
+        ... },
+        ... 'third-pool': {
+        ... 'subnet': '198.51.100.0/24'
+        ... },
+        ... 'foo': {
+        ... 'subnet': '100.64.0.0/24',
+        ... 'next_pool': 'second-pool'
+        ... }
+        ... }
+
+        % get_pools_in_order(config_data)
+        [{'third-pool': {'subnet': '198.51.100.0/24'}},
+        {'second-pool': {'next_pool': 'third-pool', 'subnet': '203.0.113.0/25'}},
+        {'first-pool': {'next_pool': 'second-pool', 'subnet': '192.0.2.0/25'}},
+        {'foo': {'next_pool': 'second-pool', 'subnet': '100.64.0.0/24'}}]
+    """
+    pools = []
+    unresolved_pools = {}
+
+    for pool, pool_config in data.items():
+        if "next_pool" not in pool_config or not pool_config["next_pool"]:
+            pools.insert(0, {pool: pool_config})
+        else:
+            unresolved_pools[pool] = pool_config
+
+    while unresolved_pools:
+        resolved_pools = []
+
+        for pool, pool_config in unresolved_pools.items():
+            next_pool_name = pool_config["next_pool"]
+
+            if any(p for p in pools if next_pool_name in p):
+                index = next(
+                    (i for i, p in enumerate(pools) if next_pool_name in p), None
+                )
+                pools.insert(index + 1, {pool: pool_config})
+                resolved_pools.append(pool)
+            elif next_pool_name in unresolved_pools:
+                # next pool not yet resolved
+                pass
+            else:
+                raise ConfigError(
+                    f"Pool '{next_pool_name}' not defined in configuration data"
+                )
+
+        if not resolved_pools:
+            raise ConfigError("Circular reference in configuration data")
+
+        for pool in resolved_pools:
+            unresolved_pools.pop(pool)
+
+    return pools
+
+
+def verify_accel_ppp_base_service(config, local_users=True):
+    """
+    Common helper function which must be used by all Accel-PPP services based
+    on get_config_dict()
+    """
+    # vertify auth settings
+    if local_users and dict_search("authentication.mode", config) == "local":
+        if (
+            dict_search("authentication.local_users", config) is None
+            or dict_search("authentication.local_users", config) == {}
+        ):
+            raise ConfigError(
+                "Authentication mode local requires local users to be configured!"
+            )
+
+        for user in dict_search("authentication.local_users.username", config):
+            user_config = config["authentication"]["local_users"]["username"][user]
+
+            if "password" not in user_config:
+                raise ConfigError(f'Password required for local user "{user}"')
+
+            if "rate_limit" in user_config:
+                # if up/download is set, check that both have a value
+                if not {"upload", "download"} <= set(user_config["rate_limit"]):
+                    raise ConfigError(
+                        f'User "{user}" has rate-limit configured for only one '
+                        "direction but both upload and download must be given!"
+                    )
+
+    elif dict_search("authentication.mode", config) == "radius":
+        if not dict_search("authentication.radius.server", config):
+            raise ConfigError("RADIUS authentication requires at least one server")
+
+        for server in dict_search("authentication.radius.server", config):
+            radius_config = config["authentication"]["radius"]["server"][server]
+            if "key" not in radius_config:
+                raise ConfigError(f'Missing RADIUS secret key for server "{server}"')
+
+    if "name_server_ipv4" in config:
+        if len(config["name_server_ipv4"]) > 2:
+            raise ConfigError(
+                "Not more then two IPv4 DNS name-servers " "can be configured"
+            )
+
+    if "name_server_ipv6" in config:
+        if len(config["name_server_ipv6"]) > 3:
+            raise ConfigError(
+                "Not more then three IPv6 DNS name-servers " "can be configured"
+            )
+
+    if "client_ipv6_pool" in config:
+        ipv6_pool = config["client_ipv6_pool"]
+        if "delegate" in ipv6_pool:
+            if "prefix" not in ipv6_pool:
+                raise ConfigError(
+                    'IPv6 "delegate" also requires "prefix" to be defined!'
+                )
+
+            for delegate in ipv6_pool["delegate"]:
+                if "delegation_prefix" not in ipv6_pool["delegate"][delegate]:
+                    raise ConfigError("delegation-prefix length required!")
+
+
+def verify_accel_ppp_ip_pool(vpn_config):
+    """
+    Common helper function which must be used by Accel-PPP
+    services (pptp, l2tp, sstp, pppoe) to verify client-ip-pool
+    """
+    if dict_search("client_ip_pool", vpn_config):
+        for pool_name, pool_config in vpn_config["client_ip_pool"].items():
+            next_pool = dict_search(f"next_pool", pool_config)
+            if next_pool:
+                if next_pool not in vpn_config["client_ip_pool"]:
+                    raise ConfigError(f'Next pool "{next_pool}" does not exist')
+                if not dict_search(f"range", pool_config):
+                    raise ConfigError(
+                        f'Pool "{pool_name}" does not contain range but next-pool exists'
+                    )
+
+    if not dict_search("gateway_address", vpn_config):
+        raise ConfigError("Server requires gateway-address to be configured!")
+    default_pool = dict_search("default_pool", vpn_config)
+    if default_pool:
+        if default_pool not in dict_search("client_ip_pool", vpn_config):
+            raise ConfigError(f'Default pool "{default_pool}" does not exists')
diff --git a/python/vyos/component_version.py b/python/vyos/component_version.py
index 84e0ae51a..9662ebfcf 100644
--- a/python/vyos/component_version.py
+++ b/python/vyos/component_version.py
@@ -90,31 +90,6 @@ def from_system():
     """
     return component_version()
 
-def legacy_from_system():
-    """
-    Get system component version dict from legacy location.
-    This is for a transitional sanity check; the directory will eventually
-    be removed.
-    """
-    system_versions = {}
-    legacy_dir = directories['current']
-
-    # To be removed:
-    if not os.path.isdir(legacy_dir):
-        return system_versions
-
-    try:
-        version_info = os.listdir(legacy_dir)
-    except OSError as err:
-        sys.exit(repr(err))
-
-    for info in version_info:
-        if re.match(r'[\w,-]+@\d+', info):
-            pair = info.split('@')
-            system_versions[pair[0]] = int(pair[1])
-
-    return system_versions
-
 def format_string(ver: dict) -> str:
     """
     Version dict to string.
diff --git a/python/vyos/config.py b/python/vyos/config.py
index 0ca41718f..bee85315d 100644
--- a/python/vyos/config.py
+++ b/python/vyos/config.py
@@ -29,7 +29,7 @@ There are multiple types of config tree nodes in VyOS, each requires
 its own set of operations.
 
 *Leaf nodes* (such as "address" in interfaces) can have values, but cannot
-have children. 
+have children.
 Leaf nodes can have one value, multiple values, or no values at all.
 
 For example, "system host-name" is a single-value leaf node,
@@ -92,6 +92,38 @@ def config_dict_merge(src: dict, dest: Union[dict, ConfigDict]) -> ConfigDict:
         dest = ConfigDict(dest)
     return ext_dict_merge(src, dest)
 
+def config_dict_mangle_acme(name, cli_dict):
+    """
+    Load CLI PKI dictionary and if an ACME certificate is used, load it's content
+    and place it into the CLI dictionary as it would be a "regular" CLI PKI based
+    certificate with private key
+    """
+    from vyos.base import ConfigError
+    from vyos.defaults import directories
+    from vyos.utils.file import read_file
+    from vyos.pki import encode_certificate
+    from vyos.pki import encode_private_key
+    from vyos.pki import load_certificate
+    from vyos.pki import load_private_key
+
+    try:
+        vyos_certbot_dir = directories['certbot']
+
+        if 'acme' in cli_dict:
+            tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem')
+            tmp = load_certificate(tmp, wrap_tags=False)
+            cert_base64 = "".join(encode_certificate(tmp).strip().split("\n")[1:-1])
+
+            tmp = read_file(f'{vyos_certbot_dir}/live/{name}/privkey.pem')
+            tmp = load_private_key(tmp, wrap_tags=False)
+            key_base64 = "".join(encode_private_key(tmp).strip().split("\n")[1:-1])
+            # install ACME based PEM keys into "regular" CLI config keys
+            cli_dict.update({'certificate' : cert_base64, 'private' : {'key' : key_base64}})
+    except:
+        raise ConfigError(f'Unable to load ACME certificates for "{name}"!')
+
+    return cli_dict
+
 class Config(object):
     """
     The class of config access objects.
@@ -258,7 +290,9 @@ class Config(object):
     def get_config_dict(self, path=[], effective=False, key_mangling=None,
                         get_first_key=False, no_multi_convert=False,
                         no_tag_node_value_mangle=False,
-                        with_defaults=False, with_recursive_defaults=False):
+                        with_defaults=False,
+                        with_recursive_defaults=False,
+                        with_pki=False):
         """
         Args:
             path (str list): Configuration tree path, can be empty
@@ -274,6 +308,7 @@ class Config(object):
         del kwargs['no_multi_convert']
         del kwargs['with_defaults']
         del kwargs['with_recursive_defaults']
+        del kwargs['with_pki']
 
         lpath = self._make_path(path)
         root_dict = self.get_cached_root_dict(effective)
@@ -298,6 +333,18 @@ class Config(object):
         else:
             conf_dict = ConfigDict(conf_dict)
 
+        if with_pki and conf_dict:
+            pki_dict = self.get_config_dict(['pki'], key_mangling=('-', '_'),
+                                            no_tag_node_value_mangle=True,
+                                            get_first_key=True)
+            if pki_dict:
+                if 'certificate' in pki_dict:
+                    for certificate in pki_dict['certificate']:
+                        pki_dict['certificate'][certificate] = config_dict_mangle_acme(
+                            certificate, pki_dict['certificate'][certificate])
+
+                conf_dict['pki'] = pki_dict
+
         # save optional args for a call to get_config_defaults
         setattr(conf_dict, '_dict_kwargs', kwargs)
 
diff --git a/python/vyos/config_mgmt.py b/python/vyos/config_mgmt.py
index 0fc72e660..ff078649d 100644
--- a/python/vyos/config_mgmt.py
+++ b/python/vyos/config_mgmt.py
@@ -22,19 +22,24 @@ import logging
 from typing import Optional, Tuple, Union
 from filecmp import cmp
 from datetime import datetime
-from textwrap import dedent
+from textwrap import dedent, indent
 from pathlib import Path
 from tabulate import tabulate
+from shutil import copy, chown
+from urllib.parse import urlsplit, urlunsplit
 
 from vyos.config import Config
 from vyos.configtree import ConfigTree, ConfigTreeError, show_diff
+from vyos.load_config import load, LoadConfigError
 from vyos.defaults import directories
 from vyos.version import get_full_version_data
 from vyos.utils.io import ask_yes_no
+from vyos.utils.boot import boot_configuration_complete
 from vyos.utils.process import is_systemd_service_active
 from vyos.utils.process import rc_cmd
 
 SAVE_CONFIG = '/usr/libexec/vyos/vyos-save-config.py'
+config_json = '/run/vyatta/config/config.json'
 
 # created by vyatta-cfg-postinst
 commit_post_hook_dir = '/etc/commit/post-hooks.d'
@@ -62,8 +67,11 @@ formatter = logging.Formatter('%(funcName)s: %(levelname)s:%(message)s')
 ch.setFormatter(formatter)
 logger.addHandler(ch)
 
-def save_config(target):
-    cmd = f'{SAVE_CONFIG} {target}'
+def save_config(target, json_out=None):
+    if json_out is None:
+        cmd = f'{SAVE_CONFIG} {target}'
+    else:
+        cmd = f'{SAVE_CONFIG} {target} --write-json-file {json_out}'
     rc, out = rc_cmd(cmd)
     if rc != 0:
         logger.critical(f'save config failed: {out}')
@@ -118,6 +126,7 @@ class ConfigMgmt:
                                    get_first_key=True)
 
         self.max_revisions = int(d.get('commit_revisions', 0))
+        self.num_revisions = 0
         self.locations = d.get('commit_archive', {}).get('location', [])
         self.source_address = d.get('commit_archive',
                                     {}).get('source_address', '')
@@ -200,9 +209,9 @@ Proceed ?'''
             raise ConfigMgmtError(out)
 
         entry = self._read_tmp_log_entry()
-        self._add_log_entry(**entry)
 
         if self._archive_active_config():
+            self._add_log_entry(**entry)
             self._update_archive()
 
         msg = 'Reboot timer stopped'
@@ -223,12 +232,10 @@ Proceed ?'''
     def rollback(self, rev: int, no_prompt: bool=False) -> Tuple[str,int]:
         """Reboot to config revision 'rev'.
         """
-        from shutil import copy
-
         msg = ''
 
         if not self._check_revision_number(rev):
-            msg = f'Invalid revision number {rev}: must be 0 < rev < {maxrev}'
+            msg = f'Invalid revision number {rev}: must be 0 < rev < {self.num_revisions}'
             return msg, 1
 
         prompt_str = 'Proceed with reboot ?'
@@ -256,6 +263,23 @@ Proceed ?'''
 
         return msg, 0
 
+    def rollback_soft(self, rev: int):
+        """Rollback without reboot (rollback-soft)
+        """
+        msg = ''
+
+        if not self._check_revision_number(rev):
+            msg = f'Invalid revision number {rev}: must be 0 < rev < {self.num_revisions}'
+            return msg, 1
+
+        rollback_ct = self._get_config_tree_revision(rev)
+        try:
+            load(rollback_ct, switch='explicit')
+        except LoadConfigError as e:
+            raise ConfigMgmtError(e) from e
+
+        return msg, 0
+
     def compare(self, saved: bool=False, commands: bool=False,
                 rev1: Optional[int]=None,
                 rev2: Optional[int]=None) -> Tuple[str,int]:
@@ -326,6 +350,12 @@ Proceed ?'''
         """
         mask = os.umask(0o002)
         os.makedirs(archive_dir, exist_ok=True)
+        json_dir = os.path.dirname(config_json)
+        try:
+            os.makedirs(json_dir, exist_ok=True)
+            chown(json_dir, group='vyattacfg')
+        except OSError as e:
+            logger.warning(f'cannot create {json_dir}: {e}')
 
         self._add_logrotate_conf()
 
@@ -334,10 +364,10 @@ Proceed ?'''
             user = self._get_user()
             via = 'init'
             comment = ''
-            self._add_log_entry(user, via, comment)
             # add empty init config before boot-config load for revision
             # and diff consistency
             if self._archive_active_config():
+                self._add_log_entry(user, via, comment)
                 self._update_archive()
 
         os.umask(mask)
@@ -352,9 +382,8 @@ Proceed ?'''
             self._new_log_entry(tmp_file=tmp_log_entry)
             return
 
-        self._add_log_entry()
-
         if self._archive_active_config():
+            self._add_log_entry()
             self._update_archive()
 
     def commit_archive(self):
@@ -368,7 +397,13 @@ Proceed ?'''
         remote_file = f'config.boot-{hostname}.{timestamp}'
         source_address = self.source_address
 
+        if self.effective_locations:
+            print("Archiving config...")
         for location in self.effective_locations:
+            url = urlsplit(location)
+            _, _, netloc = url.netloc.rpartition("@")
+            redacted_location = urlunsplit(url._replace(netloc=netloc))
+            print(f"  {redacted_location}", end=" ", flush=True)
             upload(archive_config_file, f'{location}/{remote_file}',
                    source_host=source_address)
 
@@ -439,13 +474,10 @@ Proceed ?'''
 
     # utility functions
     #
-    @staticmethod
-    def _strip_version(s):
-        return re.split(r'(^//)', s, maxsplit=1, flags=re.MULTILINE)[0]
 
     def _get_saved_config_tree(self):
         with open(config_file) as f:
-            c = self._strip_version(f.read())
+            c = f.read()
         return ConfigTree(c)
 
     def _get_file_revision(self, rev: int):
@@ -457,7 +489,7 @@ Proceed ?'''
         return r
 
     def _get_config_tree_revision(self, rev: int):
-        c = self._strip_version(self._get_file_revision(rev))
+        c = self._get_file_revision(rev)
         return ConfigTree(c)
 
     def _add_logrotate_conf(self):
@@ -475,22 +507,37 @@ Proceed ?'''
         conf_file.chmod(0o644)
 
     def _archive_active_config(self) -> bool:
+        save_to_tmp = (boot_configuration_complete() or not
+                       os.path.isfile(archive_config_file))
         mask = os.umask(0o113)
 
         ext = os.getpid()
-        tmp_save = f'/tmp/config.boot.{ext}'
-        save_config(tmp_save)
+        cmp_saved = f'/tmp/config.boot.{ext}'
+        if save_to_tmp:
+            save_config(cmp_saved, json_out=config_json)
+        else:
+            copy(config_file, cmp_saved)
+
+        # on boot, we need to manually create the config.json file; after
+        # boot, it is written by save_config, above
+        if not os.path.exists(config_json):
+            ct = self._get_saved_config_tree()
+            try:
+                with open(config_json, 'w') as f:
+                    f.write(ct.to_json())
+                chown(config_json, group='vyattacfg')
+            except OSError as e:
+                logger.warning(f'cannot create {config_json}: {e}')
 
         try:
-            if cmp(tmp_save, archive_config_file, shallow=False):
-                # this will be the case on boot, as well as certain
-                # re-initialiation instances after delete/set
-                os.unlink(tmp_save)
+            if cmp(cmp_saved, archive_config_file, shallow=False):
+                os.unlink(cmp_saved)
+                os.umask(mask)
                 return False
         except FileNotFoundError:
             pass
 
-        rc, out = rc_cmd(f'sudo mv {tmp_save} {archive_config_file}')
+        rc, out = rc_cmd(f'sudo mv {cmp_saved} {archive_config_file}')
         os.umask(mask)
 
         if rc != 0:
@@ -522,9 +569,8 @@ Proceed ?'''
         return len(l)
 
     def _check_revision_number(self, rev: int) -> bool:
-        # exclude init revision:
-        maxrev = self._get_number_of_revisions()
-        if not 0 <= rev < maxrev - 1:
+        self.num_revisions = self._get_number_of_revisions()
+        if not 0 <= rev < self.num_revisions:
             return False
         return True
 
@@ -666,6 +712,11 @@ def run():
     rollback.add_argument('-y', dest='no_prompt', action='store_true',
                           help="Excute without prompt")
 
+    rollback_soft = subparsers.add_parser('rollback_soft',
+                                     help="Rollback to earlier config")
+    rollback_soft.add_argument('--rev', type=int,
+                          help="Revision number for rollback")
+
     compare = subparsers.add_parser('compare',
                                     help="Compare config files")
 
diff --git a/python/vyos/configdep.py b/python/vyos/configdep.py
index 7a8559839..8a28811eb 100644
--- a/python/vyos/configdep.py
+++ b/python/vyos/configdep.py
@@ -1,4 +1,4 @@
-# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -17,8 +17,10 @@ import os
 import json
 import typing
 from inspect import stack
+from graphlib import TopologicalSorter, CycleError
 
 from vyos.utils.system import load_as_module
+from vyos.configdict import dict_merge
 from vyos.defaults import directories
 from vyos.configsource import VyOSError
 from vyos import ConfigError
@@ -28,6 +30,9 @@ from vyos import ConfigError
 if typing.TYPE_CHECKING:
     from vyos.config import Config
 
+dependency_dir = os.path.join(directories['data'],
+                              'config-mode-dependencies')
+
 dependent_func: dict[str, list[typing.Callable]] = {}
 
 def canon_name(name: str) -> str:
@@ -38,14 +43,22 @@ def canon_name_of_path(path: str) -> str:
     return canon_name(script)
 
 def caller_name() -> str:
-    return stack()[-1].filename
+    return stack()[2].filename
 
-def read_dependency_dict() -> dict:
-    path = os.path.join(directories['data'],
-                        'config-mode-dependencies.json')
-    with open(path) as f:
-        d = json.load(f)
-    return d
+def read_dependency_dict(dependency_dir: str = dependency_dir) -> dict:
+    res = {}
+    for dep_file in os.listdir(dependency_dir):
+        if not dep_file.endswith('.json'):
+            continue
+        path = os.path.join(dependency_dir, dep_file)
+        with open(path) as f:
+            d = json.load(f)
+        if dep_file == 'vyos-1x.json':
+            res = dict_merge(res, d)
+        else:
+            res = dict_merge(d, res)
+
+    return res
 
 def get_dependency_dict(config: 'Config') -> dict:
     if hasattr(config, 'cached_dependency_dict'):
@@ -93,3 +106,37 @@ def call_dependents():
     while l:
         f = l.pop(0)
         f()
+
+def graph_from_dependency_dict(d: dict) -> dict:
+    g = {}
+    for k in list(d):
+        g[k] = set()
+        # add the dependencies for every sub-case; should there be cases
+        # that are mutally exclusive in the future, the graphs will be
+        # distinguished
+        for el in list(d[k]):
+            g[k] |= set(d[k][el])
+
+    return g
+
+def is_acyclic(d: dict) -> bool:
+    g = graph_from_dependency_dict(d)
+    ts = TopologicalSorter(g)
+    try:
+        # get node iterator
+        order = ts.static_order()
+        # try iteration
+        _ = [*order]
+    except CycleError:
+        return False
+
+    return True
+
+def check_dependency_graph(dependency_dir: str = dependency_dir,
+                           supplement: str = None) -> bool:
+    d = read_dependency_dict(dependency_dir=dependency_dir)
+    if supplement is not None:
+        with open(supplement) as f:
+            d = dict_merge(json.load(f), d)
+
+    return is_acyclic(d)
diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py
index 71a06b625..4111d7271 100644
--- a/python/vyos/configdict.py
+++ b/python/vyos/configdict.py
@@ -104,6 +104,10 @@ def list_diff(first, second):
     return [item for item in first if item not in second]
 
 def is_node_changed(conf, path):
+   """
+   Check if any key under path has been changed and return True.
+   If nothing changed, return false
+   """
    from vyos.configdiff import get_config_diff
    D = get_config_diff(conf, key_mangling=('-', '_'))
    return D.is_node_changed(path)
@@ -139,17 +143,30 @@ def leaf_node_changed(conf, path):
 
     return None
 
-def node_changed(conf, path, key_mangling=None, recursive=False):
+def node_changed(conf, path, key_mangling=None, recursive=False, expand_nodes=None) -> list:
     """
-    Check if a leaf node was altered. If it has been altered - values has been
-    changed, or it was added/removed, we will return the old value. If nothing
-    has been changed, None is returned
+    Check if node under path (or anything under path if recursive=True) was changed. By default
+    we only check if a node or subnode (recursive) was deleted from path. If expand_nodes
+    is set to Diff.ADD we can also check if something was added to the path.
+
+    If nothing changed, an empty list is returned.
     """
-    from vyos.configdiff import get_config_diff, Diff
+    from vyos.configdiff import get_config_diff
+    from vyos.configdiff import Diff
+    # to prevent circular dependencies we assign the default here
+    if not expand_nodes: expand_nodes = Diff.DELETE
     D = get_config_diff(conf, key_mangling)
-    # get_child_nodes() will return dict_keys(), mangle this into a list with PEP448
-    keys = D.get_child_nodes_diff(path, expand_nodes=Diff.DELETE, recursive=recursive)['delete'].keys()
-    return list(keys)
+    # get_child_nodes_diff() will return dict_keys()
+    tmp = D.get_child_nodes_diff(path, expand_nodes=expand_nodes, recursive=recursive)
+    output = []
+    if expand_nodes & Diff.DELETE:
+        output.extend(list(tmp['delete'].keys()))
+    if expand_nodes & Diff.ADD:
+        output.extend(list(tmp['add'].keys()))
+
+    # remove duplicate keys from list, this happens when a node (e.g. description) is altered
+    output = list(dict.fromkeys(output))
+    return output
 
 def get_removed_vlans(conf, path, dict):
     """
@@ -258,10 +275,10 @@ def has_address_configured(conf, intf):
     old_level = conf.get_level()
     conf.set_level([])
 
-    intfpath = 'interfaces ' + Section.get_config_path(intf)
-    if ( conf.exists(f'{intfpath} address') or
-            conf.exists(f'{intfpath} ipv6 address autoconf') or
-            conf.exists(f'{intfpath} ipv6 address eui64') ):
+    intfpath = ['interfaces', Section.get_config_path(intf)]
+    if (conf.exists([intfpath, 'address']) or
+        conf.exists([intfpath, 'ipv6', 'address', 'autoconf']) or
+        conf.exists([intfpath, 'ipv6', 'address', 'eui64'])):
         ret = True
 
     conf.set_level(old_level)
@@ -279,8 +296,7 @@ def has_vrf_configured(conf, intf):
     old_level = conf.get_level()
     conf.set_level([])
 
-    tmp = ['interfaces', Section.get_config_path(intf), 'vrf']
-    if conf.exists(tmp):
+    if conf.exists(['interfaces', Section.get_config_path(intf), 'vrf']):
         ret = True
 
     conf.set_level(old_level)
@@ -298,8 +314,7 @@ def has_vlan_subinterface_configured(conf, intf):
     ret = False
 
     intfpath = ['interfaces', Section.section(intf), intf]
-    if ( conf.exists(intfpath + ['vif']) or
-            conf.exists(intfpath + ['vif-s'])):
+    if (conf.exists(intfpath + ['vif']) or conf.exists(intfpath + ['vif-s'])):
         ret = True
 
     return ret
@@ -412,7 +427,7 @@ def get_pppoe_interfaces(conf, vrf=None):
 
     return pppoe_interfaces
 
-def get_interface_dict(config, base, ifname='', recursive_defaults=True):
+def get_interface_dict(config, base, ifname='', recursive_defaults=True, with_pki=False):
     """
     Common utility function to retrieve and mangle the interfaces configuration
     from the CLI input nodes. All interfaces have a common base where value
@@ -444,7 +459,8 @@ def get_interface_dict(config, base, ifname='', recursive_defaults=True):
                                       get_first_key=True,
                                       no_tag_node_value_mangle=True,
                                       with_defaults=True,
-                                      with_recursive_defaults=recursive_defaults)
+                                      with_recursive_defaults=recursive_defaults,
+                                      with_pki=with_pki)
 
         # If interface does not request an IPv4 DHCP address there is no need
         # to keep the dhcp-options key
@@ -608,7 +624,7 @@ def get_vlan_ids(interface):
 
     return vlan_ids
 
-def get_accel_dict(config, base, chap_secrets):
+def get_accel_dict(config, base, chap_secrets, with_pki=False):
     """
     Common utility function to retrieve and mangle the Accel-PPP configuration
     from different CLI input nodes. All Accel-PPP services have a common base
@@ -623,7 +639,8 @@ def get_accel_dict(config, base, chap_secrets):
     dict = config.get_config_dict(base, key_mangling=('-', '_'),
                                   get_first_key=True,
                                   no_tag_node_value_mangle=True,
-                                  with_recursive_defaults=True)
+                                  with_recursive_defaults=True,
+                                  with_pki=with_pki)
 
     # set CPUs cores to process requests
     dict.update({'thread_count' : get_half_cpus()})
diff --git a/python/vyos/configdiff.py b/python/vyos/configdiff.py
index 1ec2dfafe..03b06c6d9 100644
--- a/python/vyos/configdiff.py
+++ b/python/vyos/configdiff.py
@@ -165,6 +165,30 @@ class ConfigDiff(object):
             return True
         return False
 
+    def node_changed_presence(self, path=[]) -> bool:
+        if self._diff_tree is None:
+            raise NotImplementedError("diff_tree class not available")
+
+        path = self._make_path(path)
+        before = self._diff_tree.left.exists(path)
+        after = self._diff_tree.right.exists(path)
+        return (before and not after) or (not before and after)
+
+    def node_changed_children(self, path=[]) -> list:
+        if self._diff_tree is None:
+            raise NotImplementedError("diff_tree class not available")
+
+        path = self._make_path(path)
+        add = self._diff_tree.add
+        sub = self._diff_tree.sub
+        children = set()
+        if add.exists(path):
+            children.update(add.list_nodes(path))
+        if sub.exists(path):
+            children.update(sub.list_nodes(path))
+
+        return list(children)
+
     def get_child_nodes_diff_str(self, path=[]):
         ret = {'add': {}, 'change': {}, 'delete': {}}
 
diff --git a/python/vyos/configsession.py b/python/vyos/configsession.py
index 6d4b2af59..90842b749 100644
--- a/python/vyos/configsession.py
+++ b/python/vyos/configsession.py
@@ -30,11 +30,15 @@ SHOW_CONFIG = ['/bin/cli-shell-api', 'showConfig']
 LOAD_CONFIG = ['/bin/cli-shell-api', 'loadFile']
 MIGRATE_LOAD_CONFIG = ['/usr/libexec/vyos/vyos-load-config.py']
 SAVE_CONFIG = ['/usr/libexec/vyos/vyos-save-config.py']
-INSTALL_IMAGE = ['/opt/vyatta/sbin/install-image', '--url']
-REMOVE_IMAGE = ['/opt/vyatta/bin/vyatta-boot-image.pl', '--del']
+INSTALL_IMAGE = ['/usr/libexec/vyos/op_mode/image_installer.py',
+                 '--action', 'add', '--no-prompt', '--image-path']
+REMOVE_IMAGE = ['/usr/libexec/vyos/op_mode/image_manager.py',
+                '--action', 'delete', '--no-prompt', '--image-name']
 GENERATE = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'generate']
 SHOW = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'show']
 RESET = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'reset']
+REBOOT = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'reboot']
+POWEROFF = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'poweroff']
 OP_CMD_ADD = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'add']
 OP_CMD_DELETE = ['/opt/vyatta/bin/vyatta-op-cmd-wrapper', 'delete']
 
@@ -220,10 +224,18 @@ class ConfigSession(object):
         out = self.__run_command(SHOW + path)
         return out
 
+    def reboot(self, path):
+        out = self.__run_command(REBOOT + path)
+        return out
+
     def reset(self, path):
         out = self.__run_command(RESET + path)
         return out
 
+    def poweroff(self, path):
+        out = self.__run_command(POWEROFF + path)
+        return out
+
     def add_container_image(self, name):
         out = self.__run_command(OP_CMD_ADD + ['container', 'image'] + [name])
         return out
diff --git a/python/vyos/configtree.py b/python/vyos/configtree.py
index 09cfd43d3..d048901f0 100644
--- a/python/vyos/configtree.py
+++ b/python/vyos/configtree.py
@@ -160,6 +160,9 @@ class ConfigTree(object):
     def _get_config(self):
         return self.__config
 
+    def get_version_string(self):
+        return self.__version
+
     def to_string(self, ordered_values=False):
         config_string = self.__to_string(self.__config, ordered_values).decode()
         config_string = "{0}\n{1}".format(config_string, self.__version)
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 52f9238b8..85423142d 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -281,16 +281,22 @@ def verify_source_interface(config):
     perform recurring validation of the existence of a source-interface
     required by e.g. peth/MACvlan, MACsec ...
     """
+    import re
     from netifaces import interfaces
-    if 'source_interface' not in config:
-        raise ConfigError('Physical source-interface required for '
-                          'interface "{ifname}"'.format(**config))
 
-    if config['source_interface'] not in interfaces():
-        raise ConfigError('Specified source-interface {source_interface} does '
-                          'not exist'.format(**config))
+    ifname = config['ifname']
+    if 'source_interface' not in config:
+        raise ConfigError(f'Physical source-interface required for "{ifname}"!')
 
     src_ifname = config['source_interface']
+    # We do not allow sourcing other interfaces (e.g. tunnel) from dynamic interfaces
+    tmp = re.compile(r'(ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+')
+    if tmp.match(src_ifname):
+        raise ConfigError(f'Can not source "{ifname}" from dynamic interface "{src_ifname}"!')
+
+    if src_ifname not in interfaces():
+        raise ConfigError(f'Specified source-interface {src_ifname} does not exist')
+
     if 'source_interface_is_bridge_member' in config:
         bridge_name = next(iter(config['source_interface_is_bridge_member']))
         raise ConfigError(f'Invalid source-interface "{src_ifname}". Interface '
@@ -303,7 +309,6 @@ def verify_source_interface(config):
 
     if 'is_source_interface' in config:
         tmp = config['is_source_interface']
-        src_ifname = config['source_interface']
         raise ConfigError(f'Can not use source-interface "{src_ifname}", it already ' \
                           f'belongs to interface "{tmp}"!')
 
@@ -385,72 +390,6 @@ def verify_vlan_config(config):
             verify_mtu_parent(c_vlan, config)
             verify_mtu_parent(c_vlan, s_vlan)
 
-def verify_accel_ppp_base_service(config, local_users=True):
-    """
-    Common helper function which must be used by all Accel-PPP services based
-    on get_config_dict()
-    """
-    # vertify auth settings
-    if local_users and dict_search('authentication.mode', config) == 'local':
-        if (dict_search(f'authentication.local_users', config) is None or
-                dict_search(f'authentication.local_users', config) == {}):
-            raise ConfigError(
-                'Authentication mode local requires local users to be configured!')
-
-        for user in dict_search('authentication.local_users.username', config):
-            user_config = config['authentication']['local_users']['username'][user]
-
-            if 'password' not in user_config:
-                raise ConfigError(f'Password required for local user "{user}"')
-
-            if 'rate_limit' in user_config:
-                # if up/download is set, check that both have a value
-                if not {'upload', 'download'} <= set(user_config['rate_limit']):
-                    raise ConfigError(f'User "{user}" has rate-limit configured for only one ' \
-                                      'direction but both upload and download must be given!')
-
-    elif dict_search('authentication.mode', config) == 'radius':
-        if not dict_search('authentication.radius.server', config):
-            raise ConfigError('RADIUS authentication requires at least one server')
-
-        for server in dict_search('authentication.radius.server', config):
-            radius_config = config['authentication']['radius']['server'][server]
-            if 'key' not in radius_config:
-                raise ConfigError(f'Missing RADIUS secret key for server "{server}"')
-
-    # Check global gateway or gateway in named pool
-    gateway = False
-    if 'gateway_address' in config:
-        gateway = True
-    else:
-        if 'client_ip_pool' in config:
-            if dict_search_recursive(config, 'gateway_address', ['client_ip_pool', 'name']):
-                for _, v in config['client_ip_pool']['name'].items():
-                    if 'gateway_address' in v:
-                        gateway = True
-                        break
-    if not gateway:
-        raise ConfigError('Server requires gateway-address to be configured!')
-
-    if 'name_server_ipv4' in config:
-        if len(config['name_server_ipv4']) > 2:
-            raise ConfigError('Not more then two IPv4 DNS name-servers ' \
-                              'can be configured')
-
-    if 'name_server_ipv6' in config:
-        if len(config['name_server_ipv6']) > 3:
-            raise ConfigError('Not more then three IPv6 DNS name-servers ' \
-                              'can be configured')
-
-    if 'client_ipv6_pool' in config:
-        ipv6_pool = config['client_ipv6_pool']
-        if 'delegate' in ipv6_pool:
-            if 'prefix' not in ipv6_pool:
-                raise ConfigError('IPv6 "delegate" also requires "prefix" to be defined!')
-
-            for delegate in ipv6_pool['delegate']:
-                if 'delegation_prefix' not in ipv6_pool['delegate'][delegate]:
-                    raise ConfigError('delegation-prefix length required!')
 
 def verify_diffie_hellman_length(file, min_keysize):
     """ Verify Diffie-Hellamn keypair length given via file. It must be greater
diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py
index a5314790d..64145a42e 100644
--- a/python/vyos/defaults.py
+++ b/python/vyos/defaults.py
@@ -24,7 +24,6 @@ directories = {
   'op_mode' : f'{base_dir}/op_mode',
   'services' : f'{base_dir}/services',
   'config' : '/opt/vyatta/etc/config',
-  'current' : '/opt/vyatta/etc/config-migrate/current',
   'migrate' : '/opt/vyatta/etc/config-migrate/migrate',
   'log' : '/var/log/vyatta',
   'templates' : '/usr/share/vyos/templates/',
@@ -38,6 +37,7 @@ directories = {
 }
 
 config_status = '/tmp/vyos-config-status'
+api_config_state = '/run/http-api-state'
 
 cfg_group = 'vyattacfg'
 
@@ -46,23 +46,3 @@ cfg_vintage = 'vyos'
 commit_lock = '/opt/vyatta/config/.lock'
 
 component_version_json = os.path.join(directories['data'], 'component-versions.json')
-
-https_data = {
-    'listen_addresses' : { '*': ['_'] }
-}
-
-api_data = {
-    'listen_address' : '127.0.0.1',
-    'port' : '8080',
-    'socket' : False,
-    'strict' : False,
-    'debug' : False,
-    'api_keys' : [ {'id' : 'testapp', 'key' : 'qwerty'} ]
-}
-
-vyos_cert_data = {
-    'conf' : '/etc/nginx/snippets/vyos-cert.conf',
-    'crt' : '/etc/ssl/certs/vyos-selfsigned.crt',
-    'key' : '/etc/ssl/private/vyos-selfsign',
-    'lifetime' : '365',
-}
diff --git a/python/vyos/ethtool.py b/python/vyos/ethtool.py
index ca3bcfc3d..ba638b280 100644
--- a/python/vyos/ethtool.py
+++ b/python/vyos/ethtool.py
@@ -23,6 +23,7 @@ from vyos.utils.process import popen
 _drivers_without_speed_duplex_flow = ['vmxnet3', 'virtio_net', 'xen_netfront',
                                       'iavf', 'ice', 'i40e', 'hv_netvsc', 'veth', 'ixgbevf',
                                       'tun']
+_drivers_without_eee = ['vmxnet3', 'virtio_net', 'xen_netfront', 'hv_netvsc']
 
 class Ethtool:
     """
@@ -55,16 +56,18 @@ class Ethtool:
     _auto_negotiation_supported = None
     _flow_control = False
     _flow_control_enabled = None
+    _eee = False
+    _eee_enabled = None
 
     def __init__(self, ifname):
         # Get driver used for interface
-        out, err = popen(f'ethtool --driver {ifname}')
+        out, _ = popen(f'ethtool --driver {ifname}')
         driver = re.search(r'driver:\s(\w+)', out)
         if driver:
             self._driver_name = driver.group(1)
 
         # Build a dictinary of supported link-speed and dupley settings.
-        out, err = popen(f'ethtool {ifname}')
+        out, _ = popen(f'ethtool {ifname}')
         reading = False
         pattern = re.compile(r'\d+base.*')
         for line in out.splitlines()[1:]:
@@ -95,7 +98,7 @@ class Ethtool:
                 self._auto_negotiation = bool(tmp == 'on')
 
         # Now populate features dictionaty
-        out, err = popen(f'ethtool --show-features {ifname}')
+        out, _ = popen(f'ethtool --show-features {ifname}')
         # skip the first line, it only says: "Features for eth0":
         for line in out.splitlines()[1:]:
             if ":" in line:
@@ -108,7 +111,7 @@ class Ethtool:
                     'fixed' : fixed
                 }
 
-        out, err = popen(f'ethtool --show-ring {ifname}')
+        out, _ = popen(f'ethtool --show-ring {ifname}')
         # We are only interested in line 2-5 which contains the device maximum
         # ringbuffers
         for line in out.splitlines()[2:6]:
@@ -133,13 +136,22 @@ class Ethtool:
 
         # Get current flow control settings, but this is not supported by
         # all NICs (e.g. vmxnet3 does not support is)
-        out, err = popen(f'ethtool --show-pause {ifname}')
+        out, _ = popen(f'ethtool --show-pause {ifname}')
         if len(out.splitlines()) > 1:
             self._flow_control = True
             # read current flow control setting, this returns:
             # ['Autonegotiate:', 'on']
             self._flow_control_enabled = out.splitlines()[1].split()[-1]
 
+        # Get current Energy Efficient Ethernet (EEE) settings, but this is
+        # not supported by all NICs (e.g. vmxnet3 does not support is)
+        out, _ = popen(f'ethtool --show-eee {ifname}')
+        if len(out.splitlines()) > 1:
+            self._eee = True
+            # read current EEE setting, this returns:
+            # EEE status: disabled || EEE status: enabled - inactive || EEE status: enabled - active
+            self._eee_enabled = bool('enabled' in out.splitlines()[2])
+
     def check_auto_negotiation_supported(self):
         """ Check if the NIC supports changing auto-negotiation """
         return self._auto_negotiation_supported
@@ -172,6 +184,9 @@ class Ethtool:
     def get_generic_segmentation_offload(self):
         return self._get_generic('generic-segmentation-offload')
 
+    def get_hw_tc_offload(self):
+        return self._get_generic('hw-tc-offload')
+
     def get_large_receive_offload(self):
         return self._get_generic('large-receive-offload')
 
@@ -224,3 +239,15 @@ class Ethtool:
             raise ValueError('Interface does not support changing '\
                              'flow-control settings!')
         return self._flow_control_enabled
+
+    def check_eee(self):
+        """ Check if the NIC supports eee """
+        if self.get_driver_name() in _drivers_without_eee:
+            return False
+        return self._eee
+
+    def get_eee(self):
+        if self._eee_enabled == None:
+            raise ValueError('Interface does not support changing '\
+                             'EEE settings!')
+        return self._eee_enabled
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 53ff8259e..4fc1abb15 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -87,14 +87,33 @@ def nft_action(vyos_action):
 
 def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
     output = []
-    def_suffix = '6' if ip_name == 'ip6' else ''
+    if ip_name == 'ip6':
+        def_suffix = '6'
+        family = 'ipv6'
+    else:
+        def_suffix = ''
+        family = 'bri' if ip_name == 'bri' else 'ipv4'
 
     if 'state' in rule_conf and rule_conf['state']:
-        states = ",".join([s for s, v in rule_conf['state'].items() if v == 'enable'])
+        states = ",".join([s for s in rule_conf['state']])
 
         if states:
             output.append(f'ct state {{{states}}}')
 
+    if 'conntrack_helper' in rule_conf:
+        helper_map = {'h323': ['RAS', 'Q.931'], 'nfs': ['rpc'], 'sqlnet': ['tns']}
+        helper_out = []
+
+        for helper in rule_conf['conntrack_helper']:
+            if helper in helper_map:
+                helper_out.extend(helper_map[helper])
+            else:
+                helper_out.append(helper)
+
+        if helper_out:
+            helper_str = ','.join(f'"{s}"' for s in helper_out)
+            output.append(f'ct helper {{{helper_str}}}')
+
     if 'connection_status' in rule_conf and rule_conf['connection_status']:
         status = rule_conf['connection_status']
         if status['nat'] == 'destination':
@@ -242,28 +261,6 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
 
                     output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
 
-    if 'log' in rule_conf and rule_conf['log'] == 'enable':
-        action = rule_conf['action'] if 'action' in rule_conf else 'accept'
-        output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
-
-        if 'log_options' in rule_conf:
-
-            if 'level' in rule_conf['log_options']:
-                log_level = rule_conf['log_options']['level']
-                output.append(f'log level {log_level}')
-
-            if 'group' in rule_conf['log_options']:
-                log_group = rule_conf['log_options']['group']
-                output.append(f'log group {log_group}')
-
-                if 'queue_threshold' in rule_conf['log_options']:
-                    queue_threshold = rule_conf['log_options']['queue_threshold']
-                    output.append(f'queue-threshold {queue_threshold}')
-
-                if 'snapshot_length' in rule_conf['log_options']:
-                    log_snaplen = rule_conf['log_options']['snapshot_length']
-                    output.append(f'snaplen {log_snaplen}')
-
     if 'hop_limit' in rule_conf:
         operators = {'eq': '==', 'gt': '>', 'lt': '<'}
         for op, operator in operators.items():
@@ -273,14 +270,14 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
 
     if 'inbound_interface' in rule_conf:
         operator = ''
-        if 'interface_name' in rule_conf['inbound_interface']:
-            iiface = rule_conf['inbound_interface']['interface_name']
+        if 'name' in rule_conf['inbound_interface']:
+            iiface = rule_conf['inbound_interface']['name']
             if iiface[0] == '!':
                 operator = '!='
                 iiface = iiface[1:]
             output.append(f'iifname {operator} {{{iiface}}}')
         else:
-            iiface = rule_conf['inbound_interface']['interface_group']
+            iiface = rule_conf['inbound_interface']['group']
             if iiface[0] == '!':
                 operator = '!='
                 iiface = iiface[1:]
@@ -288,14 +285,14 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
 
     if 'outbound_interface' in rule_conf:
         operator = ''
-        if 'interface_name' in rule_conf['outbound_interface']:
-            oiface = rule_conf['outbound_interface']['interface_name']
+        if 'name' in rule_conf['outbound_interface']:
+            oiface = rule_conf['outbound_interface']['name']
             if oiface[0] == '!':
                 operator = '!='
                 oiface = oiface[1:]
             output.append(f'oifname {operator} {{{oiface}}}')
         else:
-            oiface = rule_conf['outbound_interface']['interface_group']
+            oiface = rule_conf['outbound_interface']['group']
             if oiface[0] == '!':
                 operator = '!='
                 oiface = oiface[1:]
@@ -379,6 +376,43 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
         conn_mark_str = ','.join(rule_conf['connection_mark'])
         output.append(f'ct mark {{{conn_mark_str}}}')
 
+    if 'mark' in rule_conf:
+        mark = rule_conf['mark']
+        operator = ''
+        if mark[0] == '!':
+            operator = '!='
+            mark = mark[1:]
+        output.append(f'meta mark {operator} {{{mark}}}')
+
+    if 'vlan' in rule_conf:
+        if 'id' in rule_conf['vlan']:
+            output.append(f'vlan id {rule_conf["vlan"]["id"]}')
+        if 'priority' in rule_conf['vlan']:
+            output.append(f'vlan pcp {rule_conf["vlan"]["priority"]}')
+
+    if 'log' in rule_conf:
+        action = rule_conf['action'] if 'action' in rule_conf else 'accept'
+        #output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
+        output.append(f'log prefix "[{family}-{hook}-{fw_name}-{rule_id}-{action[:1].upper()}]"')
+                        ##{family}-{hook}-{fw_name}-{rule_id}
+        if 'log_options' in rule_conf:
+
+            if 'level' in rule_conf['log_options']:
+                log_level = rule_conf['log_options']['level']
+                output.append(f'log level {log_level}')
+
+            if 'group' in rule_conf['log_options']:
+                log_group = rule_conf['log_options']['group']
+                output.append(f'log group {log_group}')
+
+                if 'queue_threshold' in rule_conf['log_options']:
+                    queue_threshold = rule_conf['log_options']['queue_threshold']
+                    output.append(f'queue-threshold {queue_threshold}')
+
+                if 'snapshot_length' in rule_conf['log_options']:
+                    log_snaplen = rule_conf['log_options']['snapshot_length']
+                    output.append(f'snaplen {log_snaplen}')
+
     output.append('counter')
 
     if 'set' in rule_conf:
@@ -387,24 +421,29 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
     if 'action' in rule_conf:
         # Change action=return to action=action
         # #output.append(nft_action(rule_conf['action']))
-        output.append(f'{rule_conf["action"]}')
-        if 'jump' in rule_conf['action']:
-            target = rule_conf['jump_target']
-            output.append(f'NAME{def_suffix}_{target}')
+        if rule_conf['action'] == 'offload':
+            offload_target = rule_conf['offload_target']
+            output.append(f'flow add @VYOS_FLOWTABLE_{offload_target}')
+        else:
+            output.append(f'{rule_conf["action"]}')
+
+            if 'jump' in rule_conf['action']:
+                target = rule_conf['jump_target']
+                output.append(f'NAME{def_suffix}_{target}')
 
-        if 'queue' in rule_conf['action']:
-            if 'queue' in rule_conf:
-                target = rule_conf['queue']
-                output.append(f'num {target}')
+            if 'queue' in rule_conf['action']:
+                if 'queue' in rule_conf:
+                    target = rule_conf['queue']
+                    output.append(f'num {target}')
 
-            if 'queue_options' in rule_conf:
-                queue_opts = ','.join(rule_conf['queue_options'])
-                output.append(f'{queue_opts}')
+                if 'queue_options' in rule_conf:
+                    queue_opts = ','.join(rule_conf['queue_options'])
+                    output.append(f'{queue_opts}')
 
     else:
         output.append('return')
 
-    output.append(f'comment "{hook}-{fw_name}-{rule_id}"')
+    output.append(f'comment "{family}-{hook}-{fw_name}-{rule_id}"')
     return " ".join(output)
 
 def parse_tcp_flags(flags):
diff --git a/python/vyos/frr.py b/python/vyos/frr.py
index 2e3c8a271..a01d967e4 100644
--- a/python/vyos/frr.py
+++ b/python/vyos/frr.py
@@ -86,9 +86,8 @@ ch2 = logging.StreamHandler(stream=sys.stdout)
 LOG.addHandler(ch)
 LOG.addHandler(ch2)
 
-_frr_daemons = ['zebra', 'bgpd', 'fabricd', 'isisd', 'ospf6d', 'ospfd', 'pbrd',
-                'pimd', 'ripd', 'ripngd', 'sharpd', 'staticd', 'vrrpd', 'ldpd',
-                'bfdd', 'eigrpd', 'babeld']
+_frr_daemons = ['zebra', 'staticd', 'bgpd', 'ospfd', 'ospf6d', 'ripd', 'ripngd',
+                'isisd', 'pimd', 'pim6d', 'ldpd', 'eigrpd', 'babeld', 'bfdd']
 
 path_vtysh = '/usr/bin/vtysh'
 path_frr_reload = '/usr/lib/frr/frr-reload.py'
diff --git a/python/vyos/ifconfig/bond.py b/python/vyos/ifconfig/bond.py
index d1d7d48c4..45e6e4c16 100644
--- a/python/vyos/ifconfig/bond.py
+++ b/python/vyos/ifconfig/bond.py
@@ -92,6 +92,19 @@ class BondIf(Interface):
         }
     }}
 
+    @staticmethod
+    def get_inherit_bond_options() -> list:
+        """
+        Returns list of option
+        which are inherited from bond interface to member interfaces
+        :return: List of interface options
+        :rtype: list
+        """
+        options = [
+            'mtu'
+        ]
+        return options
+
     def remove(self):
         """
         Remove interface from operating system. Removing the interface
diff --git a/python/vyos/ifconfig/ethernet.py b/python/vyos/ifconfig/ethernet.py
index 24ce3a803..aaf903acd 100644
--- a/python/vyos/ifconfig/ethernet.py
+++ b/python/vyos/ifconfig/ethernet.py
@@ -57,6 +57,10 @@ class EthernetIf(Interface):
             'validate': lambda v: assert_list(v, ['on', 'off']),
             'possible': lambda i, v: EthernetIf.feature(i, 'gso', v),
         },
+        'hw-tc-offload': {
+            'validate': lambda v: assert_list(v, ['on', 'off']),
+            'possible': lambda i, v: EthernetIf.feature(i, 'hw-tc-offload', v),
+        },
         'lro': {
             'validate': lambda v: assert_list(v, ['on', 'off']),
             'possible': lambda i, v: EthernetIf.feature(i, 'lro', v),
@@ -71,6 +75,40 @@ class EthernetIf(Interface):
         },
     }}
 
+    @staticmethod
+    def get_bond_member_allowed_options() -> list:
+        """
+        Return list of options which are allowed for changing,
+        when interface is a bond member
+        :return: List of interface options
+        :rtype: list
+        """
+        bond_allowed_sections = [
+            'description',
+            'disable',
+            'disable_flow_control',
+            'disable_link_detect',
+            'duplex',
+            'eapol.ca_certificate',
+            'eapol.certificate',
+            'eapol.passphrase',
+            'mirror.egress',
+            'mirror.ingress',
+            'offload.gro',
+            'offload.gso',
+            'offload.lro',
+            'offload.rfs',
+            'offload.rps',
+            'offload.sg',
+            'offload.tso',
+            'redirect',
+            'ring_buffer.rx',
+            'ring_buffer.tx',
+            'speed',
+            'hw_id'
+        ]
+        return bond_allowed_sections
+
     def __init__(self, ifname, **kargs):
         super().__init__(ifname, **kargs)
         self.ethtool = Ethtool(ifname)
@@ -222,6 +260,25 @@ class EthernetIf(Interface):
                 print('Adapter does not support changing generic-segmentation-offload settings!')
         return False
 
+    def set_hw_tc_offload(self, state):
+        """
+        Enable hardware TC flow offload. State can be either True or False.
+        Example:
+        >>> from vyos.ifconfig import EthernetIf
+        >>> i = EthernetIf('eth0')
+        >>> i.set_hw_tc_offload(True)
+        """
+        if not isinstance(state, bool):
+            raise ValueError('Value out of range')
+
+        enabled, fixed = self.ethtool.get_hw_tc_offload()
+        if enabled != state:
+            if not fixed:
+                return self.set_interface('hw-tc-offload', 'on' if state else 'off')
+            else:
+                print('Adapter does not support changing hw-tc-offload settings!')
+        return False
+
     def set_lro(self, state):
         """
         Enable Large Receive offload. State can be either True or False.
@@ -342,6 +399,34 @@ class EthernetIf(Interface):
             print(f'could not set "{rx_tx}" ring-buffer for {ifname}')
         return output
 
+    def set_eee(self, enable):
+        """
+        Enable/Disable Energy Efficient Ethernet (EEE) settings
+
+        Example:
+        >>> from vyos.ifconfig import EthernetIf
+        >>> i = EthernetIf('eth0')
+        >>> i.set_eee(enable=False)
+        """
+        if not isinstance(enable, bool):
+            raise ValueError('Value out of range')
+
+        if not self.ethtool.check_eee():
+            self._debug_msg(f'NIC driver does not support changing EEE settings!')
+            return False
+
+        current = self.ethtool.get_eee()
+        if current != enable:
+            # Assemble command executed on system. Unfortunately there is no way
+            # to change this setting via sysfs
+            cmd = f'ethtool --set-eee {self.ifname} eee '
+            cmd += 'on' if enable else 'off'
+            output, code = self._popen(cmd)
+            if code:
+                Warning(f'could not change "{self.ifname}" EEE setting!')
+            return output
+        return None
+
     def update(self, config):
         """ General helper function which works on a dictionary retrived by
         get_config_dict(). It's main intention is to consolidate the scattered
@@ -352,12 +437,18 @@ class EthernetIf(Interface):
         value = 'off' if 'disable_flow_control' in config else 'on'
         self.set_flow_control(value)
 
+        # Always disable Energy Efficient Ethernet
+        self.set_eee(False)
+
         # GRO (generic receive offload)
         self.set_gro(dict_search('offload.gro', config) != None)
 
         # GSO (generic segmentation offload)
         self.set_gso(dict_search('offload.gso', config) != None)
 
+        # GSO (generic segmentation offload)
+        self.set_hw_tc_offload(dict_search('offload.hw-tc-offload', config) != None)
+
         # LRO (large receive offload)
         self.set_lro(dict_search('offload.lro', config) != None)
 
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 9e9a6b92a..c793f6199 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -113,7 +113,7 @@ class Interface(Control):
         },
         'vrf': {
             'shellcmd': 'ip -json -detail link list dev {ifname}',
-            'format': lambda j: jmespath.search('[*].master | [0]', json.loads(j)),
+            'format': lambda j: jmespath.search('[?linkinfo.info_slave_kind == `vrf`].master | [0]', json.loads(j)),
         },
     }
 
@@ -481,12 +481,12 @@ class Interface(Control):
         from hashlib import sha256
 
         # Get processor ID number
-        cpu_id = self._cmd('sudo dmidecode -t 4 | grep ID | head -n1 |  sed "s/.*ID://;s/ //g"')
+        cpu_id = self._cmd('sudo dmidecode -t 4 | grep ID | head -n1 | sed "s/.*ID://;s/ //g"')
 
         # XXX: T3894 - it seems not all systems have eth0 - get a list of all
         # available Ethernet interfaces on the system (without VLAN subinterfaces)
         # and then take the first one.
-        all_eth_ifs = [x for x in Section.interfaces('ethernet') if '.' not in x]
+        all_eth_ifs = Section.interfaces('ethernet', vlan=False)
         first_mac = Interface(all_eth_ifs[0]).get_mac()
 
         sha = sha256()
@@ -562,6 +562,16 @@ class Interface(Control):
 
         self.set_interface('netns', netns)
 
+    def get_vrf(self):
+        """
+        Get VRF from interface
+
+        Example:
+        >>> from vyos.ifconfig import Interface
+        >>> Interface('eth0').get_vrf()
+        """
+        return self.get_interface('vrf')
+
     def set_vrf(self, vrf):
         """
         Add/Remove interface from given VRF instance.
diff --git a/python/vyos/ifconfig/macsec.py b/python/vyos/ifconfig/macsec.py
index 9329c5ee7..bde1d9aec 100644
--- a/python/vyos/ifconfig/macsec.py
+++ b/python/vyos/ifconfig/macsec.py
@@ -45,6 +45,10 @@ class MACsecIf(Interface):
         # create tunnel interface
         cmd  = 'ip link add link {source_interface} {ifname} type {type}'.format(**self.config)
         cmd += f' cipher {self.config["security"]["cipher"]}'
+
+        if 'encrypt' in self.config["security"]:
+            cmd += ' encrypt on'
+
         self._cmd(cmd)
 
         # Check if using static keys
diff --git a/python/vyos/ifconfig/vxlan.py b/python/vyos/ifconfig/vxlan.py
index 6a9911588..a2c4aad50 100644
--- a/python/vyos/ifconfig/vxlan.py
+++ b/python/vyos/ifconfig/vxlan.py
@@ -1,4 +1,4 @@
-# Copyright 2019-2022 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2019-2023 VyOS maintainers and contributors <maintainers@vyos.io>
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,9 +13,16 @@
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 
+from json import loads
+
 from vyos import ConfigError
+from vyos.configdict import list_diff
 from vyos.ifconfig import Interface
+from vyos.utils.assertion import assert_list
 from vyos.utils.dict import dict_search
+from vyos.utils.network import get_interface_config
+from vyos.utils.network import get_vxlan_vlan_tunnels
+from vyos.utils.network import get_vxlan_vni_filter
 
 @Interface.register
 class VXLANIf(Interface):
@@ -49,19 +56,31 @@ class VXLANIf(Interface):
         }
     }
 
+    _command_set = {**Interface._command_set, **{
+        'neigh_suppress': {
+            'validate': lambda v: assert_list(v, ['on', 'off']),
+            'shellcmd': 'bridge link set dev {ifname} neigh_suppress {value} learning off',
+        },
+        'vlan_tunnel': {
+            'validate': lambda v: assert_list(v, ['on', 'off']),
+            'shellcmd': 'bridge link set dev {ifname} vlan_tunnel {value}',
+        },
+    }}
+
     def _create(self):
         # This table represents a mapping from VyOS internal config dict to
         # arguments used by iproute2. For more information please refer to:
         # - https://man7.org/linux/man-pages/man8/ip-link.8.html
         mapping = {
             'group'                      : 'group',
-            'external'                   : 'external',
             'gpe'                        : 'gpe',
+            'parameters.external'        : 'external',
             'parameters.ip.df'           : 'df',
             'parameters.ip.tos'          : 'tos',
             'parameters.ip.ttl'          : 'ttl',
             'parameters.ipv6.flowlabel'  : 'flowlabel',
             'parameters.nolearning'      : 'nolearning',
+            'parameters.vni_filter'      : 'vnifilter',
             'remote'                     : 'remote',
             'source_address'             : 'local',
             'source_interface'           : 'dev',
@@ -93,9 +112,86 @@ class VXLANIf(Interface):
         # interface is always A/D down. It needs to be enabled explicitly
         self.set_admin_state('down')
 
-        # VXLAN tunnel is always recreated on any change - see interfaces-vxlan.py
+        # VXLAN tunnel is always recreated on any change - see interfaces_vxlan.py
         if remote_list:
             for remote in remote_list:
                 cmd = f'bridge fdb append to 00:00:00:00:00:00 dst {remote} ' \
                        'port {port} dev {ifname}'
                 self._cmd(cmd.format(**self.config))
+
+    def set_neigh_suppress(self, state):
+        """
+        Controls whether neigh discovery (arp and nd) proxy and suppression
+        is enabled on the port. By default this flag is off.
+        """
+
+        # Determine current OS Kernel neigh_suppress setting - only adjust when needed
+        tmp = get_interface_config(self.ifname)
+        cur_state = 'on' if dict_search(f'linkinfo.info_slave_data.neigh_suppress', tmp) == True else 'off'
+        new_state = 'on' if state else 'off'
+        if cur_state != new_state:
+            self.set_interface('neigh_suppress', state)
+
+    def set_vlan_vni_mapping(self, state):
+        """
+        Controls whether vlan to tunnel mapping is enabled on the port.
+        By default this flag is off.
+        """
+        if not isinstance(state, bool):
+            raise ValueError('Value out of range')
+
+        if 'vlan_to_vni_removed' in self.config:
+            cur_vni_filter = get_vxlan_vni_filter(self.ifname)
+            for vlan, vlan_config in self.config['vlan_to_vni_removed'].items():
+                # If VNI filtering is enabled, remove matching VNI filter
+                if dict_search('parameters.vni_filter', self.config) != None:
+                    vni = vlan_config['vni']
+                    if vni in cur_vni_filter:
+                        self._cmd(f'bridge vni delete dev {self.ifname} vni {vni}')
+                self._cmd(f'bridge vlan del dev {self.ifname} vid {vlan}')
+
+        # Determine current OS Kernel vlan_tunnel setting - only adjust when needed
+        tmp = get_interface_config(self.ifname)
+        cur_state = 'on' if dict_search(f'linkinfo.info_slave_data.vlan_tunnel', tmp) == True else 'off'
+        new_state = 'on' if state else 'off'
+        if cur_state != new_state:
+            self.set_interface('vlan_tunnel', new_state)
+
+        if 'vlan_to_vni' in self.config:
+            # Determine current OS Kernel configured VLANs
+            os_configured_vlan_ids = get_vxlan_vlan_tunnels(self.ifname)
+            add_vlan = list_diff(list(self.config['vlan_to_vni'].keys()), os_configured_vlan_ids)
+
+            for vlan, vlan_config in self.config['vlan_to_vni'].items():
+                # VLAN mapping already exists - skip
+                if vlan not in add_vlan:
+                    continue
+
+                vni = vlan_config['vni']
+                # The following commands must be run one after another,
+                # they can not be combined with linux 6.1 and iproute2 6.1
+                self._cmd(f'bridge vlan add dev {self.ifname} vid {vlan}')
+                self._cmd(f'bridge vlan add dev {self.ifname} vid {vlan} tunnel_info id {vni}')
+
+                # If VNI filtering is enabled, install matching VNI filter
+                if dict_search('parameters.vni_filter', self.config) != None:
+                    self._cmd(f'bridge vni add dev {self.ifname} vni {vni}')
+
+    def update(self, config):
+        """ General helper function which works on a dictionary retrived by
+        get_config_dict(). It's main intention is to consolidate the scattered
+        interface setup code and provide a single point of entry when workin
+        on any interface. """
+
+        # call base class last
+        super().update(config)
+
+        # Enable/Disable VLAN tunnel mapping
+        # This is only possible after the interface was assigned to the bridge
+        self.set_vlan_vni_mapping(dict_search('vlan_to_vni', config) != None)
+
+        # Enable/Disable neighbor suppression and learning, there is no need to
+        # explicitly "disable" it, as VXLAN interface will be recreated if anything
+        # under "parameters" changes.
+        if dict_search('parameters.neighbor_suppress', config) != None:
+            self.set_neigh_suppress('on')
diff --git a/python/vyos/ifconfig/wireguard.py b/python/vyos/ifconfig/wireguard.py
index 4aac103ec..5704f8b64 100644
--- a/python/vyos/ifconfig/wireguard.py
+++ b/python/vyos/ifconfig/wireguard.py
@@ -167,11 +167,6 @@ class WireGuardIf(Interface):
         interface setup code and provide a single point of entry when workin
         on any interface. """
 
-        # remove no longer associated peers first
-        if 'peer_remove' in config:
-            for peer, public_key in config['peer_remove'].items():
-                self._cmd(f'wg set {self.ifname} peer {public_key} remove')
-
         tmp_file = NamedTemporaryFile('w')
         tmp_file.write(config['private_key'])
         tmp_file.flush()
diff --git a/python/vyos/load_config.py b/python/vyos/load_config.py
new file mode 100644
index 000000000..af563614d
--- /dev/null
+++ b/python/vyos/load_config.py
@@ -0,0 +1,200 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+"""This module abstracts the loading of a config file into the running
+config. It provides several varieties of loading a config file, from the
+legacy version to the developing versions, as a means of offering
+alternatives for competing use cases, and a base for profiling the
+performance of each.
+"""
+
+import sys
+from pathlib import Path
+from tempfile import NamedTemporaryFile
+from typing import Union, Literal, TypeAlias, get_type_hints, get_args
+
+from vyos.config import Config
+from vyos.configtree import ConfigTree, DiffTree
+from vyos.configsource import ConfigSourceSession, VyOSError
+from vyos.component_version import from_string as version_from_string
+from vyos.component_version import from_system as version_from_system
+from vyos.migrator import Migrator, VirtualMigrator, MigratorError
+from vyos.utils.process import popen, DEVNULL
+
+Variety: TypeAlias = Literal['explicit', 'batch', 'tree', 'legacy']
+ConfigObj: TypeAlias = Union[str, ConfigTree]
+
+thismod = sys.modules[__name__]
+
+class LoadConfigError(Exception):
+    """Raised when an error occurs loading a config file.
+    """
+
+# utility functions
+
+def get_running_config(config: Config) -> ConfigTree:
+    return config.get_config_tree(effective=True)
+
+def get_proposed_config(config_file: str = None) -> ConfigTree:
+    config_str = Path(config_file).read_text()
+    return ConfigTree(config_str)
+
+def migration_needed(config_obj: ConfigObj) -> bool:
+    """Check if a migration is needed for the config object.
+    """
+    if not isinstance(config_obj, ConfigTree):
+        atree = get_proposed_config(config_obj)
+    else:
+        atree = config_obj
+    version_str = atree.get_version_string()
+    if not version_str:
+        return True
+    aversion = version_from_string(version_str.splitlines()[1])
+    bversion = version_from_system()
+    return aversion != bversion
+
+def check_session(strict: bool, switch: Variety) -> None:
+    """Check if we are in a config session, with no uncommitted changes, if
+    strict. This is not needed for legacy load, as these checks are
+    implicit.
+    """
+
+    if switch == 'legacy':
+        return
+
+    context = ConfigSourceSession()
+
+    if not context.in_session():
+        raise LoadConfigError('not in a config session')
+
+    if strict and context.session_changed():
+        raise LoadConfigError('commit or discard changes before loading config')
+
+# methods to call for each variety
+
+# explicit
+def diff_to_commands(ctree: ConfigTree, ntree: ConfigTree) -> list:
+    """Calculate the diff between the current and proposed config."""
+    # Calculate the diff between the current and new config tree
+    commands = DiffTree(ctree, ntree).to_commands()
+    # on an empty set of 'add' or 'delete' commands, to_commands
+    # returns '\n'; prune below
+    command_list = commands.splitlines()
+    command_list = [c for c in command_list if c]
+    return command_list
+
+def set_commands(cmds: list) -> None:
+    """Set commands in the config session."""
+    if not cmds:
+        print('no commands to set')
+        return
+    error_out = []
+    for op in cmds:
+        out, rc = popen(f'/opt/vyatta/sbin/my_{op}', shell=True, stderr=DEVNULL)
+        if rc != 0:
+            error_out.append(out)
+            continue
+    if error_out:
+        out = '\n'.join(error_out)
+        raise LoadConfigError(out)
+
+# legacy
+class LoadConfig(ConfigSourceSession):
+    """A subclass for calling 'loadFile'.
+    """
+    def load_config(self, file_name):
+        return self._run(['/bin/cli-shell-api','loadFile', file_name])
+
+# end methods to call for each variety
+
+def migrate(config_obj: ConfigObj) -> ConfigObj:
+    """Migrate a config object to the current version.
+    """
+    if isinstance(config_obj, ConfigTree):
+        config_file = NamedTemporaryFile(delete=False).name
+        Path(config_file).write_text(config_obj.to_string())
+    else:
+        config_file = config_obj
+
+    virtual_migration = VirtualMigrator(config_file)
+    migration = Migrator(config_file)
+    try:
+        virtual_migration.run()
+        migration.run()
+    except MigratorError as e:
+        raise LoadConfigError(e) from e
+    else:
+        if isinstance(config_obj, ConfigTree):
+            return ConfigTree(Path(config_file).read_text())
+        return config_file
+    finally:
+        if isinstance(config_obj, ConfigTree):
+            Path(config_file).unlink()
+
+def load_explicit(config_obj: ConfigObj):
+    """Explicit load from file or configtree.
+    """
+    config = Config()
+    ctree = get_running_config(config)
+    if isinstance(config_obj, ConfigTree):
+        ntree = config_obj
+    else:
+        ntree = get_proposed_config(config_obj)
+    # Calculate the diff between the current and proposed config
+    cmds = diff_to_commands(ctree, ntree)
+    # Set the commands in the config session
+    set_commands(cmds)
+
+def load_batch(config_obj: ConfigObj):
+    # requires legacy backend patch
+    raise NotImplementedError('batch loading not implemented')
+
+def load_tree(config_obj: ConfigObj):
+    # requires vyconf backend patch
+    raise NotImplementedError('tree loading not implemented')
+
+def load_legacy(config_obj: ConfigObj):
+    """Legacy load from file or configtree.
+    """
+    if isinstance(config_obj, ConfigTree):
+        config_file = NamedTemporaryFile(delete=False).name
+        Path(config_file).write_text(config_obj.to_string())
+    else:
+        config_file = config_obj
+
+    config = LoadConfig()
+
+    try:
+        config.load_config(config_file)
+    except VyOSError as e:
+        raise LoadConfigError(e) from e
+    finally:
+        if isinstance(config_obj, ConfigTree):
+            Path(config_file).unlink()
+
+def load(config_obj: ConfigObj, strict: bool = True,
+         switch: Variety = 'legacy'):
+    type_hints = get_type_hints(load)
+    switch_choice = get_args(type_hints['switch'])
+    if switch not in switch_choice:
+        raise ValueError(f'invalid switch: {switch}')
+
+    check_session(strict, switch)
+
+    if migration_needed(config_obj):
+        config_obj = migrate(config_obj)
+
+    func = getattr(thismod, f'load_{switch}')
+    func(config_obj)
diff --git a/python/vyos/nat.py b/python/vyos/nat.py
index 9cbc2b96e..7215aac88 100644
--- a/python/vyos/nat.py
+++ b/python/vyos/nat.py
@@ -32,14 +32,34 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
     translation_str = ''
 
     if 'inbound_interface' in rule_conf:
-        ifname = rule_conf['inbound_interface']
-        if ifname != 'any':
-            output.append(f'iifname "{ifname}"')
+        operator = ''
+        if 'name' in rule_conf['inbound_interface']:
+            iiface = rule_conf['inbound_interface']['name']
+            if iiface[0] == '!':
+                operator = '!='
+                iiface = iiface[1:]
+            output.append(f'iifname {operator} {{{iiface}}}')
+        else:
+            iiface = rule_conf['inbound_interface']['group']
+            if iiface[0] == '!':
+                operator = '!='
+                iiface = iiface[1:]
+            output.append(f'iifname {operator} @I_{iiface}')
 
     if 'outbound_interface' in rule_conf:
-        ifname = rule_conf['outbound_interface']
-        if ifname != 'any':
-            output.append(f'oifname "{ifname}"')
+        operator = ''
+        if 'name' in rule_conf['outbound_interface']:
+            oiface = rule_conf['outbound_interface']['name']
+            if oiface[0] == '!':
+                operator = '!='
+                oiface = oiface[1:]
+            output.append(f'oifname {operator} {{{oiface}}}')
+        else:
+            oiface = rule_conf['outbound_interface']['group']
+            if oiface[0] == '!':
+                operator = '!='
+                oiface = oiface[1:]
+            output.append(f'oifname {operator} @I_{oiface}')
 
     if 'protocol' in rule_conf and rule_conf['protocol'] != 'all':
         protocol = rule_conf['protocol']
@@ -69,7 +89,10 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
             if addr and is_ip_network(addr):
                 if not ipv6:
                     map_addr =  dict_search_args(rule_conf, nat_type, 'address')
-                    translation_output.append(f'{ip_prefix} prefix to {ip_prefix} {translation_prefix}addr map {{ {map_addr} : {addr} }}')
+                    if port:
+                        translation_output.append(f'{ip_prefix} prefix to {ip_prefix} {translation_prefix}addr map {{ {map_addr} : {addr} . {port} }}')
+                    else:
+                        translation_output.append(f'{ip_prefix} prefix to {ip_prefix} {translation_prefix}addr map {{ {map_addr} : {addr} }}')
                     ignore_type_addr = True
                 else:
                     translation_output.append(f'prefix to {addr}')
@@ -92,7 +115,10 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
         if port_mapping and port_mapping != 'none':
             options.append(port_mapping)
 
-        translation_str = " ".join(translation_output) + (f':{port}' if port else '')
+        if ((not addr) or (addr and not is_ip_network(addr))) and port:
+            translation_str = " ".join(translation_output) + (f':{port}')
+        else:
+            translation_str = " ".join(translation_output)
 
         if options:
             translation_str += f' {",".join(options)}'
@@ -150,7 +176,7 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
             operator = ''
             if addr_prefix[:1] == '!':
                 operator = '!='
-                addr_prefix = addr[1:]
+                addr_prefix = addr_prefix[1:]
             output.append(f'ip6 {prefix}addr {operator} {addr_prefix}')
 
         port = dict_search_args(side_conf, 'port')
diff --git a/python/vyos/progressbar.py b/python/vyos/progressbar.py
new file mode 100644
index 000000000..7bc9d9856
--- /dev/null
+++ b/python/vyos/progressbar.py
@@ -0,0 +1,79 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+import math
+import os
+import signal
+import subprocess
+import sys
+
+from vyos.utils.io import is_dumb_terminal
+from vyos.utils.io import print_error
+
+
+class Progressbar:
+    def __init__(self, step=None):
+        self.total = 0.0
+        self.step = step
+        # Silently ignore all calls if terminal capabilities are lacking.
+        # This will also prevent the output from littering Ansible logs,
+        # as `ansible.netcommon.network_cli' coaxes the terminal into believing
+        # it is interactive.
+        self._dumb = is_dumb_terminal()
+    def __enter__(self):
+        if not self._dumb:
+            # Recalculate terminal width with every window resize.
+            signal.signal(signal.SIGWINCH, lambda signum, frame: self._update_cols())
+            # Disable line wrapping to prevent the staircase effect.
+            subprocess.run(['tput', 'rmam'], check=False)
+            self._update_cols()
+            # Print an empty progressbar with entry.
+            self.progress(0, 1)
+        return self
+    def __exit__(self, exc_type, kexc_val, exc_tb):
+        if not self._dumb:
+            # Revert to the default SIGWINCH handler (ie nothing).
+            signal.signal(signal.SIGWINCH, signal.SIG_DFL)
+            # Reenable line wrapping.
+            subprocess.run(['tput', 'smam'], check=False)
+    def _update_cols(self):
+        # `os.get_terminal_size()' is fast enough for our purposes.
+        self.col = max(os.get_terminal_size().columns - 15, 20)
+    def increment(self):
+        """
+        Stateful progressbar taking the step fraction at init and no input at
+        callback (for FTP)
+        """
+        if self.step:
+            if self.total < 1.0:
+                self.total += self.step
+            if self.total >= 1.0:
+                self.total = 1.0
+                # Ignore superfluous calls caused by fuzzy FTP size calculations.
+                self.step = None
+            self.progress(self.total, 1.0)
+    def progress(self, done, total):
+        """
+        Stateless progressbar taking no input at init and current progress with
+        final size at callback (for SSH)
+        """
+        if done <= total and not self._dumb:
+            length = math.ceil(self.col * done / total)
+            percentage = str(math.ceil(100 * done / total)).rjust(3)
+            # Carriage return at the end will make sure the line will get overwritten.
+            print_error(f'[{length * "#"}{(self.col - length) * "_"}] {percentage}%', end='\r')
+        # Print a newline to make sure the full progressbar doesn't get overwritten by the next line.
+        if done == total:
+            print_error()
diff --git a/python/vyos/qos/trafficshaper.py b/python/vyos/qos/trafficshaper.py
index c63c7cf39..0d5f9a8a1 100644
--- a/python/vyos/qos/trafficshaper.py
+++ b/python/vyos/qos/trafficshaper.py
@@ -1,4 +1,4 @@
-# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2022-2023 VyOS maintainers and contributors <maintainers@vyos.io>
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -89,6 +89,10 @@ class TrafficShaper(QoSBase):
                 if 'priority' in cls_config:
                     priority = cls_config['priority']
                     tmp += f' prio {priority}'
+
+                if 'ceiling' in cls_config:
+                    f_ceil = self._rate_convert(cls_config['ceiling'])
+                    tmp += f' ceil {f_ceil}'
                 self._cmd(tmp)
 
                 tmp = f'tc qdisc replace dev {self._interface} parent {self._parent:x}:{cls:x} sfq'
@@ -102,6 +106,9 @@ class TrafficShaper(QoSBase):
                 if 'priority' in config['default']:
                     priority = config['default']['priority']
                     tmp += f' prio {priority}'
+                if 'ceiling' in config['default']:
+                    f_ceil = self._rate_convert(config['default']['ceiling'])
+                    tmp += f' ceil {f_ceil}'
                 self._cmd(tmp)
 
                 tmp = f'tc qdisc replace dev {self._interface} parent {self._parent:x}:{default_minor_id:x} sfq'
diff --git a/python/vyos/raid.py b/python/vyos/raid.py
new file mode 100644
index 000000000..7fb794817
--- /dev/null
+++ b/python/vyos/raid.py
@@ -0,0 +1,71 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.utils.disk import device_from_id
+from vyos.utils.process import cmd
+
+def raid_sets():
+    """
+    Returns a list of RAID sets
+    """
+    with open('/proc/mdstat') as f:
+        return [line.split()[0].rstrip(':') for line in f if line.startswith('md')]
+
+def raid_set_members(raid_set_name: str):
+    """
+    Returns a list of members of a RAID set
+    """
+    with open('/proc/mdstat') as f:
+        for line in f:
+            if line.startswith(raid_set_name):
+                return [l.split('[')[0] for l in line.split()[4:]]
+    return []
+
+def partitions():
+    """
+    Returns a list of partitions
+    """
+    with open('/proc/partitions') as f:
+        p = [l.strip().split()[-1] for l in list(f) if l.strip()]
+    p.remove('name')
+    return p
+
+def add_raid_member(raid_set_name: str, member: str, by_id: bool = False):
+    """
+    Add a member to an existing RAID set
+    """
+    if by_id:
+        member = device_from_id(member)
+    if raid_set_name not in raid_sets():
+        raise ValueError(f"RAID set {raid_set_name} does not exist")
+    if member not in partitions():
+        raise ValueError(f"Partition {member} does not exist")
+    if member in raid_set_members(raid_set_name):
+        raise ValueError(f"Partition {member} is already a member of RAID set {raid_set_name}")
+    cmd(f'mdadm --add /dev/{raid_set_name} /dev/{member}')
+    disk = cmd(f'lsblk -ndo PKNAME /dev/{member}')
+    cmd(f'grub-install /dev/{disk}')
+
+def delete_raid_member(raid_set_name: str, member: str, by_id: bool = False):
+    """
+    Delete a member from an existing RAID set
+    """
+    if by_id:
+        member = device_from_id(member)
+    if raid_set_name not in raid_sets():
+        raise ValueError(f"RAID set {raid_set_name} does not exist")
+    if member not in raid_set_members(raid_set_name):
+        raise ValueError(f"Partition {member} is not a member of RAID set {raid_set_name}")
+    cmd(f'mdadm --remove /dev/{raid_set_name} /dev/{member}')
diff --git a/python/vyos/remote.py b/python/vyos/remote.py
index cf731c881..b1efcd10b 100644
--- a/python/vyos/remote.py
+++ b/python/vyos/remote.py
@@ -14,6 +14,7 @@
 # License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
+import pwd
 import shutil
 import socket
 import ssl
@@ -22,6 +23,9 @@ import sys
 import tempfile
 import urllib.parse
 
+from contextlib import contextmanager
+from pathlib import Path
+
 from ftplib import FTP
 from ftplib import FTP_TLS
 
@@ -32,12 +36,12 @@ from requests import Session
 from requests.adapters import HTTPAdapter
 from requests.packages.urllib3 import PoolManager
 
+from vyos.progressbar import Progressbar
 from vyos.utils.io import ask_yes_no
-from vyos.utils.io import make_incremental_progressbar
-from vyos.utils.io import make_progressbar
+from vyos.utils.io import is_interactive
 from vyos.utils.io import print_error
 from vyos.utils.misc import begin
-from vyos.utils.process import cmd
+from vyos.utils.process import cmd, rc_cmd
 from vyos.version import get_version
 
 CHUNK_SIZE = 8192
@@ -50,7 +54,7 @@ class InteractivePolicy(MissingHostKeyPolicy):
     def missing_host_key(self, client, hostname, key):
         print_error(f"Host '{hostname}' not found in known hosts.")
         print_error('Fingerprint: ' + key.get_fingerprint().hex())
-        if sys.stdout.isatty() and ask_yes_no('Do you wish to continue?'):
+        if is_interactive() and ask_yes_no('Do you wish to continue?'):
             if client._host_keys_filename\
                and ask_yes_no('Do you wish to permanently add this host/key pair to known hosts?'):
                 client._host_keys.add(hostname, key.get_name(), key)
@@ -73,6 +77,17 @@ class SourceAdapter(HTTPAdapter):
             num_pools=connections, maxsize=maxsize,
             block=block, source_address=self._source_pair)
 
+@contextmanager
+def umask(mask: int):
+    """
+    Context manager that temporarily sets the process umask.
+    """
+    import os
+    oldmask = os.umask(mask)
+    try:
+        yield
+    finally:
+        os.umask(oldmask)
 
 def check_storage(path, size):
     """
@@ -131,16 +146,16 @@ class FtpC:
             if self.secure:
                 conn.prot_p()
             # Almost all FTP servers support the `SIZE' command.
+            size = conn.size(self.path)
             if self.check_space:
-                check_storage(path, conn.size(self.path))
+                check_storage(path, size)
             # No progressbar if we can't determine the size or if the file is too small.
             if self.progressbar and size and size > CHUNK_SIZE:
-                progress = make_incremental_progressbar(CHUNK_SIZE / size)
-                next(progress)
-                callback = lambda block: begin(f.write(block), next(progress))
+                with Progressbar(CHUNK_SIZE / size) as p:
+                    callback = lambda block: begin(f.write(block), p.increment())
+                    conn.retrbinary('RETR ' + self.path, callback, CHUNK_SIZE)
             else:
-                callback = f.write
-            conn.retrbinary('RETR ' + self.path, callback, CHUNK_SIZE)
+                conn.retrbinary('RETR ' + self.path, f.write, CHUNK_SIZE)
 
     def upload(self, location: str):
         size = os.path.getsize(location)
@@ -150,12 +165,10 @@ class FtpC:
             if self.secure:
                 conn.prot_p()
             if self.progressbar and size and size > CHUNK_SIZE:
-                progress = make_incremental_progressbar(CHUNK_SIZE / size)
-                next(progress)
-                callback = lambda block: next(progress)
+                with Progressbar(CHUNK_SIZE / size) as p:
+                    conn.storbinary('STOR ' + self.path, f, CHUNK_SIZE, lambda block: p.increment())
             else:
-                callback = None
-            conn.storbinary('STOR ' + self.path, f, CHUNK_SIZE, callback)
+                conn.storbinary('STOR ' + self.path, f, CHUNK_SIZE)
 
 class SshC:
     known_hosts = os.path.expanduser('~/.ssh/known_hosts')
@@ -190,14 +203,16 @@ class SshC:
         return ssh
 
     def download(self, location: str):
-        callback = make_progressbar() if self.progressbar else None
         with self._establish() as ssh, ssh.open_sftp() as sftp:
             if self.check_space:
                 check_storage(location, sftp.stat(self.path).st_size)
-            sftp.get(self.path, location, callback=callback)
+            if self.progressbar:
+                with Progressbar() as p:
+                    sftp.get(self.path, location, callback=p.progress)
+            else:
+                sftp.get(self.path, location)
 
     def upload(self, location: str):
-        callback = make_progressbar() if self.progressbar else None
         with self._establish() as ssh, ssh.open_sftp() as sftp:
             try:
                 # If the remote path is a directory, use the original filename.
@@ -210,7 +225,11 @@ class SshC:
             except IOError:
                 path = self.path
             finally:
-                sftp.put(location, path, callback=callback)
+                if self.progressbar:
+                    with Progressbar() as p:
+                        sftp.put(location, path, callback=p.progress)
+                else:
+                    sftp.put(location, path)
 
 
 class HttpC:
@@ -247,7 +266,6 @@ class HttpC:
                         allow_redirects=True,
                         timeout=self.timeout) as r:
                 # Abort early if the destination is inaccessible.
-                print('pre-3')
                 r.raise_for_status()
                 # If the request got redirected, keep the last URL we ended up with.
                 final_urlstring = r.url
@@ -264,10 +282,9 @@ class HttpC:
             with s.get(final_urlstring, stream=True,
                        timeout=self.timeout) as r, open(location, 'wb') as f:
                 if self.progressbar and size:
-                    progress = make_incremental_progressbar(CHUNK_SIZE / size)
-                    next(progress)
-                    for chunk in iter(lambda: begin(next(progress), r.raw.read(CHUNK_SIZE)), b''):
-                        f.write(chunk)
+                    with Progressbar(CHUNK_SIZE / size) as p:
+                        for chunk in iter(lambda: begin(p.increment(), r.raw.read(CHUNK_SIZE)), b''):
+                            f.write(chunk)
                 else:
                     # We'll try to stream the download directly with `copyfileobj()` so that large
                     #  files (like entire VyOS images) don't occupy much memory.
@@ -308,30 +325,138 @@ class TftpC:
         with open(location, 'rb') as f:
             cmd(f'{self.command} -T - "{self.urlstring}"', input=f.read())
 
+class GitC:
+    def __init__(self,
+        url,
+        progressbar=False,
+        check_space=False,
+        source_host=None,
+        source_port=0,
+        timeout=10,
+    ):
+        self.command = 'git'
+        self.url = url
+        self.urlstring = urllib.parse.urlunsplit(url)
+        if self.urlstring.startswith("git+"):
+            self.urlstring = self.urlstring.replace("git+", "", 1)
+
+    def download(self, location: str):
+        raise NotImplementedError("not supported")
+
+    @umask(0o077)
+    def upload(self, location: str):
+        scheme = self.url.scheme
+        _, _, scheme = scheme.partition("+")
+        netloc = self.url.netloc
+        url = Path(self.url.path).parent
+        with tempfile.TemporaryDirectory(prefix="git-commit-archive-") as directory:
+            # Determine username, fullname, email for Git commit
+            pwd_entry = pwd.getpwuid(os.getuid())
+            user = pwd_entry.pw_name
+            name = pwd_entry.pw_gecos.split(",")[0] or user
+            fqdn = socket.getfqdn()
+            email = f"{user}@{fqdn}"
+
+            # environment vars for our git commands
+            env = {
+                "GIT_TERMINAL_PROMPT": "0",
+                "GIT_AUTHOR_NAME": name,
+                "GIT_AUTHOR_EMAIL": email,
+                "GIT_COMMITTER_NAME": name,
+                "GIT_COMMITTER_EMAIL": email,
+            }
+
+            # build ssh command for git
+            ssh_command = ["ssh"]
+
+            # if we are not interactive, we use StrictHostKeyChecking=yes to avoid any prompts
+            if not sys.stdout.isatty():
+                ssh_command += ["-o", "StrictHostKeyChecking=yes"]
+
+            env["GIT_SSH_COMMAND"] = " ".join(ssh_command)
+
+            # git clone
+            path_repository = Path(directory) / "repository"
+            scheme = f"{scheme}://" if scheme else ""
+            rc, out = rc_cmd(
+                [self.command, "clone", f"{scheme}{netloc}{url}", str(path_repository), "--depth=1"],
+                env=env,
+                shell=False,
+            )
+            if rc:
+                raise Exception(out)
+
+            # git add
+            filename = Path(Path(self.url.path).name).stem
+            dst = path_repository / filename
+            shutil.copy2(location, dst)
+            rc, out = rc_cmd(
+                [self.command, "-C", str(path_repository), "add", filename],
+                env=env,
+                shell=False,
+            )
+
+            # git commit -m
+            commit_message = os.environ.get("COMMIT_COMMENT", "commit")
+            rc, out = rc_cmd(
+                [self.command, "-C", str(path_repository), "commit", "-m", commit_message],
+                env=env,
+                shell=False,
+            )
+
+            # git push
+            rc, out = rc_cmd(
+                [self.command, "-C", str(path_repository), "push"],
+                env=env,
+                shell=False,
+            )
+            if rc:
+                raise Exception(out)
+
 
 def urlc(urlstring, *args, **kwargs):
     """
     Dynamically dispatch the appropriate protocol class.
     """
-    url_classes = {'http': HttpC, 'https': HttpC, 'ftp': FtpC, 'ftps': FtpC, \
-                   'sftp': SshC, 'ssh': SshC, 'scp': SshC, 'tftp': TftpC}
+    url_classes = {
+        "http": HttpC,
+        "https": HttpC,
+        "ftp": FtpC,
+        "ftps": FtpC,
+        "sftp": SshC,
+        "ssh": SshC,
+        "scp": SshC,
+        "tftp": TftpC,
+        "git": GitC,
+    }
     url = urllib.parse.urlsplit(urlstring)
+    scheme, _, _ = url.scheme.partition("+")
     try:
-        return url_classes[url.scheme](url, *args, **kwargs)
+        return url_classes[scheme](url, *args, **kwargs)
     except KeyError:
-        raise ValueError(f'Unsupported URL scheme: "{url.scheme}"')
+        raise ValueError(f'Unsupported URL scheme: "{scheme}"')
 
-def download(local_path, urlstring, *args, **kwargs):
+def download(local_path, urlstring, progressbar=False, check_space=False,
+             source_host='', source_port=0, timeout=10.0, raise_error=False):
     try:
-        urlc(urlstring, *args, **kwargs).download(local_path)
+        progressbar = progressbar and is_interactive()
+        urlc(urlstring, progressbar, check_space, source_host, source_port, timeout).download(local_path)
     except Exception as err:
+        if raise_error:
+            raise
         print_error(f'Unable to download "{urlstring}": {err}')
+    except KeyboardInterrupt:
+        print_error('\nDownload aborted by user.')
 
-def upload(local_path, urlstring, *args, **kwargs):
+def upload(local_path, urlstring, progressbar=False,
+           source_host='', source_port=0, timeout=10.0):
     try:
-        urlc(urlstring, *args, **kwargs).upload(local_path)
+        progressbar = progressbar and is_interactive()
+        urlc(urlstring, progressbar, False, source_host, source_port, timeout).upload(local_path)
     except Exception as err:
         print_error(f'Unable to upload "{urlstring}": {err}')
+    except KeyboardInterrupt:
+        print_error('\nUpload aborted by user.')
 
 def get_remote_config(urlstring, source_host='', source_port=0):
     """
@@ -344,26 +469,3 @@ def get_remote_config(urlstring, source_host='', source_port=0):
             return f.read()
     finally:
         os.remove(temp)
-
-def friendly_download(local_path, urlstring, source_host='', source_port=0):
-    """
-    Download with a progress bar, reassuring messages and free space checks.
-    """
-    try:
-        print_error('Downloading...')
-        download(local_path, urlstring, True, True, source_host, source_port)
-    except KeyboardInterrupt:
-        print_error('\nDownload aborted by user.')
-        sys.exit(1)
-    except:
-        import traceback
-        print_error(f'Failed to download {urlstring}.')
-        # There are a myriad different reasons a download could fail.
-        # SSH errors, FTP errors, I/O errors, HTTP errors (403, 404...)
-        # We omit the scary stack trace but print the error nevertheless.
-        exc_type, exc_value, exc_traceback = sys.exc_info()
-        traceback.print_exception(exc_type, exc_value, None, 0, None, False)
-        sys.exit(1)
-    else:
-        print_error('Download complete.')
-        sys.exit(0)
diff --git a/python/vyos/system/__init__.py b/python/vyos/system/__init__.py
new file mode 100644
index 000000000..0c91330ba
--- /dev/null
+++ b/python/vyos/system/__init__.py
@@ -0,0 +1,18 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+__all_: list[str] = ['disk', 'grub', 'image']
+# define image-tools version
+SYSTEM_CFG_VER = 1
diff --git a/python/vyos/system/compat.py b/python/vyos/system/compat.py
new file mode 100644
index 000000000..319c3dabf
--- /dev/null
+++ b/python/vyos/system/compat.py
@@ -0,0 +1,316 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from pathlib import Path
+from re import compile, MULTILINE, DOTALL
+from functools import wraps
+from copy import deepcopy
+from typing import Union
+
+from vyos.system import disk, grub, image, SYSTEM_CFG_VER
+from vyos.template import render
+
+TMPL_GRUB_COMPAT: str = 'grub/grub_compat.j2'
+
+# define regexes and variables
+REGEX_VERSION = r'^menuentry "[^\n]*{\n[^}]*\s+linux /boot/(?P<version>\S+)/[^}]*}'
+REGEX_MENUENTRY = r'^menuentry "[^\n]*{\n[^}]*\s+linux /boot/(?P<version>\S+)/vmlinuz (?P<options>[^\n]+)\n[^}]*}'
+REGEX_CONSOLE = r'^.*console=(?P<console_type>[^\s\d]+)(?P<console_num>[\d]+).*$'
+REGEX_SANIT_CONSOLE = r'\ ?console=[^\s\d]+[\d]+(,\d+)?\ ?'
+REGEX_SANIT_INIT = r'\ ?init=\S*\ ?'
+REGEX_SANIT_QUIET = r'\ ?quiet\ ?'
+PW_RESET_OPTION = 'init=/opt/vyatta/sbin/standalone_root_pw_reset'
+
+
+class DowngradingImageTools(Exception):
+    """Raised when attempting to add an image with an earlier version
+    of image-tools than the current system, as indicated by the value
+    of SYSTEM_CFG_VER or absence thereof."""
+    pass
+
+
+def mode():
+    if grub.get_cfg_ver() >= SYSTEM_CFG_VER:
+        return False
+
+    return True
+
+
+def find_versions(menu_entries: list) -> list:
+    """Find unique VyOS versions from menu entries
+
+    Args:
+        menu_entries (list): a list with menu entries
+
+    Returns:
+        list: List of installed versions
+    """
+    versions = []
+    for vyos_ver in menu_entries:
+        versions.append(vyos_ver.get('version'))
+    # remove duplicates
+    versions = list(set(versions))
+    return versions
+
+
+def filter_unparsed(grub_path: str) -> str:
+    """Find currently installed VyOS version
+
+    Args:
+        grub_path (str): a path to the grub.cfg file
+
+    Returns:
+        str: unparsed grub.cfg items
+    """
+    config_text = Path(grub_path).read_text()
+    regex_filter = compile(REGEX_VERSION, MULTILINE | DOTALL)
+    filtered = regex_filter.sub('', config_text)
+    regex_filter = compile(grub.REGEX_GRUB_VARS, MULTILINE)
+    filtered = regex_filter.sub('', filtered)
+    regex_filter = compile(grub.REGEX_GRUB_MODULES, MULTILINE)
+    filtered = regex_filter.sub('', filtered)
+    # strip extra new lines
+    filtered = filtered.strip()
+    return filtered
+
+
+def get_search_root(unparsed: str) -> str:
+    unparsed_lines = unparsed.splitlines()
+    search_root = next((x for x in unparsed_lines if 'search' in x), '')
+    return search_root
+
+
+def sanitize_boot_opts(boot_opts: str) -> str:
+    """Sanitize boot options from console and init
+
+    Args:
+        boot_opts (str): boot options
+
+    Returns:
+        str: sanitized boot options
+    """
+    regex_filter = compile(REGEX_SANIT_CONSOLE)
+    boot_opts = regex_filter.sub('', boot_opts)
+    regex_filter = compile(REGEX_SANIT_INIT)
+    boot_opts = regex_filter.sub('', boot_opts)
+    # legacy tools add 'quiet' on add system image; this is not desired
+    regex_filter = compile(REGEX_SANIT_QUIET)
+    boot_opts = regex_filter.sub(' ', boot_opts)
+
+    return boot_opts
+
+
+def parse_entry(entry: tuple) -> dict:
+    """Parse GRUB menuentry
+
+    Args:
+        entry (tuple): tuple of (version, options)
+
+    Returns:
+        dict: dictionary with parsed options
+    """
+    # save version to dict
+    entry_dict = {'version': entry[0]}
+    # detect boot mode type
+    if PW_RESET_OPTION in entry[1]:
+        entry_dict['bootmode'] = 'pw_reset'
+    else:
+        entry_dict['bootmode'] = 'normal'
+    # find console type and number
+    regex_filter = compile(REGEX_CONSOLE)
+    entry_dict.update(regex_filter.match(entry[1]).groupdict())
+    entry_dict['boot_opts'] = sanitize_boot_opts(entry[1])
+
+    return entry_dict
+
+
+def parse_menuentries(grub_path: str) -> list:
+    """Parse all GRUB menuentries
+
+    Args:
+        grub_path (str): a path to GRUB config file
+
+    Returns:
+        list: list with menu items (each item is a dict)
+    """
+    menuentries = []
+    # read configuration file
+    config_text = Path(grub_path).read_text()
+    # parse menuentries to tuples (version, options)
+    regex_filter = compile(REGEX_MENUENTRY, MULTILINE)
+    filter_results = regex_filter.findall(config_text)
+    # parse each entry
+    for entry in filter_results:
+        menuentries.append(parse_entry(entry))
+
+    return menuentries
+
+
+def prune_vyos_versions(root_dir: str = '') -> None:
+    """Delete vyos-versions files of registered images subsequently deleted
+    or renamed by legacy image-tools
+
+    Args:
+        root_dir (str): an optional path to the root directory
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    for version in grub.version_list():
+        if not Path(f'{root_dir}/boot/{version}').is_dir():
+            grub.version_del(version)
+
+
+def update_cfg_ver(root_dir:str = '') -> int:
+    """Get minumum version of image-tools across all installed images
+
+    Args:
+        root_dir (str): an optional path to the root directory
+
+    Returns:
+        int: minimum version of image-tools
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    prune_vyos_versions(root_dir)
+
+    images_details = image.get_images_details()
+    cfg_version = min(d['tools_version'] for d in images_details)
+
+    return cfg_version
+
+
+def get_default(menu_entries: list, root_dir: str = '') -> Union[int, None]:
+    """Translate default version to menuentry index
+
+    Args:
+        menu_entries (list): list of dicts of installed version boot data
+        root_dir (str): an optional path to the root directory
+
+    Returns:
+        int: index of default version in menu_entries or None
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    grub_cfg_main = f'{root_dir}/{grub.GRUB_CFG_MAIN}'
+
+    image_name = image.get_default_image()
+
+    sublist = list(filter(lambda x: x.get('version') == image_name,
+                        menu_entries))
+    if sublist:
+        return menu_entries.index(sublist[0])
+
+    return None
+
+
+def update_version_list(root_dir: str = '') -> list[dict]:
+    """Update list of dicts of installed version boot data
+
+    Args:
+        root_dir (str): an optional path to the root directory
+
+    Returns:
+        list: list of dicts of installed version boot data
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    grub_cfg_main = f'{root_dir}/{grub.GRUB_CFG_MAIN}'
+
+    # get list of versions in menuentries
+    menu_entries = parse_menuentries(grub_cfg_main)
+    menu_versions = find_versions(menu_entries)
+
+    # get list of versions added/removed by image-tools
+    current_versions = grub.version_list(root_dir)
+
+    remove = list(set(menu_versions) - set(current_versions))
+    for ver in remove:
+        menu_entries = list(filter(lambda x: x.get('version') != ver,
+                                   menu_entries))
+
+    add = list(set(current_versions) - set(menu_versions))
+    for ver in add:
+        last = menu_entries[0].get('version')
+        new = deepcopy(list(filter(lambda x: x.get('version') == last,
+                                   menu_entries)))
+        for e in new:
+            boot_opts = e.get('boot_opts').replace(last, ver)
+            e.update({'version': ver, 'boot_opts': boot_opts})
+
+        menu_entries = new + menu_entries
+
+    return menu_entries
+
+
+def grub_cfg_fields(root_dir: str = '') -> dict:
+    """Gather fields for rendering grub.cfg
+
+    Args:
+        root_dir (str): an optional path to the root directory
+
+    Returns:
+        dict: dictionary for rendering TMPL_GRUB_COMPAT
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    grub_cfg_main = f'{root_dir}/{grub.GRUB_CFG_MAIN}'
+
+    fields = {'default': 0, 'timeout': 5}
+    # 'default' and 'timeout' from legacy grub.cfg
+    fields |= grub.vars_read(grub_cfg_main)
+
+    fields['tools_version'] = SYSTEM_CFG_VER
+    menu_entries = update_version_list(root_dir)
+    fields['versions'] = menu_entries
+
+    default = get_default(menu_entries, root_dir)
+    if default is not None:
+        fields['default'] = default
+
+    modules = grub.modules_read(grub_cfg_main)
+    fields['modules'] = modules
+
+    unparsed = filter_unparsed(grub_cfg_main).splitlines()
+    search_root = next((x for x in unparsed if 'search' in x), '')
+    fields['search_root'] = search_root
+
+    return fields
+
+
+def render_grub_cfg(root_dir: str = '') -> None:
+    """Render grub.cfg for legacy compatibility"""
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    grub_cfg_main = f'{root_dir}/{grub.GRUB_CFG_MAIN}'
+
+    fields = grub_cfg_fields(root_dir)
+    render(grub_cfg_main, TMPL_GRUB_COMPAT, fields)
+
+
+def grub_cfg_update(func):
+    """Decorator to update grub.cfg after function call"""
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        ret = func(*args, **kwargs)
+        if mode():
+            render_grub_cfg()
+        return ret
+    return wrapper
diff --git a/python/vyos/system/disk.py b/python/vyos/system/disk.py
new file mode 100644
index 000000000..7860d719f
--- /dev/null
+++ b/python/vyos/system/disk.py
@@ -0,0 +1,229 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from json import loads as json_loads
+from os import sync
+from dataclasses import dataclass
+
+from psutil import disk_partitions
+
+from vyos.utils.process import run, cmd
+
+
+@dataclass
+class DiskDetails:
+    """Disk details"""
+    name: str
+    partition: dict[str, str]
+
+
+def disk_cleanup(drive_path: str) -> None:
+    """Clean up disk partition table (MBR and GPT)
+    Remove partition and device signatures.
+    Zeroize primary and secondary headers - first and last 17408 bytes
+    (512 bytes * 34 LBA) on a drive
+
+    Args:
+        drive_path (str): path to a drive that needs to be cleaned
+    """
+    partitions: list[str] = partition_list(drive_path)
+    for partition in partitions:
+        run(f'wipefs -af {partition}')
+    run(f'wipefs -af {drive_path}')
+    run(f'sgdisk -Z {drive_path}')
+
+
+def find_persistence() -> str:
+    """Find a mountpoint for persistence storage
+
+    Returns:
+        str: Path where 'persistance' pertition is mounted, Empty if not found
+    """
+    mounted_partitions = disk_partitions()
+    for partition in mounted_partitions:
+        if partition.mountpoint.endswith('/persistence'):
+            return partition.mountpoint
+    return ''
+
+
+def parttable_create(drive_path: str, root_size: int) -> None:
+    """Create a hybrid MBR/GPT partition table
+    0-2047 first sectors are free
+    2048-4095 sectors - BIOS Boot Partition
+    4096 + 256 MB - EFI system partition
+    Everything else till the end of a drive - Linux partition
+
+    Args:
+        drive_path (str): path to a drive
+    """
+    if not root_size:
+        root_size_text: str = '+100%'
+    else:
+        root_size_text: str = str(root_size)
+    command = f'sgdisk -a1 -n1:2048:4095 -t1:EF02 -n2:4096:+256M -t2:EF00 \
+        -n3:0:+{root_size_text}K -t3:8300 {drive_path}'
+
+    run(command)
+    # update partitons in kernel
+    sync()
+    run(f'partx -u {drive_path}')
+
+    partitions: list[str] = partition_list(drive_path)
+
+    disk: DiskDetails = DiskDetails(
+        name = drive_path,
+        partition = {
+            'efi': next(x for x in partitions if x.endswith('2')),
+            'root': next(x for x in partitions if x.endswith('3'))
+        }
+    )
+
+    return disk
+
+
+def partition_list(drive_path: str) -> list[str]:
+    """Get a list of partitions on a drive
+
+    Args:
+        drive_path (str): path to a drive
+
+    Returns:
+        list[str]: a list of partition paths
+    """
+    lsblk: str = cmd(f'lsblk -Jp {drive_path}')
+    drive_info: dict = json_loads(lsblk)
+    device: list = drive_info.get('blockdevices')
+    children: list[str] = device[0].get('children', []) if device else []
+    partitions: list[str] = [child.get('name') for child in children]
+    return partitions
+
+
+def partition_parent(partition_path: str) -> str:
+    """Get a parent device for a partition
+
+    Args:
+        partition (str): path to a partition
+
+    Returns:
+        str: path to a parent device
+    """
+    parent: str = cmd(f'lsblk -ndpo pkname {partition_path}')
+    return parent
+
+
+def from_partition(partition_path: str) -> DiskDetails:
+    drive_path: str = partition_parent(partition_path)
+    partitions: list[str] = partition_list(drive_path)
+
+    disk: DiskDetails = DiskDetails(
+        name = drive_path,
+        partition = {
+            'efi': next(x for x in partitions if x.endswith('2')),
+            'root': next(x for x in partitions if x.endswith('3'))
+        }
+    )
+
+    return disk
+
+def filesystem_create(partition: str, fstype: str) -> None:
+    """Create a filesystem on a partition
+
+    Args:
+        partition (str): path to a partition (for example: '/dev/sda1')
+        fstype (str): filesystem type ('efi' or 'ext4')
+    """
+    if fstype == 'efi':
+        command = 'mkfs -t fat -n EFI'
+        run(f'{command} {partition}')
+    if fstype == 'ext4':
+        command = 'mkfs -t ext4 -L persistence'
+        run(f'{command} {partition}')
+
+
+def partition_mount(partition: str,
+                    path: str,
+                    fsype: str = '',
+                    overlay_params: dict[str, str] = {}) -> bool:
+    """Mount a partition into a path
+
+    Args:
+        partition (str): path to a partition (for example: '/dev/sda1')
+        path (str): a path where to mount
+        fsype (str): optionally, set fstype ('squashfs', 'overlay', 'iso9660')
+        overlay_params (dict): optionally, set overlay parameters.
+        Defaults to None.
+
+    Returns:
+        bool: True on success
+    """
+    if fsype in ['squashfs', 'iso9660']:
+        command: str = f'mount -o loop,ro -t {fsype} {partition} {path}'
+    if fsype == 'overlay' and overlay_params:
+        command: str = f'mount -t overlay -o noatime,\
+            upperdir={overlay_params["upperdir"]},\
+            lowerdir={overlay_params["lowerdir"]},\
+            workdir={overlay_params["workdir"]} overlay {path}'
+
+    else:
+        command = f'mount {partition} {path}'
+
+    rc = run(command)
+    if rc == 0:
+        return True
+
+    return False
+
+
+def partition_umount(partition: str = '', path: str = '') -> None:
+    """Umount a partition by a partition name or a path
+
+    Args:
+        partition (str): path to a partition (for example: '/dev/sda1')
+        path (str): a path where a partition is mounted
+    """
+    if partition:
+        command = f'umount {partition}'
+        run(command)
+    if path:
+        command = f'umount {path}'
+        run(command)
+
+
+def find_device(mountpoint: str) -> str:
+    """Find a device by mountpoint
+
+    Returns:
+        str: Path to device, Empty if not found
+    """
+    mounted_partitions = disk_partitions()
+    for partition in mounted_partitions:
+        if partition.mountpoint == mountpoint:
+            return partition.mountpoint
+    return ''
+
+
+def disks_size() -> dict[str, int]:
+    """Get a dictionary with physical disks and their sizes
+
+    Returns:
+        dict[str, int]: a dictionary with name: size mapping
+    """
+    disks_size: dict[str, int] = {}
+    lsblk: str = cmd('lsblk -Jbp')
+    blk_list = json_loads(lsblk)
+    for device in blk_list.get('blockdevices'):
+        if device['type'] == 'disk':
+            disks_size.update({device['name']: device['size']})
+    return disks_size
diff --git a/python/vyos/system/grub.py b/python/vyos/system/grub.py
new file mode 100644
index 000000000..61a9c7749
--- /dev/null
+++ b/python/vyos/system/grub.py
@@ -0,0 +1,350 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from pathlib import Path
+from re import MULTILINE, compile as re_compile
+from typing import Union
+from uuid import uuid5, NAMESPACE_URL, UUID
+
+from vyos.template import render
+from vyos.utils.process import cmd, rc_cmd
+from vyos.system import disk
+
+# Define variables
+GRUB_DIR_MAIN: str = '/boot/grub'
+GRUB_CFG_MAIN: str = f'{GRUB_DIR_MAIN}/grub.cfg'
+GRUB_DIR_VYOS: str = f'{GRUB_DIR_MAIN}/grub.cfg.d'
+CFG_VYOS_HEADER: str = f'{GRUB_DIR_VYOS}/00-vyos-header.cfg'
+CFG_VYOS_MODULES: str = f'{GRUB_DIR_VYOS}/10-vyos-modules-autoload.cfg'
+CFG_VYOS_VARS: str = f'{GRUB_DIR_VYOS}/20-vyos-defaults-autoload.cfg'
+CFG_VYOS_COMMON: str = f'{GRUB_DIR_VYOS}/25-vyos-common-autoload.cfg'
+CFG_VYOS_PLATFORM: str = f'{GRUB_DIR_VYOS}/30-vyos-platform-autoload.cfg'
+CFG_VYOS_MENU: str = f'{GRUB_DIR_VYOS}/40-vyos-menu-autoload.cfg'
+CFG_VYOS_OPTIONS: str = f'{GRUB_DIR_VYOS}/50-vyos-options.cfg'
+GRUB_DIR_VYOS_VERS: str = f'{GRUB_DIR_VYOS}/vyos-versions'
+
+TMPL_VYOS_VERSION: str = 'grub/grub_vyos_version.j2'
+TMPL_GRUB_VARS: str = 'grub/grub_vars.j2'
+TMPL_GRUB_MAIN: str = 'grub/grub_main.j2'
+TMPL_GRUB_MENU: str = 'grub/grub_menu.j2'
+TMPL_GRUB_MODULES: str = 'grub/grub_modules.j2'
+TMPL_GRUB_OPTS: str = 'grub/grub_options.j2'
+TMPL_GRUB_COMMON: str = 'grub/grub_common.j2'
+
+# prepare regexes
+REGEX_GRUB_VARS: str = r'^set (?P<variable_name>.+)=[\'"]?(?P<variable_value>.*)(?<![\'"])[\'"]?$'
+REGEX_GRUB_MODULES: str = r'^insmod (?P<module_name>.+)$'
+REGEX_KERNEL_CMDLINE: str = r'^BOOT_IMAGE=/(?P<boot_type>boot|live)/((?P<image_version>.+)/)?vmlinuz.*$'
+
+
+def install(drive_path: str, boot_dir: str, efi_dir: str, id: str = 'VyOS') -> None:
+    """Install GRUB for both BIOS and EFI modes (hybrid boot)
+
+    Args:
+        drive_path (str): path to a drive where GRUB must be installed
+        boot_dir (str): a path to '/boot' directory
+        efi_dir (str): a path to '/boot/efi' directory
+    """
+    commands: list[str] = [
+        f'grub-install --no-floppy --target=i386-pc --boot-directory={boot_dir} \
+            {drive_path} --force',
+        f'grub-install --no-floppy --recheck --target=x86_64-efi \
+            --force-extra-removable --boot-directory={boot_dir} \
+            --efi-directory={efi_dir} --bootloader-id="{id}" \
+            --no-uefi-secure-boot'
+    ]
+    for command in commands:
+        cmd(command)
+
+
+def gen_version_uuid(version_name: str) -> str:
+    """Generate unique ID from version name
+
+    Use UUID5 / NAMESPACE_URL with prefix `uuid5-`
+
+    Args:
+        version_name (str): version name
+
+    Returns:
+        str: generated unique ID
+    """
+    ver_uuid: UUID = uuid5(NAMESPACE_URL, version_name)
+    ver_id: str = f'uuid5-{ver_uuid}'
+    return ver_id
+
+
+def version_add(version_name: str,
+                root_dir: str = '',
+                boot_opts: str = '') -> None:
+    """Add a new VyOS version to GRUB loader configuration
+
+    Args:
+        vyos_version (str): VyOS version name
+        root_dir (str): an optional path to the root directory.
+        Defaults to empty.
+        boot_opts (str): an optional boot options for Linux kernel.
+        Defaults to empty.
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+    version_config: str = f'{root_dir}/{GRUB_DIR_VYOS_VERS}/{version_name}.cfg'
+    render(
+        version_config, TMPL_VYOS_VERSION, {
+            'version_name': version_name,
+            'version_uuid': gen_version_uuid(version_name),
+            'boot_opts': boot_opts
+        })
+
+
+def version_del(vyos_version: str, root_dir: str = '') -> None:
+    """Delete a VyOS version from GRUB loader configuration
+
+    Args:
+        vyos_version (str): VyOS version name
+        root_dir (str): an optional path to the root directory.
+        Defaults to empty.
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+    version_config: str = f'{root_dir}/{GRUB_DIR_VYOS_VERS}/{vyos_version}.cfg'
+    Path(version_config).unlink(missing_ok=True)
+
+
+def version_list(root_dir: str = '') -> list[str]:
+    """Generate a list with installed VyOS versions
+
+    Args:
+        root_dir (str): an optional path to the root directory.
+        Defaults to empty.
+
+    Returns:
+        list: A list with versions names
+
+    N.B. coreutils stat reports st_birthtime, but not available in
+    Path.stat()/os.stat()
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+    versions_files = Path(f'{root_dir}/{GRUB_DIR_VYOS_VERS}').glob('*.cfg')
+    versions_order: dict[str, int] = {}
+    for file in versions_files:
+        p = Path(root_dir).joinpath('boot').joinpath(file.stem)
+        command = f'stat -c %W {p.as_posix()}'
+        rc, out = rc_cmd(command)
+        if rc == 0:
+            versions_order[file.stem] = int(out)
+    versions_order = sorted(versions_order, key=versions_order.get, reverse=True)
+    versions_list: list[str] = list(versions_order)
+
+    return versions_list
+
+
+def read_env(env_file: str = '') -> dict[str, str]:
+    """Read GRUB environment
+
+    Args:
+        env_file (str, optional): a path to grub environment file.
+        Defaults to empty.
+
+    Returns:
+        dict: dictionary with GRUB environment
+    """
+    if not env_file:
+        root_dir: str = disk.find_persistence()
+        env_file = f'{root_dir}/{GRUB_DIR_MAIN}/grubenv'
+
+    env_content: str = cmd(f'grub-editenv {env_file} list').splitlines()
+    regex_filter = re_compile(r'^(?P<variable_name>.*)=(?P<variable_value>.*)$')
+    env_dict: dict[str, str] = {}
+    for env_item in env_content:
+        search_result = regex_filter.fullmatch(env_item)
+        if search_result:
+            search_result_dict: dict[str, str] = search_result.groupdict()
+            variable_name: str = search_result_dict.get('variable_name', '')
+            variable_value: str = search_result_dict.get('variable_value', '')
+            if variable_name and variable_value:
+                env_dict.update({variable_name: variable_value})
+    return env_dict
+
+
+def get_cfg_ver(root_dir: str = '') -> int:
+    """Get current version of GRUB configuration
+
+    Args:
+        root_dir (str, optional): an optional path to the root directory.
+        Defaults to empty.
+
+    Returns:
+        int: a configuration version
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    cfg_ver: str = vars_read(f'{root_dir}/{CFG_VYOS_HEADER}').get(
+            'VYOS_CFG_VER')
+    if cfg_ver:
+        cfg_ver_int: int = int(cfg_ver)
+    else:
+        cfg_ver_int: int = 0
+    return cfg_ver_int
+
+
+def write_cfg_ver(cfg_ver: int, root_dir: str = '') -> None:
+    """Write version number of GRUB configuration
+
+    Args:
+        cfg_ver (int): a version number to write
+        root_dir (str, optional): an optional path to the root directory.
+        Defaults to empty.
+
+    Returns:
+        int: a configuration version
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    vars_file: str = f'{root_dir}/{CFG_VYOS_HEADER}'
+    vars_current: dict[str, str] = vars_read(vars_file)
+    vars_current['VYOS_CFG_VER'] = str(cfg_ver)
+    vars_write(vars_file, vars_current)
+
+
+def vars_read(grub_cfg: str) -> dict[str, str]:
+    """Read variables from a GRUB configuration file
+
+    Args:
+        grub_cfg (str): a path to the GRUB config file
+
+    Returns:
+        dict: a dictionary with variables and values
+    """
+    vars_dict: dict[str, str] = {}
+    regex_filter = re_compile(REGEX_GRUB_VARS)
+    try:
+        config_text: list[str] = Path(grub_cfg).read_text().splitlines()
+    except FileNotFoundError:
+        return vars_dict
+    for line in config_text:
+        search_result = regex_filter.fullmatch(line)
+        if search_result:
+            search_dict = search_result.groupdict()
+            variable_name: str = search_dict.get('variable_name', '')
+            variable_value: str = search_dict.get('variable_value', '')
+            if variable_name and variable_value:
+                vars_dict.update({variable_name: variable_value})
+    return vars_dict
+
+
+def modules_read(grub_cfg: str) -> list[str]:
+    """Read modules list from a GRUB configuration file
+
+    Args:
+        grub_cfg (str): a path to the GRUB config file
+
+    Returns:
+        list: a list with modules to load
+    """
+    mods_list: list[str] = []
+    regex_filter = re_compile(REGEX_GRUB_MODULES, MULTILINE)
+    try:
+        config_text = Path(grub_cfg).read_text()
+    except FileNotFoundError:
+        return mods_list
+    mods_list = regex_filter.findall(config_text)
+
+    return mods_list
+
+
+def modules_write(grub_cfg: str, mods_list: list[str]) -> None:
+    """Write modules list to a GRUB configuration file (overwrite everything)
+
+    Args:
+        grub_cfg (str): a path to GRUB configuration file
+        mods_list (list): a list with modules to load
+    """
+    render(grub_cfg, TMPL_GRUB_MODULES, {'mods_list': mods_list})
+
+
+def vars_write(grub_cfg: str, grub_vars: dict[str, str]) -> None:
+    """Write variables to a GRUB configuration file (overwrite everything)
+
+    Args:
+        grub_cfg (str): a path to GRUB configuration file
+        grub_vars (dict): a dictionary with new variables
+    """
+    render(grub_cfg, TMPL_GRUB_VARS, {'vars': grub_vars})
+
+
+def set_default(version_name: str, root_dir: str = '') -> None:
+    """Set version as default boot entry
+
+    Args:
+        version_name (str): versio name
+        root_dir (str, optional): an optional path to the root directory.
+        Defaults to empty.
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    vars_file = f'{root_dir}/{CFG_VYOS_VARS}'
+    vars_current = vars_read(vars_file)
+    vars_current['default'] = gen_version_uuid(version_name)
+    vars_write(vars_file, vars_current)
+
+
+def common_write(root_dir: str = '', grub_common: dict[str, str] = {}) -> None:
+    """Write common GRUB configuration file (overwrite everything)
+
+    Args:
+        root_dir (str, optional): an optional path to the root directory.
+        Defaults to empty.
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+    common_config = f'{root_dir}/{CFG_VYOS_COMMON}'
+    render(common_config, TMPL_GRUB_COMMON, grub_common)
+
+
+def create_structure(root_dir: str = '') -> None:
+    """Create GRUB directories structure
+
+    Args:
+        root_dir (str, optional): an optional path to the root directory.
+        Defaults to ''.
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    Path(f'{root_dir}/GRUB_DIR_VYOS_VERS').mkdir(parents=True, exist_ok=True)
+
+
+def set_console_type(console_type: str, root_dir: str = '') -> None:
+    """Write default console type to GRUB configuration
+
+    Args:
+        console_type (str): a default console type
+        root_dir (str, optional): an optional path to the root directory.
+        Defaults to empty.
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    vars_file: str = f'{root_dir}/{CFG_VYOS_VARS}'
+    vars_current: dict[str, str] = vars_read(vars_file)
+    vars_current['console_type'] = str(console_type)
+    vars_write(vars_file, vars_current)
+
+def set_raid(root_dir: str = '') -> None:
+    pass
diff --git a/python/vyos/system/image.py b/python/vyos/system/image.py
new file mode 100644
index 000000000..514275654
--- /dev/null
+++ b/python/vyos/system/image.py
@@ -0,0 +1,268 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from pathlib import Path
+from re import compile as re_compile
+from tempfile import TemporaryDirectory
+from typing import TypedDict
+
+from vyos import version
+from vyos.system import disk, grub
+
+# Define variables
+GRUB_DIR_MAIN: str = '/boot/grub'
+GRUB_DIR_VYOS: str = f'{GRUB_DIR_MAIN}/grub.cfg.d'
+CFG_VYOS_VARS: str = f'{GRUB_DIR_VYOS}/20-vyos-defaults-autoload.cfg'
+GRUB_DIR_VYOS_VERS: str = f'{GRUB_DIR_VYOS}/vyos-versions'
+# prepare regexes
+REGEX_KERNEL_CMDLINE: str = r'^BOOT_IMAGE=/(?P<boot_type>boot|live)/((?P<image_version>.+)/)?vmlinuz.*$'
+REGEX_SYSTEM_CFG_VER: str = r'(\r\n|\r|\n)SYSTEM_CFG_VER\s*=\s*(?P<cfg_ver>\d+)(\r\n|\r|\n)'
+
+
+# structures definitions
+class ImageDetails(TypedDict):
+    name: str
+    version: str
+    tools_version: int
+    disk_ro: int
+    disk_rw: int
+    disk_total: int
+
+
+class BootDetails(TypedDict):
+    image_default: str
+    image_running: str
+    images_available: list[str]
+    console_type: str
+    console_num: int
+
+
+def bootmode_detect() -> str:
+    """Detect system boot mode
+
+    Returns:
+        str: 'bios' or 'efi'
+    """
+    if Path('/sys/firmware/efi/').exists():
+        return 'efi'
+    else:
+        return 'bios'
+
+
+def get_image_version(mount_path: str) -> str:
+    """Extract version name from rootfs mounted at mount_path
+
+    Args:
+        mount_path (str): mount path of rootfs
+
+    Returns:
+        str: version name
+    """
+    version_file: str = Path(
+        f'{mount_path}/opt/vyatta/etc/version').read_text()
+    version_name: str = version_file.lstrip('Version: ').strip()
+
+    return version_name
+
+
+def get_image_tools_version(mount_path: str) -> int:
+    """Extract image-tools version from rootfs mounted at mount_path
+
+    Args:
+        mount_path (str): mount path of rootfs
+
+    Returns:
+        str: image-tools version
+    """
+    try:
+        version_file: str = Path(
+            f'{mount_path}/usr/lib/python3/dist-packages/vyos/system/__init__.py').read_text()
+    except FileNotFoundError:
+        system_cfg_ver: int = 0
+    else:
+        res = re_compile(REGEX_SYSTEM_CFG_VER).search(version_file)
+        system_cfg_ver: int = int(res.groupdict().get('cfg_ver', 0))
+
+    return system_cfg_ver
+
+
+def get_versions(image_name: str, root_dir: str = '') -> dict[str, str]:
+    """Return versions of image and image-tools
+
+    Args:
+        image_name (str): a name of an image
+        root_dir (str, optional): an optional path to the root directory.
+        Defaults to ''.
+
+    Returns:
+        dict[str, int]: a dictionary with versions of image and image-tools
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    squashfs_file: str = next(
+        Path(f'{root_dir}/boot/{image_name}').glob('*.squashfs')).as_posix()
+    with TemporaryDirectory() as squashfs_mounted:
+        disk.partition_mount(squashfs_file, squashfs_mounted, 'squashfs')
+
+        image_version: str = get_image_version(squashfs_mounted)
+        image_tools_version: int = get_image_tools_version(squashfs_mounted)
+
+        disk.partition_umount(squashfs_file)
+
+    versions: dict[str, int] = {
+        'image': image_version,
+        'image-tools': image_tools_version
+    }
+
+    return versions
+
+
+def get_details(image_name: str, root_dir: str = '') -> ImageDetails:
+    """Return information about image
+
+    Args:
+        image_name (str): a name of an image
+        root_dir (str, optional): an optional path to the root directory.
+        Defaults to ''.
+
+    Returns:
+        ImageDetails: a dictionary with details about an image (name, size)
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    versions = get_versions(image_name, root_dir)
+    image_version: str = versions.get('image', '')
+    image_tools_version: int = versions.get('image-tools', 0)
+
+    image_path: Path = Path(f'{root_dir}/boot/{image_name}')
+    image_path_rw: Path = Path(f'{root_dir}/boot/{image_name}/rw')
+
+    image_disk_ro: int = int()
+    for item in image_path.iterdir():
+        if not item.is_symlink():
+            image_disk_ro += item.stat().st_size
+
+    image_disk_rw: int = int()
+    for item in image_path_rw.rglob('*'):
+        if not item.is_symlink():
+            image_disk_rw += item.stat().st_size
+
+    image_details: ImageDetails = {
+        'name': image_name,
+        'version': image_version,
+        'tools_version': image_tools_version,
+        'disk_ro': image_disk_ro,
+        'disk_rw': image_disk_rw,
+        'disk_total': image_disk_ro + image_disk_rw
+    }
+
+    return image_details
+
+
+def get_images_details() -> list[ImageDetails]:
+    """Return information about all images
+
+    Returns:
+        list[ImageDetails]: a list of dictionaries with details about images
+    """
+    images: list[str] = grub.version_list()
+    images_details: list[ImageDetails] = list()
+    for image_name in images:
+        images_details.append(get_details(image_name))
+
+    return images_details
+
+
+def get_running_image() -> str:
+    """Find currently running image name
+
+    Returns:
+        str: image name
+    """
+    running_image: str = ''
+    regex_filter = re_compile(REGEX_KERNEL_CMDLINE)
+    cmdline: str = Path('/proc/cmdline').read_text()
+    running_image_result = regex_filter.match(cmdline)
+    if running_image_result:
+        running_image: str = running_image_result.groupdict().get(
+            'image_version', '')
+    # we need to have a fallback for live systems
+    if not running_image:
+        running_image: str = version.get_version()
+
+    return running_image
+
+
+def get_default_image(root_dir: str = '') -> str:
+    """Get default boot entry
+
+    Args:
+        root_dir (str, optional): an optional path to the root directory.
+        Defaults to empty.
+    Returns:
+        str: a version name
+    """
+    if not root_dir:
+        root_dir = disk.find_persistence()
+
+    vars_file: str = f'{root_dir}/{CFG_VYOS_VARS}'
+    vars_current: dict[str, str] = grub.vars_read(vars_file)
+    default_uuid: str = vars_current.get('default', '')
+    if default_uuid:
+        images_list: list[str] = grub.version_list(root_dir)
+        for image_name in images_list:
+            if default_uuid == grub.gen_version_uuid(image_name):
+                return image_name
+        return ''
+    else:
+        return ''
+
+
+def validate_name(image_name: str) -> bool:
+    """Validate image name
+
+    Args:
+        image_name (str): suggested image name
+
+    Returns:
+        bool: validation result
+    """
+    regex_filter = re_compile(r'^[\w\.+-]{1,64}$')
+    if regex_filter.match(image_name):
+        return True
+    return False
+
+
+def is_live_boot() -> bool:
+    """Detect live booted system
+
+    Returns:
+        bool: True if the system currently booted in live mode
+    """
+    regex_filter = re_compile(REGEX_KERNEL_CMDLINE)
+    cmdline: str = Path('/proc/cmdline').read_text()
+    running_image_result = regex_filter.match(cmdline)
+    if running_image_result:
+        boot_type: str = running_image_result.groupdict().get('boot_type', '')
+        if boot_type == 'live':
+            return True
+    return False
+
+def is_running_as_container() -> bool:
+    if Path('/.dockerenv').exists():
+        return True
+    return False
diff --git a/python/vyos/system/raid.py b/python/vyos/system/raid.py
new file mode 100644
index 000000000..5b33d34da
--- /dev/null
+++ b/python/vyos/system/raid.py
@@ -0,0 +1,122 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+"""RAID related functions"""
+
+from pathlib import Path
+from shutil import copy
+from dataclasses import dataclass
+
+from vyos.utils.process import cmd, run
+from vyos.system import disk
+
+
+@dataclass
+class RaidDetails:
+    """RAID type"""
+    name: str
+    level: str
+    members: list[str]
+    disks: list[disk.DiskDetails]
+
+
+def raid_create(raid_members: list[str],
+                raid_name: str = 'md0',
+                raid_level: str = 'raid1') -> None:
+    """Create a RAID array
+
+    Args:
+        raid_name (str): a name of array (data, backup, test, etc.)
+        raid_members (list[str]): a list of array members
+        raid_level (str, optional): an array level. Defaults to 'raid1'.
+    """
+    raid_devices_num: int = len(raid_members)
+    raid_members_str: str = ' '.join(raid_members)
+    for part in raid_members:
+        drive: str = disk.partition_parent(part)
+        # set partition type GUID for raid member; cf.
+        # https://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs
+        command: str = f'sgdisk --typecode=3:A19D880F-05FC-4D3B-A006-743F0F84911E {drive}'
+        cmd(command)
+    command: str = f'mdadm --create /dev/{raid_name} -R --metadata=1.0 \
+        --raid-devices={raid_devices_num} --level={raid_level} \
+        {raid_members_str}'
+
+    cmd(command)
+
+    raid = RaidDetails(
+        name = f'/dev/{raid_name}',
+        level = raid_level,
+        members = raid_members,
+        disks = [disk.from_partition(m) for m in raid_members]
+    )
+
+    return raid
+
+def clear():
+    """Deactivate all RAID arrays"""
+    command: str = 'mdadm --examine --scan'
+    raid_config = cmd(command)
+    if not raid_config:
+        return
+    command: str = 'mdadm --run /dev/md?*'
+    run(command)
+    command: str = 'mdadm --assemble --scan --auto=yes --symlink=no'
+    run(command)
+    command: str = 'mdadm --stop --scan'
+    run(command)
+
+
+def update_initramfs() -> None:
+    """Update initramfs"""
+    mdadm_script = '/etc/initramfs-tools/scripts/local-top/mdadm'
+    copy('/usr/share/initramfs-tools/scripts/local-block/mdadm', mdadm_script)
+    p = Path(mdadm_script)
+    p.write_text(p.read_text().replace('$((COUNT + 1))', '20'))
+    command: str = 'update-initramfs -u'
+    cmd(command)
+
+def update_default(target_dir: str) -> None:
+    """Update /etc/default/mdadm to start MD monitoring daemon at boot
+    """
+    source_mdadm_config = '/etc/default/mdadm'
+    target_mdadm_config = Path(target_dir).joinpath('/etc/default/mdadm')
+    target_mdadm_config_dir = Path(target_mdadm_config).parent
+    Path.mkdir(target_mdadm_config_dir, parents=True, exist_ok=True)
+    s = Path(source_mdadm_config).read_text().replace('START_DAEMON=false',
+                                                      'START_DAEMON=true')
+    Path(target_mdadm_config).write_text(s)
+
+def get_uuid(device: str) -> str:
+    """Get UUID of a device"""
+    command: str = f'tune2fs -l {device}'
+    l = cmd(command).splitlines()
+    uuid = next((x for x in l if x.startswith('Filesystem UUID')), '')
+    return uuid.split(':')[1].strip() if uuid else ''
+
+def get_uuids(raid_details: RaidDetails) -> tuple[str]:
+    """Get UUIDs of RAID members
+
+    Args:
+        raid_name (str): a name of array (data, backup, test, etc.)
+
+    Returns:
+        tuple[str]: root_disk uuid, root_md uuid
+    """
+    raid_name: str = raid_details.name
+    root_partition: str = raid_details.members[0]
+    uuid_root_disk: str = get_uuid(root_partition)
+    uuid_root_md: str = get_uuid(raid_name)
+    return uuid_root_disk, uuid_root_md
diff --git a/python/vyos/template.py b/python/vyos/template.py
index e167488c6..b65386654 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -316,20 +316,15 @@ def is_ipv6(text):
     except: return False
 
 @register_filter('first_host_address')
-def first_host_address(text):
+def first_host_address(prefix):
     """ Return first usable (host) IP address from given prefix.
     Example:
       - 10.0.0.0/24 -> 10.0.0.1
       - 2001:db8::/64 -> 2001:db8::
     """
     from ipaddress import ip_interface
-    from ipaddress import IPv4Network
-    from ipaddress import IPv6Network
-
-    addr = ip_interface(text)
-    if addr.version == 4:
-        return str(addr.ip +1)
-    return str(addr.ip)
+    tmp = ip_interface(prefix).network
+    return str(tmp.network_address +1)
 
 @register_filter('last_host_address')
 def last_host_address(text):
@@ -582,10 +577,11 @@ def nft_rule(rule_conf, fw_hook, fw_name, rule_id, ip_name='ip'):
 def nft_default_rule(fw_conf, fw_name, ipv6=False):
     output = ['counter']
     default_action = fw_conf['default_action']
+    family = 'ipv6' if ipv6 else 'ipv4'
 
-    if 'enable_default_log' in fw_conf:
+    if 'default_log' in fw_conf:
         action_suffix = default_action[:1].upper()
-        output.append(f'log prefix "[{fw_name[:19]}-default-{action_suffix}]"')
+        output.append(f'log prefix "[{family}-{fw_name[:19]}-default-{action_suffix}]"')
 
     #output.append(nft_action(default_action))
     output.append(f'{default_action}')
@@ -601,7 +597,7 @@ def nft_default_rule(fw_conf, fw_name, ipv6=False):
 def nft_state_policy(conf, state):
     out = [f'ct state {state}']
 
-    if 'log' in conf and 'enable' in conf['log']:
+    if 'log' in conf:
         log_state = state[:3].upper()
         log_action = (conf['action'] if 'action' in conf else 'accept')[:1].upper()
         out.append(f'log prefix "[STATE-POLICY-{log_state}-{log_action}]"')
diff --git a/python/vyos/utils/config.py b/python/vyos/utils/config.py
new file mode 100644
index 000000000..bd363ce46
--- /dev/null
+++ b/python/vyos/utils/config.py
@@ -0,0 +1,34 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+from vyos.defaults import directories
+
+config_file = os.path.join(directories['config'], 'config.boot')
+
+def read_saved_value(path: list):
+    if not isinstance(path, list) or not path:
+        return ''
+    from vyos.configtree import ConfigTree
+    try:
+        with open(config_file) as f:
+            config_string = f.read()
+        ct = ConfigTree(config_string)
+    except Exception:
+        return ''
+    if not ct.exists(path):
+        return ''
+    res = ct.return_values(path)
+    return res[0] if len(res) == 1 else res
diff --git a/python/vyos/utils/convert.py b/python/vyos/utils/convert.py
index 9a8a1ff7d..c02f0071e 100644
--- a/python/vyos/utils/convert.py
+++ b/python/vyos/utils/convert.py
@@ -52,7 +52,8 @@ def seconds_to_human(s, separator=""):
 
     return result
 
-def bytes_to_human(bytes, initial_exponent=0, precision=2):
+def bytes_to_human(bytes, initial_exponent=0, precision=2,
+                   int_below_exponent=0):
     """ Converts a value in bytes to a human-readable size string like 640 KB
 
     The initial_exponent parameter is the exponent of 2,
@@ -68,6 +69,8 @@ def bytes_to_human(bytes, initial_exponent=0, precision=2):
 
     # log2 is a float, while range checking requires an int
     exponent = int(log2(bytes))
+    if exponent < int_below_exponent:
+        precision = 0
 
     if exponent < 10:
         value = bytes
diff --git a/python/vyos/utils/dict.py b/python/vyos/utils/dict.py
index 9484eacdd..d36b6fcfb 100644
--- a/python/vyos/utils/dict.py
+++ b/python/vyos/utils/dict.py
@@ -199,6 +199,31 @@ def dict_search_recursive(dict_object, key, path=[]):
             for x in dict_search_recursive(j, key, new_path):
                 yield x
 
+
+def dict_set(key_path, value, dict_object):
+    """ Set value to Python dictionary (dict_object) using path to key delimited by dot (.).
+        The key will be added if it does not exist.
+    """
+    path_list = key_path.split(".")
+    dynamic_dict = dict_object
+    if len(path_list) > 0:
+        for i in range(0, len(path_list)-1):
+            dynamic_dict = dynamic_dict[path_list[i]]
+        dynamic_dict[path_list[len(path_list)-1]] = value
+
+def dict_delete(key_path, dict_object):
+    """ Delete key in Python dictionary (dict_object) using path to key delimited by dot (.).
+    """
+    path_dict = dict_object
+    path_list = key_path.split('.')
+    inside = path_list[:-1]
+    if not inside:
+        del dict_object[path_list]
+    else:
+        for key in path_list[:-1]:
+            path_dict = path_dict[key]
+        del path_dict[path_list[len(path_list)-1]]
+
 def dict_to_list(d, save_key_to=None):
     """ Convert a dict to a list of dicts.
 
@@ -228,6 +253,39 @@ def dict_to_list(d, save_key_to=None):
 
     return collect
 
+def dict_to_paths_values(conf: dict) -> dict:
+    """
+    Convert nested dictionary to simple dictionary, where key is a path is delimited by dot (.).
+    """
+    list_of_paths = []
+    dict_of_options ={}
+    for path in dict_to_key_paths(conf):
+        str_path = '.'.join(path)
+        list_of_paths.append(str_path)
+
+    for path in list_of_paths:
+        dict_of_options[path] = dict_search(path,conf)
+
+    return dict_of_options
+def dict_to_key_paths(d: dict) -> list:
+    """ Generator to return list of key paths from dict of list[str]|str
+    """
+    def func(d, path):
+        if isinstance(d, dict):
+            if not d:
+                yield path
+            for k, v in d.items():
+                for r in func(v, path + [k]):
+                    yield r
+        elif isinstance(d, list):
+            yield path
+        elif isinstance(d, str):
+            yield path
+        else:
+            raise ValueError('object is not a dict of strings/list of strings')
+    for r in func(d, []):
+        yield r
+
 def dict_to_paths(d: dict) -> list:
     """ Generator to return list of paths from dict of list[str]|str
     """
@@ -305,3 +363,4 @@ class FixedDict(dict):
         if k not in self._allowed:
             raise ConfigError(f'Option "{k}" has no defined default')
         super().__setitem__(k, v)
+
diff --git a/python/vyos/utils/disk.py b/python/vyos/utils/disk.py
new file mode 100644
index 000000000..ee540b107
--- /dev/null
+++ b/python/vyos/utils/disk.py
@@ -0,0 +1,23 @@
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from pathlib import Path
+
+def device_from_id(id):
+    """ Return the device name from (partial) disk id """
+    path = Path('/dev/disk/by-id')
+    for device in path.iterdir():
+        if device.name.endswith(id):
+            return device.readlink().stem
diff --git a/python/vyos/utils/file.py b/python/vyos/utils/file.py
index 667a2464b..0818f1b81 100644
--- a/python/vyos/utils/file.py
+++ b/python/vyos/utils/file.py
@@ -83,21 +83,34 @@ def read_json(fname, defaultonfailure=None):
             return defaultonfailure
         raise e
 
-def chown(path, user, group):
+def chown(path, user=None, group=None, recursive=False):
     """ change file/directory owner """
     from pwd import getpwnam
     from grp import getgrnam
 
-    if user is None or group is None:
+    if user is None and group is None:
         return False
 
     # path may also be an open file descriptor
     if not isinstance(path, int) and not os.path.exists(path):
         return False
 
-    uid = getpwnam(user).pw_uid
-    gid = getgrnam(group).gr_gid
-    os.chown(path, uid, gid)
+    # keep current value if not specified otherwise
+    uid = -1
+    gid = -1
+
+    if user:
+        uid = getpwnam(user).pw_uid
+    if group:
+        gid = getgrnam(group).gr_gid
+
+    if recursive:
+        for dirpath, dirnames, filenames in os.walk(path):
+            os.chown(dirpath, uid, gid)
+            for filename in filenames:
+                os.chown(os.path.join(dirpath, filename), uid, gid)
+    else:
+        os.chown(path, uid, gid)
     return True
 
 
@@ -134,6 +147,12 @@ def chmod_755(path):
               S_IROTH | S_IXOTH
     chmod(path, bitmask)
 
+def chmod_2775(path):
+    """ user/group permissions with set-group-id bit set """
+    from stat import S_ISGID, S_IRWXU, S_IRWXG, S_IROTH, S_IXOTH
+
+    bitmask = S_ISGID | S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH
+    chmod(path, bitmask)
 
 def makedir(path, user=None, group=None):
     if os.path.exists(path):
diff --git a/python/vyos/utils/io.py b/python/vyos/utils/io.py
index 843494855..0afaf695c 100644
--- a/python/vyos/utils/io.py
+++ b/python/vyos/utils/io.py
@@ -13,6 +13,8 @@
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 
+from typing import Callable
+
 def print_error(str='', end='\n'):
     """
     Print `str` to stderr, terminated with `end`.
@@ -24,52 +26,18 @@ def print_error(str='', end='\n'):
     sys.stderr.write(end)
     sys.stderr.flush()
 
-def make_progressbar():
-    """
-    Make a procedure that takes two arguments `done` and `total` and prints a
-     progressbar based on the ratio thereof, whose length is determined by the
-     width of the terminal.
-    """
-    import shutil, math
-    col, _ = shutil.get_terminal_size()
-    col = max(col - 15, 20)
-    def print_progressbar(done, total):
-        if done <= total:
-            increment = total / col
-            length = math.ceil(done / increment)
-            percentage = str(math.ceil(100 * done / total)).rjust(3)
-            print_error(f'[{length * "#"}{(col - length) * "_"}] {percentage}%', '\r')
-            # Print a newline so that the subsequent prints don't overwrite the full bar.
-        if done == total:
-            print_error()
-    return print_progressbar
-
-def make_incremental_progressbar(increment: float):
-    """
-    Make a generator that displays a progressbar that grows monotonically with
-     every iteration.
-    First call displays it at 0% and every subsequent iteration displays it
-     at `increment` increments where 0.0 < `increment` < 1.0.
-    Intended for FTP and HTTP transfers with stateless callbacks.
-    """
-    print_progressbar = make_progressbar()
-    total = 0.0
-    while total < 1.0:
-        print_progressbar(total, 1.0)
-        yield
-        total += increment
-    print_progressbar(1, 1)
-    # Ignore further calls.
-    while True:
-        yield
-
-def ask_input(question, default='', numeric_only=False, valid_responses=[]):
+def ask_input(question, default='', numeric_only=False, valid_responses=[],
+              no_echo=False):
+    from getpass import getpass
     question_out = question
     if default:
         question_out += f' (Default: {default})'
     response = ''
     while True:
-        response = input(question_out + ' ').strip()
+        if not no_echo:
+            response = input(question_out + ' ').strip()
+        else:
+            response = getpass(question_out + ' ').strip()
         if not response and default:
             return default
         if numeric_only:
@@ -101,3 +69,36 @@ def ask_yes_no(question, default=False) -> bool:
                 stdout.write("Please respond with yes/y or no/n\n")
         except EOFError:
             stdout.write("\nPlease respond with yes/y or no/n\n")
+
+def is_interactive():
+    """Try to determine if the routine was called from an interactive shell."""
+    import os, sys
+    return os.getenv('TERM', default=False) and sys.stderr.isatty() and sys.stdout.isatty()
+
+def is_dumb_terminal():
+    """Check if the current TTY is dumb, so that we can disable advanced terminal features."""
+    import os
+    return os.getenv('TERM') in ['vt100', 'dumb']
+
+def select_entry(l: list, list_msg: str = '', prompt_msg: str = '',
+                 list_format: Callable = None,) -> str:
+    """Select an entry from a list
+
+    Args:
+        l (list): a list of entries
+        list_msg (str): a message to print before listing the entries
+        prompt_msg (str): a message to print as prompt for selection
+
+    Returns:
+        str: a selected entry
+    """
+    en = list(enumerate(l, 1))
+    print(list_msg)
+    for i, e in en:
+        if list_format:
+            print(f'\t{i}: {list_format(e)}')
+        else:
+            print(f'\t{i}: {e}')
+    select = ask_input(prompt_msg, numeric_only=True,
+                       valid_responses=range(1, len(l)+1))
+    return next(filter(lambda x: x[0] == select, en))[1]
diff --git a/python/vyos/utils/network.py b/python/vyos/utils/network.py
index bc6899e45..c3c419a61 100644
--- a/python/vyos/utils/network.py
+++ b/python/vyos/utils/network.py
@@ -55,14 +55,17 @@ def get_vrf_members(vrf: str) -> list:
     """
     import json
     from vyos.utils.process import cmd
-    if not interface_exists(vrf):
-        raise ValueError(f'VRF "{vrf}" does not exist!')
-    output = cmd(f'ip --json --brief link show master {vrf}')
-    answer = json.loads(output)
     interfaces = []
-    for data in answer:
-        if 'ifname' in data:
-            interfaces.append(data.get('ifname'))
+    try:
+        if not interface_exists(vrf):
+            raise ValueError(f'VRF "{vrf}" does not exist!')
+        output = cmd(f'ip --json --brief link show vrf {vrf}')
+        answer = json.loads(output)
+        for data in answer:
+            if 'ifname' in data:
+                interfaces.append(data.get('ifname'))
+    except:
+        pass
     return interfaces
 
 def get_interface_vrf(interface):
@@ -135,7 +138,7 @@ def is_ipv6_tentative(iface: str, ipv6_address: str) -> bool:
     import json
     from vyos.utils.process import rc_cmd
 
-    rc, out = rc_cmd(f'ip -6 --json address show dev {iface} scope global')
+    rc, out = rc_cmd(f'ip -6 --json address show dev {iface}')
     if rc:
         return False
 
@@ -194,6 +197,22 @@ def get_all_vrfs():
         data[name] = entry
     return data
 
+def interface_list() -> list:
+    from vyos.ifconfig import Section
+    """
+    Get list of interfaces in system
+    :rtype: list
+    """
+    return Section.interfaces()
+
+
+def vrf_list() -> list:
+    """
+    Get list of VRFs in system
+    :rtype: list
+    """
+    return list(get_all_vrfs().keys())
+
 def mac2eui64(mac, prefix=None):
     """
     Convert a MAC address to a EUI64 address or, with prefix provided, a full
@@ -429,7 +448,7 @@ def is_subnet_connected(subnet, primary=False):
 
     return False
 
-def is_afi_configured(interface, afi):
+def is_afi_configured(interface: str, afi):
     """ Check if given address family is configured, or in other words - an IP
     address is assigned to the interface. """
     from netifaces import ifaddresses
@@ -446,3 +465,79 @@ def is_afi_configured(interface, afi):
         return False
 
     return afi in addresses
+
+def get_vxlan_vlan_tunnels(interface: str) -> list:
+    """ Return a list of strings with VLAN IDs configured in the Kernel """
+    from json import loads
+    from vyos.utils.process import cmd
+
+    if not interface.startswith('vxlan'):
+        raise ValueError('Only applicable for VXLAN interfaces!')
+
+    # Determine current OS Kernel configured VLANs
+    #
+    # $ bridge -j -p vlan tunnelshow dev vxlan0
+    # [ {
+    #         "ifname": "vxlan0",
+    #         "tunnels": [ {
+    #                 "vlan": 10,
+    #                 "vlanEnd": 11,
+    #                 "tunid": 10010,
+    #                 "tunidEnd": 10011
+    #             },{
+    #                 "vlan": 20,
+    #                 "tunid": 10020
+    #             } ]
+    #     } ]
+    #
+    os_configured_vlan_ids = []
+    tmp = loads(cmd(f'bridge --json vlan tunnelshow dev {interface}'))
+    if tmp:
+        for tunnel in tmp[0].get('tunnels', {}):
+            vlanStart = tunnel['vlan']
+            if 'vlanEnd' in tunnel:
+                vlanEnd = tunnel['vlanEnd']
+                # Build a real list for user VLAN IDs
+                vlan_list = list(range(vlanStart, vlanEnd +1))
+                # Convert list of integers to list or strings
+                os_configured_vlan_ids.extend(map(str, vlan_list))
+                # Proceed with next tunnel - this one is complete
+                continue
+
+            # Add single tunel id - not part of a range
+            os_configured_vlan_ids.append(str(vlanStart))
+
+    return os_configured_vlan_ids
+
+def get_vxlan_vni_filter(interface: str) -> list:
+    """ Return a list of strings with VNIs configured in the Kernel"""
+    from json import loads
+    from vyos.utils.process import cmd
+
+    if not interface.startswith('vxlan'):
+        raise ValueError('Only applicable for VXLAN interfaces!')
+
+    # Determine current OS Kernel configured VNI filters in VXLAN interface
+    #
+    # $ bridge -j vni show dev vxlan1
+    # [{"ifname":"vxlan1","vnis":[{"vni":100},{"vni":200},{"vni":300,"vniEnd":399}]}]
+    #
+    # Example output: ['10010', '10020', '10021', '10022']
+    os_configured_vnis = []
+    tmp = loads(cmd(f'bridge --json vni show dev {interface}'))
+    if tmp:
+        for tunnel in tmp[0].get('vnis', {}):
+            vniStart = tunnel['vni']
+            if 'vniEnd' in tunnel:
+                vniEnd = tunnel['vniEnd']
+                # Build a real list for user VNIs
+                vni_list = list(range(vniStart, vniEnd +1))
+                # Convert list of integers to list or strings
+                os_configured_vnis.extend(map(str, vni_list))
+                # Proceed with next tunnel - this one is complete
+                continue
+
+            # Add single tunel id - not part of a range
+            os_configured_vnis.append(str(vniStart))
+
+    return os_configured_vnis
diff --git a/python/vyos/utils/process.py b/python/vyos/utils/process.py
index e09c7d86d..bd0644bc0 100644
--- a/python/vyos/utils/process.py
+++ b/python/vyos/utils/process.py
@@ -204,17 +204,32 @@ def process_running(pid_file):
         pid = f.read().strip()
     return pid_exists(int(pid))
 
-def process_named_running(name, cmdline: str=None):
+def process_named_running(name: str, cmdline: str=None, timeout: int=0):
     """ Checks if process with given name is running and returns its PID.
     If Process is not running, return None
     """
     from psutil import process_iter
-    for p in process_iter(['name', 'pid', 'cmdline']):
-        if cmdline:
-            if p.info['name'] == name and cmdline in p.info['cmdline']:
+    def check_process(name, cmdline):
+        for p in process_iter(['name', 'pid', 'cmdline']):
+            if cmdline:
+                if name in p.info['name'] and cmdline in p.info['cmdline']:
+                    return p.info['pid']
+            elif name in p.info['name']:
                 return p.info['pid']
-        elif p.info['name'] == name:
-            return p.info['pid']
+        return None
+    if timeout:
+        import time
+        time_expire = time.time() + timeout
+        while True:
+            tmp = check_process(name, cmdline)
+            if not tmp:
+                if time.time() > time_expire:
+                    break
+                time.sleep(0.100) # wait 250ms
+                continue
+            return tmp
+    else:
+        return check_process(name, cmdline)
     return None
 
 def is_systemd_service_active(service):
diff --git a/python/vyos/vpp.py b/python/vyos/vpp.py
deleted file mode 100644
index 76e5d29c3..000000000
--- a/python/vyos/vpp.py
+++ /dev/null
@@ -1,315 +0,0 @@
-# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
-
-from functools import wraps
-from pathlib import Path
-from re import search as re_search, fullmatch as re_fullmatch, MULTILINE as re_M
-from subprocess import run
-from time import sleep
-
-from vpp_papi import VPPApiClient
-from vpp_papi import VPPIOError, VPPValueError
-
-
-class VPPControl:
-    """Control VPP network stack
-    """
-
-    class _Decorators:
-        """Decorators for VPPControl
-        """
-
-        @classmethod
-        def api_call(cls, decorated_func):
-            """Check if API is connected before API call
-
-            Args:
-                decorated_func: function to decorate
-
-            Raises:
-                VPPIOError: Connection to API is not established
-            """
-
-            @wraps(decorated_func)
-            def api_safe_wrapper(cls, *args, **kwargs):
-                if not cls.vpp_api_client.transport.connected:
-                    raise VPPIOError(2, 'VPP API is not connected')
-                return decorated_func(cls, *args, **kwargs)
-
-            return api_safe_wrapper
-
-        @classmethod
-        def check_retval(cls, decorated_func):
-            """Check retval from API response
-
-            Args:
-                decorated_func: function to decorate
-
-            Raises:
-                VPPValueError: raised when retval is not 0
-            """
-
-            @wraps(decorated_func)
-            def check_retval_wrapper(cls, *args, **kwargs):
-                return_value = decorated_func(cls, *args, **kwargs)
-                if not return_value.retval == 0:
-                    raise VPPValueError(
-                        f'VPP API call failed: {return_value.retval}')
-                return return_value
-
-            return check_retval_wrapper
-
-    def __init__(self, attempts: int = 5, interval: int = 1000) -> None:
-        """Create VPP API connection
-
-        Args:
-            attempts (int, optional): attempts to connect. Defaults to 5.
-            interval (int, optional): interval between attempts in ms. Defaults to 1000.
-
-        Raises:
-            VPPIOError: Connection to API cannot be established
-        """
-        self.vpp_api_client = VPPApiClient()
-        # connect with interval
-        while attempts:
-            try:
-                attempts -= 1
-                self.vpp_api_client.connect('vpp-vyos')
-                break
-            except (ConnectionRefusedError, FileNotFoundError) as err:
-                print(f'VPP API connection timeout: {err}')
-                sleep(interval / 1000)
-        # raise exception if connection was not successful in the end
-        if not self.vpp_api_client.transport.connected:
-            raise VPPIOError(2, 'Cannot connect to VPP API')
-
-    def __del__(self) -> None:
-        """Disconnect from VPP API (destructor)
-        """
-        self.disconnect()
-
-    def disconnect(self) -> None:
-        """Disconnect from VPP API
-        """
-        if self.vpp_api_client.transport.connected:
-            self.vpp_api_client.disconnect()
-
-    @_Decorators.check_retval
-    @_Decorators.api_call
-    def cli_cmd(self, command: str):
-        """Send raw CLI command
-
-        Args:
-            command (str): command to send
-
-        Returns:
-            vpp_papi.vpp_serializer.cli_inband_reply: CLI reply class
-        """
-        return self.vpp_api_client.api.cli_inband(cmd=command)
-
-    @_Decorators.api_call
-    def get_mac(self, ifname: str) -> str:
-        """Find MAC address by interface name in VPP
-
-        Args:
-            ifname (str): interface name inside VPP
-
-        Returns:
-            str: MAC address
-        """
-        for iface in self.vpp_api_client.api.sw_interface_dump():
-            if iface.interface_name == ifname:
-                return iface.l2_address.mac_string
-        return ''
-
-    @_Decorators.api_call
-    def get_sw_if_index(self, ifname: str) -> int | None:
-        """Find interface index by interface name in VPP
-
-        Args:
-            ifname (str): interface name inside VPP
-
-        Returns:
-            int | None: Interface index or None (if was not fount)
-        """
-        for iface in self.vpp_api_client.api.sw_interface_dump():
-            if iface.interface_name == ifname:
-                return iface.sw_if_index
-        return None
-
-    @_Decorators.check_retval
-    @_Decorators.api_call
-    def lcp_pair_add(self, iface_name_vpp: str, iface_name_kernel: str) -> None:
-        """Create LCP interface pair between VPP and kernel
-
-        Args:
-            iface_name_vpp (str): interface name in VPP
-            iface_name_kernel (str): interface name in kernel
-        """
-        iface_index = self.get_sw_if_index(iface_name_vpp)
-        if iface_index:
-            return self.vpp_api_client.api.lcp_itf_pair_add_del(
-                is_add=True,
-                sw_if_index=iface_index,
-                host_if_name=iface_name_kernel)
-
-    @_Decorators.check_retval
-    @_Decorators.api_call
-    def lcp_pair_del(self, iface_name_vpp: str, iface_name_kernel: str) -> None:
-        """Delete LCP interface pair between VPP and kernel
-
-        Args:
-            iface_name_vpp (str): interface name in VPP
-            iface_name_kernel (str): interface name in kernel
-        """
-        iface_index = self.get_sw_if_index(iface_name_vpp)
-        if iface_index:
-            return self.vpp_api_client.api.lcp_itf_pair_add_del(
-                is_add=False,
-                sw_if_index=iface_index,
-                host_if_name=iface_name_kernel)
-
-    @_Decorators.check_retval
-    @_Decorators.api_call
-    def iface_rxmode(self, iface_name: str, rx_mode: str) -> None:
-        """Set interface rx-mode in VPP
-
-        Args:
-            iface_name (str): interface name in VPP
-            rx_mode (str): mode (polling, interrupt, adaptive)
-        """
-        modes_dict: dict[str, int] = {
-            'polling': 1,
-            'interrupt': 2,
-            'adaptive': 3
-        }
-        if rx_mode not in modes_dict:
-            raise VPPValueError(f'Mode {rx_mode} is not known')
-        iface_index = self.get_sw_if_index(iface_name)
-        return self.vpp_api_client.api.sw_interface_set_rx_mode(
-            sw_if_index=iface_index, mode=modes_dict[rx_mode])
-
-    @_Decorators.api_call
-    def get_pci_addr(self, ifname: str) -> str:
-        """Find PCI address of interface by interface name in VPP
-
-        Args:
-            ifname (str): interface name inside VPP
-
-        Returns:
-            str: PCI address
-        """
-        hw_info = self.cli_cmd(f'show hardware-interfaces {ifname}').reply
-
-        regex_filter = r'^\s+pci: device (?P<device>\w+:\w+) subsystem (?P<subsystem>\w+:\w+) address (?P<address>\w+:\w+:\w+\.\w+) numa (?P<numa>\w+)$'
-        re_obj = re_search(regex_filter, hw_info, re_M)
-
-        # return empty string if no interface or no PCI info was found
-        if not hw_info or not re_obj:
-            return ''
-
-        address = re_obj.groupdict().get('address', '')
-
-        # we need to modify address to math kernel style
-        # for example: 0000:06:14.00 -> 0000:06:14.0
-        address_chunks: list[str] = address.split('.')
-        address_normalized: str = f'{address_chunks[0]}.{int(address_chunks[1])}'
-
-        return address_normalized
-
-
-class HostControl:
-    """Control Linux host
-    """
-
-    @staticmethod
-    def pci_rescan(pci_addr: str = '') -> None:
-        """Rescan PCI device by removing it and rescan PCI bus
-
-        If PCI address is not defined - just rescan PCI bus
-
-        Args:
-            address (str, optional): PCI address of device. Defaults to ''.
-        """
-        if pci_addr:
-            device_file = Path(f'/sys/bus/pci/devices/{pci_addr}/remove')
-            if device_file.exists():
-                device_file.write_text('1')
-                # wait 10 seconds max until device will be removed
-                attempts = 100
-                while device_file.exists() and attempts:
-                    attempts -= 1
-                    sleep(0.1)
-                if device_file.exists():
-                    raise TimeoutError(
-                        f'Timeout was reached for removing PCI device {pci_addr}'
-                    )
-            else:
-                raise FileNotFoundError(f'PCI device {pci_addr} does not exist')
-        rescan_file = Path('/sys/bus/pci/rescan')
-        rescan_file.write_text('1')
-        if pci_addr:
-            # wait 10 seconds max until device will be installed
-            attempts = 100
-            while not device_file.exists() and attempts:
-                attempts -= 1
-                sleep(0.1)
-            if not device_file.exists():
-                raise TimeoutError(
-                    f'Timeout was reached for installing PCI device {pci_addr}')
-
-    @staticmethod
-    def get_eth_name(pci_addr: str) -> str:
-        """Find Ethernet interface name by PCI address
-
-        Args:
-            pci_addr (str): PCI address
-
-        Raises:
-            FileNotFoundError: no Ethernet interface was found
-
-        Returns:
-            str: Ethernet interface name
-        """
-        # find all PCI devices with eth* names
-        net_devs: dict[str, str] = {}
-        net_devs_dir = Path('/sys/class/net')
-        regex_filter = r'^/sys/devices/pci[\w/:\.]+/(?P<pci_addr>\w+:\w+:\w+\.\w+)/[\w/:\.]+/(?P<iface_name>eth\d+)$'
-        for dir in net_devs_dir.iterdir():
-            real_dir: str = dir.resolve().as_posix()
-            re_obj = re_fullmatch(regex_filter, real_dir)
-            if re_obj:
-                iface_name: str = re_obj.group('iface_name')
-                iface_addr: str = re_obj.group('pci_addr')
-                net_devs.update({iface_addr: iface_name})
-        # match to provided PCI address and return a name if found
-        if pci_addr in net_devs:
-            return net_devs[pci_addr]
-        # raise error if device was not found
-        raise FileNotFoundError(
-            f'PCI device {pci_addr} not found in ethernet interfaces')
-
-    @staticmethod
-    def rename_iface(name_old: str, name_new: str) -> None:
-        """Rename interface
-
-        Args:
-            name_old (str): old name
-            name_new (str): new name
-        """
-        rename_cmd: list[str] = [
-            'ip', 'link', 'set', name_old, 'name', name_new
-        ]
-        run(rename_cmd)
diff --git a/scripts/build-command-templates b/scripts/build-command-templates
index c8ae83d9d..2e7f8b994 100755
--- a/scripts/build-command-templates
+++ b/scripts/build-command-templates
@@ -145,6 +145,8 @@ def get_properties(p, default=None):
             description = v.find("description").text
             if default != None and default.text == format:
                 description += f' (default)'
+            # Is no description was specified, keep it empty
+            if not description: description = ''
             vh.append( (format, description) )
         props["val_help"] = vh
     except:
diff --git a/scripts/override-default b/scripts/override-default
index 0c49087c8..5058e79b3 100755
--- a/scripts/override-default
+++ b/scripts/override-default
@@ -41,6 +41,14 @@ if debug:
 else:
     logger.setLevel(logging.INFO)
 
+def clear_empty_path(el):
+    # on the odd chance of interleaved comments
+    tmp = [l for l in el if isinstance(l.tag, str)]
+    if not tmp:
+        p = el.getparent()
+        p.remove(el)
+        clear_empty_path(p)
+
 def override_element(l: list):
     """
     Allow multiple override elements; use the final one (in document order).
@@ -59,7 +67,9 @@ def override_element(l: list):
 
     # remove all but overridden element
     for el in parents:
-        el.getparent().remove(el)
+        tmp = el.getparent()
+        tmp.remove(el)
+        clear_empty_path(tmp)
 
 def merge_remaining(l: list, elementtree):
     """
@@ -81,7 +91,9 @@ def merge_remaining(l: list, elementtree):
                 # override_element() has already run
                 for child in el:
                     rp[0].append(deepcopy(child))
-                el.getparent().remove(el)
+                tmp = el.getparent()
+                tmp.remove(el)
+                clear_empty_path(tmp)
 
 def collect_and_override(dir_name):
     """
@@ -104,7 +116,7 @@ def collect_and_override(dir_name):
 
         for k, v in defv.items():
             if len(v) > 1:
-                logger.info(f"overridding default in path '{k}'")
+                logger.info(f"overriding default in path '{k}'")
                 override_element(v)
 
         to_merge = list(defv)
diff --git a/smoketest/config-tests/basic-api-service b/smoketest/config-tests/basic-api-service
new file mode 100644
index 000000000..dc54929b9
--- /dev/null
+++ b/smoketest/config-tests/basic-api-service
@@ -0,0 +1,16 @@
+set interfaces ethernet eth0 address '192.0.2.1/31'
+set interfaces ethernet eth0 address '2001:db8::1234/64'
+set interfaces loopback lo
+set service ntp server time1.vyos.net
+set service ntp server time2.vyos.net
+set service ntp server time3.vyos.net
+set service https allow-client address '172.16.0.0/12'
+set service https allow-client address '192.168.0.0/16'
+set service https allow-client address '10.0.0.0/8'
+set service https allow-client address '2001:db8::/32'
+set service https api keys id 1 key 'S3cur3'
+set system config-management commit-revisions '100'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system console device ttyS0 speed '115200'
diff --git a/smoketest/config-tests/igmp-pim-small b/smoketest/config-tests/igmp-pim-small
new file mode 100644
index 000000000..207c17d45
--- /dev/null
+++ b/smoketest/config-tests/igmp-pim-small
@@ -0,0 +1,17 @@
+set interfaces ethernet eth1 address '100.64.0.1/24'
+set interfaces ethernet eth2 address '172.16.0.2/24'
+set protocols pim interface eth1 igmp join 224.1.0.0 source-address '1.1.1.1'
+set protocols pim interface eth1 igmp join 224.1.0.0 source-address '1.1.1.2'
+set protocols pim interface eth1 igmp query-interval '1000'
+set protocols pim interface eth1 igmp query-max-response-time '30'
+set protocols pim interface eth1 igmp version '2'
+set protocols pim interface eth2
+set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'
+set service ntp server 0.pool.ntp.org
+set service ntp server 1.pool.ntp.org
+set service ntp server 2.pool.ntp.org
+set system domain-name 'vyos.io'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system console device ttyS0 speed '115200'
diff --git a/smoketest/configs/basic-api-service b/smoketest/configs/basic-api-service
new file mode 100644
index 000000000..f997ccd73
--- /dev/null
+++ b/smoketest/configs/basic-api-service
@@ -0,0 +1,87 @@
+interfaces {
+    ethernet eth0 {
+        address 192.0.2.1/31
+        address 2001:db8::1234/64
+    }
+    ethernet eth1 {
+    }
+    loopback lo {
+    }
+}
+service {
+    https {
+        api {
+            keys {
+                id 1 {
+                    key S3cur3
+                }
+            }
+            socket
+        }
+        virtual-host bar {
+            allow-client {
+                address 172.16.0.0/12
+            }
+            listen-port 5555
+            server-name bar
+        }
+        virtual-host baz {
+            allow-client {
+                address 192.168.0.0/16
+            }
+            listen-address "*"
+            listen-port 6666
+            server-name baz
+        }
+        virtual-host foo {
+            allow-client {
+                address 10.0.0.0/8
+                address 2001:db8::/32
+            }
+            listen-port 7777
+            server-name foo
+        }
+    }
+}
+system {
+    config-management {
+        commit-revisions 100
+    }
+    console {
+        device ttyS0 {
+            speed 115200
+        }
+    }
+    host-name vyos
+    login {
+        user vyos {
+            authentication {
+                encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+                plaintext-password ""
+            }
+        }
+    }
+    ntp {
+        server time1.vyos.net {
+        }
+        server time2.vyos.net {
+        }
+        server time3.vyos.net {
+        }
+    }
+    syslog {
+        global {
+            facility all {
+                level info
+            }
+            facility protocols {
+                level debug
+            }
+        }
+    }
+}
+
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1"
+// Release version: 1.3-rolling-202010241631
diff --git a/smoketest/configs/bgp-evpn-l2vpn-leaf b/smoketest/configs/bgp-evpn-l2vpn-leaf
index 020490186..ab46fbb02 100644
--- a/smoketest/configs/bgp-evpn-l2vpn-leaf
+++ b/smoketest/configs/bgp-evpn-l2vpn-leaf
@@ -33,7 +33,6 @@ interfaces {
         parameters {
             nolearning
         }
-        port 4789
         source-address 172.29.0.1
         vni 100
     }
diff --git a/smoketest/configs/dialup-router-wireguard-ipv6 b/smoketest/configs/dialup-router-wireguard-ipv6
new file mode 100644
index 000000000..33afb9b04
--- /dev/null
+++ b/smoketest/configs/dialup-router-wireguard-ipv6
@@ -0,0 +1,1629 @@
+firewall {
+    all-ping enable
+    broadcast-ping disable
+    config-trap disable
+    group {
+        address-group DMZ-WEBSERVER {
+            address 172.16.36.10
+            address 172.16.36.40
+            address 172.16.36.20
+        }
+        address-group DMZ-RDP-SERVER {
+            address 172.16.33.40
+        }
+        address-group DOMAIN-CONTROLLER {
+            address 172.16.100.10
+            address 172.16.100.20
+            address 172.16.110.30
+        }
+        address-group VIDEO {
+            address 172.16.33.211
+            address 172.16.33.212
+            address 172.16.33.213
+            address 172.16.33.214
+        }
+        ipv6-network-group LOCAL-ADDRESSES {
+            network ff02::/64
+            network fe80::/10
+        }
+        network-group SSH-IN-ALLOW {
+            network 100.65.150.0/23
+            network 100.64.69.205/32
+            network 100.64.8.67/32
+            network 100.64.55.1/32
+        }
+    }
+    ipv6-name ALLOW-ALL-6 {
+        default-action accept
+    }
+    ipv6-name ALLOW-BASIC-6 {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            state {
+                invalid enable
+            }
+        }
+        rule 10 {
+            action accept
+            protocol icmpv6
+        }
+    }
+    ipv6-name ALLOW-ESTABLISHED-6 {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            state {
+                invalid enable
+            }
+        }
+        rule 10 {
+            action accept
+            destination {
+                group {
+                    network-group LOCAL-ADDRESSES
+                }
+            }
+            protocol icmpv6
+            source {
+                address fe80::/10
+            }
+        }
+        rule 20 {
+            action accept
+            icmpv6 {
+                type echo-request
+            }
+            protocol icmpv6
+        }
+        rule 21 {
+            action accept
+            icmpv6 {
+                type destination-unreachable
+            }
+            protocol icmpv6
+        }
+        rule 22 {
+            action accept
+            icmpv6 {
+                type packet-too-big
+            }
+            protocol icmpv6
+        }
+        rule 23 {
+            action accept
+            icmpv6 {
+                type time-exceeded
+            }
+            protocol icmpv6
+        }
+        rule 24 {
+            action accept
+            icmpv6 {
+                type parameter-problem
+            }
+            protocol icmpv6
+        }
+    }
+    ipv6-name WAN-LOCAL-6 {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            state {
+                invalid enable
+            }
+        }
+        rule 10 {
+            action accept
+            destination {
+                address ff02::/64
+            }
+            protocol icmpv6
+            source {
+                address fe80::/10
+            }
+        }
+        rule 50 {
+            action accept
+            destination {
+                address fe80::/10
+                port 546
+            }
+            protocol udp
+            source {
+                address fe80::/10
+                port 547
+            }
+        }
+    }
+    ipv6-receive-redirects disable
+    ipv6-src-route disable
+    ip-src-route disable
+    log-martians enable
+    name DMZ-GUEST {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+    }
+    name DMZ-LAN {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 100 {
+            action accept
+            destination {
+                group {
+                    address-group DOMAIN-CONTROLLER
+                }
+                port 123,389,636
+            }
+            protocol tcp_udp
+        }
+        rule 300 {
+            action accept
+            destination {
+                group {
+                    address-group DMZ-RDP-SERVER
+                }
+                port 3389
+            }
+            protocol tcp_udp
+            source {
+                address 172.16.36.20
+            }
+        }
+    }
+    name DMZ-LOCAL {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 50 {
+            action accept
+            destination {
+                address 172.16.254.30
+                port 53
+            }
+            protocol tcp_udp
+        }
+        rule 123 {
+            action accept
+            destination {
+                port 123
+            }
+            protocol udp
+        }
+    }
+    name DMZ-WAN {
+        default-action accept
+    }
+    name GUEST-DMZ {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+    }
+    name GUEST-LAN {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+    }
+    name GUEST-LOCAL {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 10 {
+            action accept
+            destination {
+                address 172.31.0.254
+                port 53
+            }
+            protocol tcp_udp
+        }
+        rule 11 {
+            action accept
+            destination {
+                port 67
+            }
+            protocol udp
+        }
+        rule 15 {
+            action accept
+            destination {
+                address 172.31.0.254
+            }
+            protocol icmp
+        }
+        rule 100 {
+            action accept
+            destination {
+                address 172.31.0.254
+                port 80,443
+            }
+            protocol tcp
+        }
+    }
+    name GUEST-WAN {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 25 {
+            action accept
+            destination {
+                port 25,587
+            }
+            protocol tcp
+        }
+        rule 53 {
+            action accept
+            destination {
+                port 53
+            }
+            protocol tcp_udp
+        }
+        rule 60 {
+            action accept
+            source {
+                address 172.31.0.200
+            }
+        }
+        rule 80 {
+            action accept
+            source {
+                address 172.31.0.200
+            }
+        }
+        rule 100 {
+            action accept
+            protocol icmp
+        }
+        rule 110 {
+            action accept
+            destination {
+                port 110,995
+            }
+            protocol tcp
+        }
+        rule 123 {
+            action accept
+            destination {
+                port 123
+            }
+            protocol udp
+        }
+        rule 143 {
+            action accept
+            destination {
+                port 143,993
+            }
+            protocol tcp
+        }
+        rule 200 {
+            action accept
+            destination {
+                port 80,443
+            }
+            protocol tcp
+        }
+        rule 500 {
+            action accept
+            destination {
+                port 500,4500
+            }
+            protocol udp
+        }
+        rule 600 {
+            action accept
+            destination {
+                port 5222-5224
+            }
+            protocol tcp
+        }
+        rule 601 {
+            action accept
+            destination {
+                port 3478-3497,4500,16384-16387,16393-16402
+            }
+            protocol udp
+        }
+        rule 1000 {
+            action accept
+            source {
+                address 172.31.0.184
+            }
+        }
+    }
+    name LAN-DMZ {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 22 {
+            action accept
+            destination {
+                port 22
+            }
+            protocol tcp
+        }
+        rule 100 {
+            action accept
+            destination {
+                group {
+                    address-group DMZ-WEBSERVER
+                }
+                port 22
+            }
+            protocol tcp
+        }
+    }
+    name LAN-GUEST {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+    }
+    name LAN-LOCAL {
+        default-action accept
+    }
+    name LAN-WAN {
+        default-action accept
+        rule 90 {
+            action accept
+            destination {
+                address 100.65.150.0/23
+                port 25
+            }
+            protocol tcp_udp
+            source {
+                group {
+                    address-group VIDEO
+                }
+            }
+        }
+        rule 100 {
+            action drop
+            source {
+                group {
+                    address-group VIDEO
+                }
+            }
+        }
+    }
+    name LOCAL-DMZ {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 100 {
+            action accept
+            destination {
+                address 172.16.36.40
+                port 80,443
+            }
+            protocol tcp
+        }
+    }
+    name LOCAL-GUEST {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 5 {
+            action accept
+            protocol icmp
+        }
+        rule 300 {
+            action accept
+            destination {
+                port 1900
+            }
+            protocol udp
+        }
+    }
+    name LOCAL-LAN {
+        default-action accept
+    }
+    name LOCAL-WAN {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 10 {
+            action accept
+            protocol icmp
+        }
+        rule 50 {
+            action accept
+            destination {
+                port 53
+            }
+            protocol tcp_udp
+        }
+        rule 80 {
+            action accept
+            destination {
+                port 80,443
+            }
+            protocol tcp
+        }
+        rule 123 {
+            action accept
+            destination {
+                port 123
+            }
+            protocol udp
+        }
+        rule 800 {
+            action accept
+            destination {
+                address 100.65.151.213
+            }
+            protocol udp
+        }
+        rule 805 {
+            action accept
+            destination {
+                address 100.65.151.2
+            }
+            protocol all
+        }
+        rule 1010 {
+            action accept
+            destination {
+                address 100.64.69.205
+                port 7705
+            }
+            protocol udp
+            source {
+                port 7705
+            }
+        }
+        rule 1990 {
+            action accept
+            destination {
+                address 100.64.55.1
+                port 10666
+            }
+            protocol udp
+        }
+        rule 2000 {
+            action accept
+            destination {
+                address 100.64.39.249
+            }
+        }
+        rule 10200 {
+            action accept
+            destination {
+                address 100.64.89.98
+                port 10200
+            }
+            protocol udp
+            source {
+                port 10200
+            }
+        }
+    }
+    name WAN-DMZ {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 100 {
+            action accept
+            destination {
+                address 172.16.36.10
+                port 80,443
+            }
+            protocol tcp
+        }
+    }
+    name WAN-GUEST {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 1000 {
+            action accept
+            destination {
+                address 172.31.0.184
+            }
+        }
+        rule 8000 {
+            action accept
+            destination {
+                address 172.31.0.200
+                port 10000
+            }
+            protocol udp
+        }
+    }
+    name WAN-LAN {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 1000 {
+            action accept
+            destination {
+                address 172.16.33.40
+                port 3389
+            }
+            protocol tcp
+            source {
+                group {
+                    network-group SSH-IN-ALLOW
+                }
+            }
+        }
+    }
+    name WAN-LOCAL {
+        default-action drop
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 22 {
+            action accept
+            destination {
+                port 22
+            }
+            protocol tcp
+            source {
+                group {
+                    network-group SSH-IN-ALLOW
+                }
+            }
+        }
+        rule 1990 {
+            action accept
+            destination {
+                port 10666
+            }
+            protocol udp
+            source {
+                address 100.64.55.1
+            }
+        }
+        rule 10000 {
+            action accept
+            destination {
+                port 80,443
+            }
+            protocol tcp
+        }
+        rule 10100 {
+            action accept
+            destination {
+                port 10100
+            }
+            protocol udp
+            source {
+                port 10100
+            }
+        }
+        rule 10200 {
+            action accept
+            destination {
+                port 10200
+            }
+            protocol udp
+            source {
+                address 100.64.89.98
+                port 10200
+            }
+        }
+    }
+    options {
+        interface pppoe0 {
+            adjust-mss 1452
+            adjust-mss6 1432
+        }
+    }
+    receive-redirects disable
+    send-redirects enable
+    source-validation disable
+    syn-cookies enable
+    twa-hazards-protection disable
+}
+interfaces {
+    dummy dum0 {
+        address 172.16.254.30/32
+    }
+    ethernet eth0 {
+        duplex auto
+        offload {
+            gro
+            gso
+            sg
+            tso
+        }
+        ring-buffer {
+            rx 256
+            tx 256
+        }
+        speed auto
+        vif 5 {
+            address 172.16.37.254/24
+            ip {
+                ospf {
+                    authentication {
+                        md5 {
+                            key-id 10 {
+                                md5-key ospf
+                            }
+                        }
+                    }
+                    dead-interval 40
+                    hello-interval 10
+                    priority 1
+                    retransmit-interval 5
+                    transmit-delay 1
+                }
+            }
+        }
+        vif 10 {
+            address 172.16.33.254/24
+            address 172.16.40.254/24
+        }
+        vif 50 {
+            address 172.16.36.254/24
+        }
+    }
+    ethernet eth1 {
+        duplex auto
+        offload {
+            gro
+            gso
+            sg
+            tso
+        }
+        speed auto
+        vif 20 {
+            address 172.31.0.254/24
+        }
+    }
+    ethernet eth2 {
+        disable
+        duplex auto
+        offload {
+            gro
+            gso
+            sg
+            tso
+        }
+        speed auto
+    }
+    ethernet eth3 {
+        duplex auto
+        offload {
+            gro
+            gso
+            sg
+            tso
+        }
+        ring-buffer {
+            rx 256
+            tx 256
+        }
+        speed auto
+        vif 7 {
+        }
+    }
+    loopback lo {
+        address 172.16.254.30/32
+    }
+    pppoe pppoe0 {
+        authentication {
+            password vyos
+            user vyos
+        }
+        default-route force
+        dhcpv6-options {
+            pd 0 {
+                interface eth0.10 {
+                    address 1
+                    sla-id 10
+                }
+                interface eth1.20 {
+                    address 1
+                    sla-id 20
+                }
+                length 56
+            }
+        }
+        ipv6 {
+            address {
+                autoconf
+            }
+        }
+        no-peer-dns
+        source-interface eth3.7
+    }
+    wireguard wg100 {
+        address 172.16.252.128/31
+        mtu 1500
+        peer HR6 {
+            address 100.65.151.213
+            allowed-ips 0.0.0.0/0
+            port 10100
+            pubkey yLpi+UZuI019bmWH2h5fX3gStbpPPPLgEoYMyrdkOnQ=
+        }
+        port 10100
+    }
+    wireguard wg200 {
+        address 172.16.252.130/31
+        mtu 1500
+        peer WH56 {
+            address 80.151.69.205
+            allowed-ips 0.0.0.0/0
+            port 10200
+            pubkey XQbkj6vnKKBJfJQyThXysU0iGxCvEOEb31kpaZgkrD8=
+        }
+        port 10200
+    }
+    wireguard wg666 {
+        address 172.29.0.1/31
+        mtu 1500
+        peer WH34 {
+            address 100.65.55.1
+            allowed-ips 0.0.0.0/0
+            port 10666
+            pubkey yaTN4+xAafKM04D+Baeg5GWfbdaw35TE9HQivwRgAk0=
+        }
+        port 10666
+    }
+}
+nat {
+    destination {
+        rule 8000 {
+            destination {
+                port 10000
+            }
+            inbound-interface pppoe0
+            protocol udp
+            translation {
+                address 172.31.0.200
+            }
+        }
+    }
+    source {
+        rule 50 {
+            outbound-interface pppoe0
+            source {
+                address 100.64.0.0/24
+            }
+            translation {
+                address masquerade
+            }
+        }
+        rule 100 {
+            outbound-interface pppoe0
+            source {
+                address 172.16.32.0/21
+            }
+            translation {
+                address masquerade
+            }
+        }
+        rule 200 {
+            outbound-interface pppoe0
+            source {
+                address 172.16.100.0/24
+            }
+            translation {
+                address masquerade
+            }
+        }
+        rule 300 {
+            outbound-interface pppoe0
+            source {
+                address 172.31.0.0/24
+            }
+            translation {
+                address masquerade
+            }
+        }
+        rule 400 {
+            outbound-interface pppoe0
+            source {
+                address 172.18.200.0/21
+            }
+            translation {
+                address masquerade
+            }
+        }
+        rule 1000 {
+            destination {
+                address 192.168.189.0/24
+            }
+            outbound-interface wg666
+            source {
+                address 172.16.32.0/21
+            }
+            translation {
+                address 172.29.0.1
+            }
+        }
+        rule 1001 {
+            destination {
+                address 192.168.189.0/24
+            }
+            outbound-interface wg666
+            source {
+                address 172.16.100.0/24
+            }
+            translation {
+                address 172.29.0.1
+            }
+        }
+    }
+}
+policy {
+    route-map MAP-OSPF-CONNECTED {
+        rule 1 {
+            action deny
+            match {
+                interface eth1.20
+            }
+        }
+        rule 20 {
+            action permit
+            match {
+                interface eth0.10
+            }
+        }
+        rule 40 {
+            action permit
+            match {
+                interface eth0.50
+            }
+        }
+    }
+}
+protocols {
+    bfd {
+        peer 172.16.252.129 {
+        }
+        peer 172.16.252.131 {
+        }
+        peer 172.18.254.201 {
+        }
+    }
+    bgp 64503 {
+        address-family {
+            ipv4-unicast {
+                network 172.16.32.0/21 {
+                }
+                network 172.16.100.0/24 {
+                }
+                network 172.16.252.128/31 {
+                }
+                network 172.16.252.130/31 {
+                }
+                network 172.16.254.30/32 {
+                }
+                network 172.18.0.0/16 {
+                }
+            }
+        }
+        neighbor 172.16.252.129 {
+            peer-group WIREGUARD
+        }
+        neighbor 172.16.252.131 {
+            peer-group WIREGUARD
+        }
+        neighbor 172.18.254.201 {
+            address-family {
+                ipv4-unicast {
+                    nexthop-self {
+                    }
+                }
+            }
+            bfd {
+            }
+            remote-as 64503
+            update-source dum0
+        }
+        parameters {
+            default {
+                no-ipv4-unicast
+            }
+            log-neighbor-changes
+        }
+        peer-group WIREGUARD {
+            address-family {
+                ipv4-unicast {
+                    soft-reconfiguration {
+                        inbound
+                    }
+                }
+            }
+            bfd
+            remote-as external
+        }
+        timers {
+            holdtime 30
+            keepalive 10
+        }
+    }
+    ospf {
+        area 0 {
+            network 172.16.254.30/32
+            network 172.16.37.0/24
+            network 172.18.201.0/24
+            network 172.18.202.0/24
+            network 172.18.203.0/24
+            network 172.18.204.0/24
+        }
+        default-information {
+            originate {
+                always
+                metric-type 2
+            }
+        }
+        log-adjacency-changes {
+            detail
+        }
+        parameters {
+            abr-type cisco
+            router-id 172.16.254.30
+        }
+        passive-interface default
+        passive-interface-exclude eth0.5
+        redistribute {
+            connected {
+                metric-type 2
+                route-map MAP-OSPF-CONNECTED
+            }
+        }
+    }
+    static {
+        interface-route6 2000::/3 {
+            next-hop-interface pppoe0 {
+            }
+        }
+        route 10.0.0.0/8 {
+            blackhole {
+                distance 254
+            }
+        }
+        route 169.254.0.0/16 {
+            blackhole {
+                distance 254
+            }
+        }
+        route 172.16.0.0/12 {
+            blackhole {
+                distance 254
+            }
+        }
+        route 172.16.32.0/21 {
+            blackhole {
+            }
+        }
+        route 172.18.0.0/16 {
+            blackhole {
+            }
+        }
+        route 172.29.0.2/31 {
+            next-hop 172.29.0.0 {
+            }
+        }
+        route 192.168.0.0/16 {
+            blackhole {
+                distance 254
+            }
+        }
+        route 192.168.189.0/24 {
+            next-hop 172.29.0.0 {
+            }
+        }
+    }
+}
+service {
+    dhcp-server {
+        shared-network-name BACKBONE {
+            authoritative
+            subnet 172.16.37.0/24 {
+                default-router 172.16.37.254
+                domain-name vyos.net
+                domain-search vyos.net
+                lease 86400
+                name-server 172.16.254.30
+                ntp-server 172.16.254.30
+                range 0 {
+                    start 172.16.37.120
+                    stop 172.16.37.149
+                }
+                static-mapping AP1 {
+                    ip-address 172.16.37.231
+                    mac-address 02:00:00:00:ee:18
+                }
+                static-mapping AP2 {
+                    ip-address 172.16.37.232
+                    mac-address 02:00:00:00:52:84
+                }
+                static-mapping AP3 {
+                    ip-address 172.16.37.233
+                    mac-address 02:00:00:00:51:c0
+                }
+                static-mapping AP4 {
+                    ip-address 172.16.37.234
+                    mac-address 02:00:00:00:e6:fc
+                }
+                static-mapping AP5 {
+                    ip-address 172.16.37.235
+                    mac-address 02:00:00:00:c3:50
+                }
+            }
+        }
+        shared-network-name GUEST {
+            authoritative
+            subnet 172.31.0.0/24 {
+                default-router 172.31.0.254
+                domain-name vyos.net
+                domain-search vyos.net
+                lease 86400
+                name-server 172.31.0.254
+                range 0 {
+                    start 172.31.0.101
+                    stop 172.31.0.199
+                }
+            }
+        }
+        shared-network-name LAN {
+            authoritative
+            subnet 172.16.33.0/24 {
+                default-router 172.16.33.254
+                domain-name vyos.net
+                domain-search vyos.net
+                lease 86400
+                name-server 172.16.254.30
+                ntp-server 172.16.254.30
+                range 0 {
+                    start 172.16.33.100
+                    stop 172.16.33.189
+                }
+                static-mapping one {
+                    ip-address 172.16.33.221
+                    mac-address 02:00:00:00:eb:a6
+                }
+                static-mapping two {
+                    ip-address 172.16.33.211
+                    mac-address 02:00:00:00:58:90
+                }
+                static-mapping three {
+                    ip-address 172.16.33.212
+                    mac-address 02:00:00:00:12:c7
+                }
+                static-mapping four {
+                    ip-address 172.16.33.214
+                    mac-address 02:00:00:00:c4:33
+                }
+            }
+        }
+    }
+    dns {
+        dynamic {
+            interface pppoe0 {
+                service vyos {
+                    host-name r1.vyos.net
+                    login vyos-vyos
+                    password vyos
+                    protocol dyndns2
+                    server dyndns.vyos.io
+                }
+            }
+        }
+        forwarding {
+            allow-from 172.16.0.0/12
+            domain 16.172.in-addr.arpa {
+                addnta
+                recursion-desired
+                server 172.16.100.10
+                server 172.16.100.20
+            }
+            domain 18.172.in-addr.arpa {
+                addnta
+                recursion-desired
+                server 172.16.100.10
+                server 172.16.100.20
+            }
+            domain vyos.net {
+                addnta
+                recursion-desired
+                server 172.16.100.20
+                server 172.16.100.10
+            }
+            ignore-hosts-file
+            listen-address 172.16.254.30
+            listen-address 172.31.0.254
+            negative-ttl 60
+        }
+    }
+    lldp {
+        legacy-protocols {
+            cdp
+            edp
+            fdp
+            sonmp
+        }
+        snmp {
+            enable
+        }
+    }
+    router-advert {
+        interface eth0.10 {
+            prefix ::/64 {
+                preferred-lifetime 2700
+                valid-lifetime 5400
+            }
+        }
+        interface eth1.20 {
+            prefix ::/64 {
+                preferred-lifetime 2700
+                valid-lifetime 5400
+            }
+        }
+    }
+    snmp {
+        community ro-community {
+            authorization ro
+            network 172.16.100.0/24
+        }
+        contact "VyOS"
+        listen-address 172.16.254.30 {
+            port 161
+        }
+        location "CLOUD"
+    }
+    ssh {
+        disable-host-validation
+        port 22
+    }
+}
+system {
+    config-management {
+        commit-revisions 200
+    }
+    conntrack {
+        expect-table-size 2048
+        hash-size 32768
+        modules {
+            ftp
+            h323
+            nfs
+            pptp
+            sqlnet
+            tftp
+        }
+        table-size 262144
+        timeout {
+            icmp 30
+            other 600
+            udp {
+                other 300
+                stream 300
+            }
+        }
+    }
+    console {
+        device ttyS0 {
+            speed 115200
+        }
+    }
+    domain-name vyos.net
+    host-name r1
+    login {
+        user vyos {
+            authentication {
+                encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+                plaintext-password ""
+            }
+        }
+    }
+    name-server 172.16.254.30
+    ntp {
+        allow-clients {
+            address 172.16.0.0/12
+        }
+        server time1.vyos.net {
+        }
+        server time2.vyos.net {
+        }
+    }
+    option {
+        ctrl-alt-delete ignore
+        performance latency
+        reboot-on-panic
+        startup-beep
+    }
+    syslog {
+        global {
+            facility all {
+                level debug
+            }
+            facility protocols {
+                level debug
+            }
+        }
+        host 172.16.100.1 {
+            facility all {
+                level warning
+            }
+        }
+    }
+    time-zone Europe/Berlin
+}
+traffic-policy {
+    shaper QoS {
+        bandwidth 50mbit
+        default {
+            bandwidth 100%
+            burst 15k
+            queue-limit 1000
+            queue-type fq-codel
+        }
+    }
+}
+zone-policy {
+    zone DMZ {
+        default-action drop
+        from GUEST {
+            firewall {
+                name GUEST-DMZ
+            }
+        }
+        from LAN {
+            firewall {
+                name LAN-DMZ
+            }
+        }
+        from LOCAL {
+            firewall {
+                name LOCAL-DMZ
+            }
+        }
+        from WAN {
+            firewall {
+                name WAN-DMZ
+            }
+        }
+        interface eth0.50
+    }
+    zone GUEST {
+        default-action drop
+        from DMZ {
+            firewall {
+                name DMZ-GUEST
+            }
+        }
+        from LAN {
+            firewall {
+                name LAN-GUEST
+            }
+        }
+        from LOCAL {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name LOCAL-GUEST
+            }
+        }
+        from WAN {
+            firewall {
+                ipv6-name ALLOW-ESTABLISHED-6
+                name WAN-GUEST
+            }
+        }
+        interface eth1.20
+    }
+    zone LAN {
+        default-action drop
+        from DMZ {
+            firewall {
+                name DMZ-LAN
+            }
+        }
+        from GUEST {
+            firewall {
+                name GUEST-LAN
+            }
+        }
+        from LOCAL {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name LOCAL-LAN
+            }
+        }
+        from WAN {
+            firewall {
+                ipv6-name ALLOW-ESTABLISHED-6
+                name WAN-LAN
+            }
+        }
+        interface eth0.5
+        interface eth0.10
+        interface wg100
+        interface wg200
+    }
+    zone LOCAL {
+        default-action drop
+        from DMZ {
+            firewall {
+                name DMZ-LOCAL
+            }
+        }
+        from GUEST {
+            firewall {
+                ipv6-name ALLOW-ESTABLISHED-6
+                name GUEST-LOCAL
+            }
+        }
+        from LAN {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name LAN-LOCAL
+            }
+        }
+        from WAN {
+            firewall {
+                ipv6-name WAN-LOCAL-6
+                name WAN-LOCAL
+            }
+        }
+        local-zone
+    }
+    zone WAN {
+        default-action drop
+        from DMZ {
+            firewall {
+                name DMZ-WAN
+            }
+        }
+        from GUEST {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name GUEST-WAN
+            }
+        }
+        from LAN {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name LAN-WAN
+            }
+        }
+        from LOCAL {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name LOCAL-WAN
+            }
+        }
+        interface pppoe0
+        interface wg666
+    }
+}
+
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.3.4
diff --git a/smoketest/configs/igmp-pim-small b/smoketest/configs/igmp-pim-small
new file mode 100644
index 000000000..f433ff8d7
--- /dev/null
+++ b/smoketest/configs/igmp-pim-small
@@ -0,0 +1,84 @@
+interfaces {
+    ethernet eth0 {
+        duplex auto
+        speed auto
+    }
+    ethernet eth1 {
+        address 100.64.0.1/24
+        duplex auto
+        speed auto
+    }
+    ethernet eth2 {
+        address 172.16.0.2/24
+        duplex auto
+        speed auto
+    }
+}
+protocols {
+    igmp {
+        interface eth1 {
+            join 224.1.0.0 {
+                source 1.1.1.1
+                source 1.1.1.2
+            }
+            query-interval 1000
+            query-max-response-time 30
+            version 2
+        }
+    }
+    pim {
+        interface eth1 {
+        }
+        interface eth2 {
+        }
+        rp {
+            address 172.16.255.1 {
+                group 224.0.0.0/4
+            }
+        }
+    }
+}
+system {
+    config-management {
+        commit-revisions 200
+    }
+    console {
+        device ttyS0 {
+            speed 115200
+        }
+    }
+    domain-name vyos.io
+    host-name vyos
+    login {
+        user vyos {
+            authentication {
+                encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+                plaintext-password ""
+            }
+        }
+    }
+    ntp {
+        server 0.pool.ntp.org {
+        }
+        server 1.pool.ntp.org {
+        }
+        server 2.pool.ntp.org {
+        }
+    }
+    syslog {
+        global {
+            facility all {
+                level info
+            }
+            facility protocols {
+                level debug
+            }
+        }
+    }
+    time-zone Europe/Berlin
+}
+
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@18:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@7:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.3.0
diff --git a/smoketest/configs/ospf-small b/smoketest/configs/ospf-small
index 767f4e21f..b3002b1af 100644
--- a/smoketest/configs/ospf-small
+++ b/smoketest/configs/ospf-small
@@ -81,6 +81,9 @@ service {
     lldp {
         interface all {
         }
+        snmp {
+            enable
+        }
     }
     snmp {
         community public {
diff --git a/smoketest/configs/pppoe-server b/smoketest/configs/pppoe-server
index bfbef4a34..ff5815e29 100644
--- a/smoketest/configs/pppoe-server
+++ b/smoketest/configs/pppoe-server
@@ -39,8 +39,9 @@ service {
             mode local
         }
         client-ip-pool {
-            start 192.168.0.100
-            stop 192.168.0.200
+            subnet 10.0.0.0/24
+            subnet 10.0.1.0/24
+            subnet 10.0.2.0/24
         }
         gateway-address 192.168.0.2
         interface eth1 {
diff --git a/smoketest/scripts/cli/base_accel_ppp_test.py b/smoketest/scripts/cli/base_accel_ppp_test.py
index 989028f64..1ea5db898 100644
--- a/smoketest/scripts/cli/base_accel_ppp_test.py
+++ b/smoketest/scripts/cli/base_accel_ppp_test.py
@@ -11,10 +11,10 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
 import re
 import unittest
 
+
 from base_vyostest_shim import VyOSUnitTestSHIM
 from configparser import ConfigParser
 
@@ -25,12 +25,12 @@ from vyos.utils.system import get_half_cpus
 from vyos.utils.process import process_named_running
 from vyos.utils.process import cmd
 
+
 class BasicAccelPPPTest:
     class TestCase(VyOSUnitTestSHIM.TestCase):
-
         @classmethod
         def setUpClass(cls):
-            cls._process_name = 'accel-pppd'
+            cls._process_name = "accel-pppd"
 
             super(BasicAccelPPPTest.TestCase, cls).setUpClass()
 
@@ -39,7 +39,7 @@ class BasicAccelPPPTest:
             cls.cli_delete(cls, cls._base_path)
 
         def setUp(self):
-            self._gateway = '192.0.2.1'
+            self._gateway = "192.0.2.1"
             # ensure we can also run this test on a live system - so lets clean
             # out the current configuration :)
             self.cli_delete(self._base_path)
@@ -60,84 +60,188 @@ class BasicAccelPPPTest:
         def delete(self, path):
             self.cli_delete(self._base_path + path)
 
-        def basic_config(self):
-            # PPPoE local auth mode requires local users to be configured!
-            self.set(['authentication', 'local-users', 'username', 'vyos', 'password', 'vyos'])
-            self.set(['authentication', 'mode', 'local'])
-            self.set(['gateway-address', self._gateway])
+        def basic_protocol_specific_config(self):
+            """
+            An astract method.
+            Initialize protocol scpecific configureations.
+            """
+            self.assertFalse(True, msg="Function must be defined")
+
+        def initial_auth_config(self):
+            """
+            Initialization of default authentication for all protocols
+            """
+            self.set(
+                [
+                    "authentication",
+                    "local-users",
+                    "username",
+                    "vyos",
+                    "password",
+                    "vyos",
+                ]
+            )
+            self.set(["authentication", "mode", "local"])
+
+        def initial_gateway_config(self):
+            """
+            Initialization of default gateway
+            """
+            self.set(["gateway-address", self._gateway])
+
+        def initial_pool_config(self):
+            """
+            Initialization of default client ip pool
+            """
+            first_pool = "SIMPLE-POOL"
+            self.set(["client-ip-pool", first_pool, "range", "192.0.2.0/24"])
+            self.set(["default-pool", first_pool])
+
+        def basic_config(self, is_auth=True, is_gateway=True, is_client_pool=True):
+            """
+            Initialization of basic configuration
+            :param is_auth: authentication initialization
+            :type is_auth: bool
+            :param is_gateway: gateway initialization
+            :type is_gateway: bool
+            :param is_client_pool: client ip pool initialization
+            :type is_client_pool: bool
+            """
+            self.basic_protocol_specific_config()
+            if is_auth:
+                self.initial_auth_config()
+            if is_gateway:
+                self.initial_gateway_config()
+            if is_client_pool:
+                self.initial_pool_config()
+
+        def getConfig(self, start, end="cli"):
+            """
+            Return part of configuration from line
+            where the first injection of start keyword to the line
+            where the first injection of end keyowrd
+            :param start: start keyword
+            :type start: str
+            :param end: end keyword
+            :type end: str
+            :return: part of config
+            :rtype: str
+            """
+            command = f'cat {self._config_file} | sed -n "/^\[{start}/,/^\[{end}/p"'
+            out = cmd(command)
+            return out
 
         def verify(self, conf):
-            self.assertEqual(conf['core']['thread-count'], str(get_half_cpus()))
+            self.assertEqual(conf["core"]["thread-count"], str(get_half_cpus()))
 
         def test_accel_name_servers(self):
             # Verify proper Name-Server configuration for IPv4 and IPv6
             self.basic_config()
 
-            nameserver = ['192.0.2.1', '192.0.2.2', '2001:db8::1']
+            nameserver = ["192.0.2.1", "192.0.2.2", "2001:db8::1"]
             for ns in nameserver:
-                self.set(['name-server', ns])
+                self.set(["name-server", ns])
 
             # commit changes
             self.cli_commit()
 
             # Validate configuration values
-            conf = ConfigParser(allow_no_value=True, delimiters='=')
+            conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
             conf.read(self._config_file)
 
             # IPv4 and IPv6 nameservers must be checked individually
             for ns in nameserver:
                 if is_ipv4(ns):
-                    self.assertIn(ns, [conf['dns']['dns1'], conf['dns']['dns2']])
+                    self.assertIn(ns, [conf["dns"]["dns1"], conf["dns"]["dns2"]])
                 else:
-                    self.assertEqual(conf['ipv6-dns'][ns], None)
+                    self.assertEqual(conf["ipv6-dns"][ns], None)
 
         def test_accel_local_authentication(self):
             # Test configuration of local authentication
             self.basic_config()
 
             # upload / download limit
-            user = 'test'
-            password = 'test2'
-            static_ip = '100.100.100.101'
-            upload = '5000'
-            download = '10000'
-
-            self.set(['authentication', 'local-users', 'username', user, 'password', password])
-            self.set(['authentication', 'local-users', 'username', user, 'static-ip', static_ip])
-            self.set(['authentication', 'local-users', 'username', user, 'rate-limit', 'upload', upload])
+            user = "test"
+            password = "test2"
+            static_ip = "100.100.100.101"
+            upload = "5000"
+            download = "10000"
+            self.set(
+                [
+                    "authentication",
+                    "local-users",
+                    "username",
+                    user,
+                    "password",
+                    password,
+                ]
+            )
+            self.set(
+                [
+                    "authentication",
+                    "local-users",
+                    "username",
+                    user,
+                    "static-ip",
+                    static_ip,
+                ]
+            )
+            self.set(
+                [
+                    "authentication",
+                    "local-users",
+                    "username",
+                    user,
+                    "rate-limit",
+                    "upload",
+                    upload,
+                ]
+            )
 
             # upload rate-limit requires also download rate-limit
             with self.assertRaises(ConfigSessionError):
                 self.cli_commit()
-            self.set(['authentication', 'local-users', 'username', user, 'rate-limit', 'download', download])
+            self.set(
+                [
+                    "authentication",
+                    "local-users",
+                    "username",
+                    user,
+                    "rate-limit",
+                    "download",
+                    download,
+                ]
+            )
 
             # commit changes
             self.cli_commit()
 
             # Validate configuration values
-            conf = ConfigParser(allow_no_value=True, delimiters='=')
+            conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
             conf.read(self._config_file)
 
             # check proper path to chap-secrets file
-            self.assertEqual(conf['chap-secrets']['chap-secrets'], self._chap_secrets)
+            self.assertEqual(conf["chap-secrets"]["chap-secrets"], self._chap_secrets)
 
             # basic verification
             self.verify(conf)
 
             # check local users
-            tmp = cmd(f'sudo cat {self._chap_secrets}')
-            regex = f'{user}\s+\*\s+{password}\s+{static_ip}\s+{download}/{upload}'
+            tmp = cmd(f"sudo cat {self._chap_secrets}")
+            regex = f"{user}\s+\*\s+{password}\s+{static_ip}\s+{download}/{upload}"
             tmp = re.findall(regex, tmp)
             self.assertTrue(tmp)
 
             # Check local-users default value(s)
-            self.delete(['authentication', 'local-users', 'username', user, 'static-ip'])
+            self.delete(
+                ["authentication", "local-users", "username", user, "static-ip"]
+            )
             # commit changes
             self.cli_commit()
 
             # check local users
-            tmp = cmd(f'sudo cat {self._chap_secrets}')
-            regex = f'{user}\s+\*\s+{password}\s+\*\s+{download}/{upload}'
+            tmp = cmd(f"sudo cat {self._chap_secrets}")
+            regex = f"{user}\s+\*\s+{password}\s+\*\s+{download}/{upload}"
             tmp = re.findall(regex, tmp)
             self.assertTrue(tmp)
 
@@ -145,74 +249,195 @@ class BasicAccelPPPTest:
             # Test configuration of RADIUS authentication for PPPoE server
             self.basic_config()
 
-            radius_server = '192.0.2.22'
-            radius_key = 'secretVyOS'
-            radius_port = '2000'
-            radius_port_acc = '3000'
-
-            self.set(['authentication', 'mode', 'radius'])
-            self.set(['authentication', 'radius', 'server', radius_server, 'key', radius_key])
-            self.set(['authentication', 'radius', 'server', radius_server, 'port', radius_port])
-            self.set(['authentication', 'radius', 'server', radius_server, 'acct-port', radius_port_acc])
-
-            coa_server = '4.4.4.4'
-            coa_key = 'testCoA'
-            self.set(['authentication', 'radius', 'dynamic-author', 'server', coa_server])
-            self.set(['authentication', 'radius', 'dynamic-author', 'key', coa_key])
-
-            nas_id = 'VyOS-PPPoE'
-            nas_ip = '7.7.7.7'
-            self.set(['authentication', 'radius', 'nas-identifier', nas_id])
-            self.set(['authentication', 'radius', 'nas-ip-address', nas_ip])
-
-            source_address = '1.2.3.4'
-            self.set(['authentication', 'radius', 'source-address', source_address])
+            radius_server = "192.0.2.22"
+            radius_key = "secretVyOS"
+            radius_port = "2000"
+            radius_port_acc = "3000"
+            acct_interim_jitter = '10'
+            acct_interim_interval = '10'
+            acct_timeout = '30'
+
+            self.set(["authentication", "mode", "radius"])
+            self.set(
+                ["authentication", "radius", "server", radius_server, "key", radius_key]
+            )
+            self.set(
+                [
+                    "authentication",
+                    "radius",
+                    "server",
+                    radius_server,
+                    "port",
+                    radius_port,
+                ]
+            )
+            self.set(
+                [
+                    "authentication",
+                    "radius",
+                    "server",
+                    radius_server,
+                    "acct-port",
+                    radius_port_acc,
+                ]
+            )
+            self.set(
+                [
+                    "authentication",
+                    "radius",
+                    "acct-interim-jitter",
+                    acct_interim_jitter,
+                ]
+            )
+            self.set(
+                [
+                    "authentication",
+                    "radius",
+                    "accounting-interim-interval",
+                    acct_interim_interval,
+                ]
+            )
+            self.set(
+                [
+                    "authentication",
+                    "radius",
+                    "acct-timeout",
+                    acct_timeout,
+                ]
+            )
+
+            coa_server = "4.4.4.4"
+            coa_key = "testCoA"
+            self.set(
+                ["authentication", "radius", "dynamic-author", "server", coa_server]
+            )
+            self.set(["authentication", "radius", "dynamic-author", "key", coa_key])
+
+            nas_id = "VyOS-PPPoE"
+            nas_ip = "7.7.7.7"
+            self.set(["authentication", "radius", "nas-identifier", nas_id])
+            self.set(["authentication", "radius", "nas-ip-address", nas_ip])
+
+            source_address = "1.2.3.4"
+            self.set(["authentication", "radius", "source-address", source_address])
 
             # commit changes
             self.cli_commit()
 
             # Validate configuration values
-            conf = ConfigParser(allow_no_value=True, delimiters='=')
+            conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
             conf.read(self._config_file)
 
             # basic verification
             self.verify(conf)
 
             # check auth
-            self.assertTrue(conf['radius'].getboolean('verbose'))
-            self.assertEqual(conf['radius']['acct-timeout'], '3')
-            self.assertEqual(conf['radius']['timeout'], '3')
-            self.assertEqual(conf['radius']['max-try'], '3')
-
-            self.assertEqual(conf['radius']['dae-server'], f'{coa_server}:1700,{coa_key}')
-            self.assertEqual(conf['radius']['nas-identifier'], nas_id)
-            self.assertEqual(conf['radius']['nas-ip-address'], nas_ip)
-            self.assertEqual(conf['radius']['bind'], source_address)
-
-            server = conf['radius']['server'].split(',')
+            self.assertTrue(conf["radius"].getboolean("verbose"))
+            self.assertEqual(conf["radius"]["acct-timeout"], acct_timeout)
+            self.assertEqual(conf["radius"]["acct-interim-interval"], acct_interim_interval)
+            self.assertEqual(conf["radius"]["acct-interim-jitter"], acct_interim_jitter)
+            self.assertEqual(conf["radius"]["timeout"], "3")
+            self.assertEqual(conf["radius"]["max-try"], "3")
+
+            self.assertEqual(
+                conf["radius"]["dae-server"], f"{coa_server}:1700,{coa_key}"
+            )
+            self.assertEqual(conf["radius"]["nas-identifier"], nas_id)
+            self.assertEqual(conf["radius"]["nas-ip-address"], nas_ip)
+            self.assertEqual(conf["radius"]["bind"], source_address)
+
+            server = conf["radius"]["server"].split(",")
             self.assertEqual(radius_server, server[0])
             self.assertEqual(radius_key, server[1])
-            self.assertEqual(f'auth-port={radius_port}', server[2])
-            self.assertEqual(f'acct-port={radius_port_acc}', server[3])
-            self.assertEqual(f'req-limit=0', server[4])
-            self.assertEqual(f'fail-time=0', server[5])
+            self.assertEqual(f"auth-port={radius_port}", server[2])
+            self.assertEqual(f"acct-port={radius_port_acc}", server[3])
+            self.assertEqual(f"req-limit=0", server[4])
+            self.assertEqual(f"fail-time=0", server[5])
 
             #
             # Disable Radius Accounting
             #
-            self.delete(['authentication', 'radius', 'server', radius_server, 'acct-port'])
-            self.set(['authentication', 'radius', 'server', radius_server, 'disable-accounting'])
+            self.delete(
+                ["authentication", "radius", "server", radius_server, "acct-port"]
+            )
+            self.set(
+                [
+                    "authentication",
+                    "radius",
+                    "server",
+                    radius_server,
+                    "disable-accounting",
+                ]
+            )
 
             # commit changes
             self.cli_commit()
 
             conf.read(self._config_file)
 
-            server = conf['radius']['server'].split(',')
+            server = conf["radius"]["server"].split(",")
             self.assertEqual(radius_server, server[0])
             self.assertEqual(radius_key, server[1])
-            self.assertEqual(f'auth-port={radius_port}', server[2])
-            self.assertEqual(f'acct-port=0', server[3])
-            self.assertEqual(f'req-limit=0', server[4])
-            self.assertEqual(f'fail-time=0', server[5])
+            self.assertEqual(f"auth-port={radius_port}", server[2])
+            self.assertEqual(f"acct-port=0", server[3])
+            self.assertEqual(f"req-limit=0", server[4])
+            self.assertEqual(f"fail-time=0", server[5])
+
+        def test_accel_ipv4_pool(self):
+            self.basic_config(is_gateway=False, is_client_pool=False)
+            gateway = "192.0.2.1"
+            subnet = "172.16.0.0/24"
+            first_pool = "POOL1"
+            second_pool = "POOL2"
+            range = "192.0.2.10-192.0.2.20"
+            range_config = "192.0.2.10-20"
+
+            self.set(["gateway-address", gateway])
+            self.set(["client-ip-pool", first_pool, "range", subnet])
+            self.set(["client-ip-pool", first_pool, "next-pool", second_pool])
+            self.set(["client-ip-pool", second_pool, "range", range])
+            self.set(["default-pool", first_pool])
+            # commit changes
+
+            self.cli_commit()
+
+            # Validate configuration values
+            conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
+            conf.read(self._config_file)
+
+            self.assertEqual(
+                f"{first_pool},next={second_pool}", conf["ip-pool"][f"{subnet},name"]
+            )
+            self.assertEqual(second_pool, conf["ip-pool"][f"{range_config},name"])
+            self.assertEqual(gateway, conf["ip-pool"]["gw-ip-address"])
+            self.assertEqual(first_pool, conf[self._protocol_section]["ip-pool"])
+
+        def test_accel_next_pool(self):
+            # T5099 required specific order
+            self.basic_config(is_gateway=False, is_client_pool=False)
+
+            gateway = "192.0.2.1"
+            first_pool = "VyOS-pool1"
+            first_subnet = "192.0.2.0/25"
+            second_pool = "Vyos-pool2"
+            second_subnet = "203.0.113.0/25"
+            third_pool = "Vyos-pool3"
+            third_subnet = "198.51.100.0/24"
+
+            self.set(["gateway-address", gateway])
+            self.set(["client-ip-pool", first_pool, "range", first_subnet])
+            self.set(["client-ip-pool", first_pool, "next-pool", second_pool])
+            self.set(["client-ip-pool", second_pool, "range", second_subnet])
+            self.set(["client-ip-pool", second_pool, "next-pool", third_pool])
+            self.set(["client-ip-pool", third_pool, "range", third_subnet])
+
+            # commit changes
+            self.cli_commit()
+
+            config = self.getConfig("ip-pool")
 
+            pool_config = f"""gw-ip-address={gateway}
+{third_subnet},name={third_pool}
+{second_subnet},name={second_pool},next={third_pool}
+{first_subnet},name={first_pool},next={second_pool}"""
+            self.assertIn(pool_config, config)
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index 51ccbc9e6..a40b762a8 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -12,9 +12,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
-import unittest
-
 from binascii import hexlify
 
 from netifaces import AF_INET
@@ -24,7 +21,6 @@ from netifaces import interfaces
 
 from base_vyostest_shim import VyOSUnitTestSHIM
 
-from vyos.configsession import ConfigSession
 from vyos.configsession import ConfigSessionError
 from vyos.defaults import directories
 from vyos.ifconfig import Interface
@@ -162,25 +158,37 @@ class BasicInterfaceTest:
             if not self._test_dhcp or not self._test_vrf:
                 self.skipTest('not supported')
 
+            client_id = 'VyOS-router'
             distance = '100'
+            hostname = 'vyos'
+            vendor_class_id = 'vyos-vendor'
+            user_class = 'vyos'
 
             for interface in self._interfaces:
                 for option in self._options.get(interface, []):
                     self.cli_set(self._base_path + [interface] + option.split())
 
                 self.cli_set(self._base_path + [interface, 'address', 'dhcp'])
+                self.cli_set(self._base_path + [interface, 'dhcp-options', 'client-id', client_id])
                 self.cli_set(self._base_path + [interface, 'dhcp-options', 'default-route-distance', distance])
+                self.cli_set(self._base_path + [interface, 'dhcp-options', 'host-name', hostname])
+                self.cli_set(self._base_path + [interface, 'dhcp-options', 'vendor-class-id', vendor_class_id])
+                self.cli_set(self._base_path + [interface, 'dhcp-options', 'user-class', user_class])
 
             self.cli_commit()
 
             for interface in self._interfaces:
                 # Check if dhclient process runs
-                dhclient_pid = process_named_running(dhclient_process_name, cmdline=interface)
+                dhclient_pid = process_named_running(dhclient_process_name, cmdline=interface, timeout=10)
                 self.assertTrue(dhclient_pid)
 
                 dhclient_config = read_file(f'{dhclient_base_dir}/dhclient_{interface}.conf')
-                self.assertIn('request subnet-mask, broadcast-address, routers, domain-name-servers', dhclient_config)
-                self.assertIn('require subnet-mask;', dhclient_config)
+                self.assertIn(f'request subnet-mask, broadcast-address, routers, domain-name-servers', dhclient_config)
+                self.assertIn(f'require subnet-mask;', dhclient_config)
+                self.assertIn(f'send host-name "{hostname}";', dhclient_config)
+                self.assertIn(f'send dhcp-client-identifier "{client_id}";', dhclient_config)
+                self.assertIn(f'send vendor-class-identifier "{vendor_class_id}";', dhclient_config)
+                self.assertIn(f'send user-class "{user_class}";', dhclient_config)
 
                 # and the commandline has the appropriate options
                 cmdline = read_file(f'/proc/{dhclient_pid}/cmdline')
@@ -208,7 +216,7 @@ class BasicInterfaceTest:
                 self.assertEqual(tmp, vrf_name)
 
                 # Check if dhclient process runs
-                dhclient_pid = process_named_running(dhclient_process_name, cmdline=interface)
+                dhclient_pid = process_named_running(dhclient_process_name, cmdline=interface, timeout=10)
                 self.assertTrue(dhclient_pid)
                 # .. inside the appropriate VRF instance
                 vrf_pids = cmd(f'ip vrf pids {vrf_name}')
@@ -243,7 +251,7 @@ class BasicInterfaceTest:
                 self.assertEqual(tmp, vrf_name)
 
                 # Check if dhclient process runs
-                tmp = process_named_running(dhcp6c_process_name, cmdline=interface)
+                tmp = process_named_running(dhcp6c_process_name, cmdline=interface, timeout=10)
                 self.assertTrue(tmp)
                 # .. inside the appropriate VRF instance
                 vrf_pids = cmd(f'ip vrf pids {vrf_name}')
@@ -404,10 +412,9 @@ class BasicInterfaceTest:
 
             for intf in self._interfaces:
                 base = self._base_path + [intf]
-                self.cli_set(base + ['mtu', self._mtu])
-
                 for option in self._options.get(intf, []):
                     self.cli_set(base + option.split())
+                self.cli_set(base + ['mtu', self._mtu])
 
             # check validate() - can not set low MTU if 'no-default-link-local'
             # is not set on CLI
@@ -938,7 +945,7 @@ class BasicInterfaceTest:
                 duid_base += 1
 
                 # Better ask the process about it's commandline in the future
-                pid = process_named_running(dhcp6c_process_name, cmdline=interface)
+                pid = process_named_running(dhcp6c_process_name, cmdline=interface, timeout=10)
                 self.assertTrue(pid)
 
                 dhcp6c_options = read_file(f'/proc/{pid}/cmdline')
@@ -997,7 +1004,7 @@ class BasicInterfaceTest:
                     address = str(int(address) + 1)
 
                 # Check for running process
-                self.assertTrue(process_named_running(dhcp6c_process_name, cmdline=interface))
+                self.assertTrue(process_named_running(dhcp6c_process_name, cmdline=interface, timeout=10))
 
             for delegatee in delegatees:
                 # we can already cleanup the test delegatee interface here
@@ -1063,7 +1070,7 @@ class BasicInterfaceTest:
                     address = str(int(address) + 1)
 
                 # Check for running process
-                self.assertTrue(process_named_running(dhcp6c_process_name, cmdline=interface))
+                self.assertTrue(process_named_running(dhcp6c_process_name, cmdline=interface, timeout=10))
 
             for delegatee in delegatees:
                 # we can already cleanup the test delegatee interface here
diff --git a/smoketest/scripts/cli/base_vyostest_shim.py b/smoketest/scripts/cli/base_vyostest_shim.py
index f694f539d..140642806 100644
--- a/smoketest/scripts/cli/base_vyostest_shim.py
+++ b/smoketest/scripts/cli/base_vyostest_shim.py
@@ -78,9 +78,10 @@ class VyOSUnitTestSHIM:
             while run(f'sudo lsof -nP {commit_lock}') == 0:
                 sleep(0.250)
 
-        def getFRRconfig(self, string, end='$', endsection='^!', daemon=''):
+        def getFRRconfig(self, string=None, end='$', endsection='^!', daemon=''):
             """ Retrieve current "running configuration" from FRR """
-            command = f'vtysh -c "show run {daemon} no-header" | sed -n "/^{string}{end}/,/{endsection}/p"'
+            command = f'vtysh -c "show run {daemon} no-header"'
+            if string: command += f' | sed -n "/^{string}{end}/,/{endsection}/p"'
             out = cmd(command)
             if self.debug:
                 import pprint
diff --git a/smoketest/scripts/cli/test_component_version.py b/smoketest/scripts/cli/test_component_version.py
deleted file mode 100755
index 7b1b12c53..000000000
--- a/smoketest/scripts/cli/test_component_version.py
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2022 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import unittest
-
-import vyos.component_version as component_version
-
-# After T3474, component versions should be updated in the files in
-# vyos-1x/interface-definitions/include/version/
-# This test verifies that the legacy version in curver_DATA does not exceed
-# that in the xml cache.
-class TestComponentVersion(unittest.TestCase):
-    def setUp(self):
-        self.legacy_d = component_version.legacy_from_system()
-        self.xml_d = component_version.from_system()
-        self.set_legacy_d = set(self.legacy_d)
-        self.set_xml_d = set(self.xml_d)
-
-    def test_component_version(self):
-        bool_issubset = (self.set_legacy_d.issubset(self.set_xml_d))
-        if not bool_issubset:
-            missing = self.set_legacy_d.difference(self.set_xml_d)
-            print(f'\n\ncomponents in legacy but not in XML: {missing}')
-            print('new components must be listed in xml-component-version.xml.in')
-        self.assertTrue(bool_issubset)
-
-        bad_component_version = False
-        for k, v in self.legacy_d.items():
-            bool_inequality = (v <= self.xml_d[k])
-            if not bool_inequality:
-                print(f'\n\n{k} has not been updated in XML component versions:')
-                print(f'legacy version {v}; XML version {self.xml_d[k]}')
-                bad_component_version = True
-        self.assertFalse(bad_component_version)
-
-if __name__ == '__main__':
-    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_container.py b/smoketest/scripts/cli/test_container.py
index b43c05fae..cdf46a6e1 100755
--- a/smoketest/scripts/cli/test_container.py
+++ b/smoketest/scripts/cli/test_container.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -19,6 +19,7 @@ import glob
 import json
 
 from base_vyostest_shim import VyOSUnitTestSHIM
+from ipaddress import ip_interface
 
 from vyos.configsession import ConfigSessionError
 from vyos.utils.process import cmd
@@ -27,8 +28,6 @@ from vyos.utils.file import read_file
 
 base_path = ['container']
 cont_image = 'busybox:stable' # busybox is included in vyos-build
-prefix = '192.168.205.0/24'
-net_name = 'NET01'
 PROCESS_NAME = 'conmon'
 PROCESS_PIDFILE = '/run/vyos-container-{0}.service.pid'
 
@@ -37,10 +36,8 @@ busybox_image_path = '/usr/share/vyos/busybox-stable.tar'
 def cmd_to_json(command):
     c = cmd(command + ' --format=json')
     data = json.loads(c)[0]
-
     return data
 
-
 class TestContainer(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
@@ -52,6 +49,10 @@ class TestContainer(VyOSUnitTestSHIM.TestCase):
         except:
             cls.skipTest(cls, reason='busybox image not available')
 
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
     @classmethod
     def tearDownClass(cls):
         super(TestContainer, cls).tearDownClass()
@@ -70,7 +71,7 @@ class TestContainer(VyOSUnitTestSHIM.TestCase):
         units = glob.glob('/run/systemd/system/vyos-container-*')
         self.assertEqual(units, [])
 
-    def test_01_basic_container(self):
+    def test_basic(self):
         cont_name = 'c1'
 
         self.cli_set(['interfaces', 'ethernet', 'eth0', 'address', '10.0.2.15/24'])
@@ -91,24 +92,101 @@ class TestContainer(VyOSUnitTestSHIM.TestCase):
         # Check for running process
         self.assertEqual(process_named_running(PROCESS_NAME), pid)
 
-    def test_02_container_network(self):
-        cont_name = 'c2'
-        cont_ip = '192.168.205.25'
+    def test_ipv4_network(self):
+        prefix = '192.0.2.0/24'
+        base_name = 'ipv4'
+        net_name = 'NET01'
+
         self.cli_set(base_path + ['network', net_name, 'prefix', prefix])
-        self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
-        self.cli_set(base_path + ['name', cont_name, 'network', net_name, 'address', cont_ip])
 
-        # commit changes
+        for ii in range(1, 6):
+            name = f'{base_name}-{ii}'
+            self.cli_set(base_path + ['name', name, 'image', cont_image])
+            self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix).ip + ii)])
+
+        # verify() - first IP address of a prefix can not be used by a container
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        tmp = f'{base_name}-1'
+        self.cli_delete(base_path + ['name', tmp])
         self.cli_commit()
 
         n = cmd_to_json(f'sudo podman network inspect {net_name}')
-        json_subnet = n['subnets'][0]['subnet']
+        self.assertEqual(n['subnets'][0]['subnet'], prefix)
 
-        c = cmd_to_json(f'sudo podman container inspect {cont_name}')
-        json_ip = c['NetworkSettings']['Networks'][net_name]['IPAddress']
+        # skipt first container, it was never created
+        for ii in range(2, 6):
+            name = f'{base_name}-{ii}'
+            c = cmd_to_json(f'sudo podman container inspect {name}')
+            self.assertEqual(c['NetworkSettings']['Networks'][net_name]['Gateway']  , str(ip_interface(prefix).ip + 1))
+            self.assertEqual(c['NetworkSettings']['Networks'][net_name]['IPAddress'], str(ip_interface(prefix).ip + ii))
 
-        self.assertEqual(json_subnet, prefix)
-        self.assertEqual(json_ip, cont_ip)
+    def test_ipv6_network(self):
+        prefix = '2001:db8::/64'
+        base_name = 'ipv6'
+        net_name = 'NET02'
+
+        self.cli_set(base_path + ['network', net_name, 'prefix', prefix])
+
+        for ii in range(1, 6):
+            name = f'{base_name}-{ii}'
+            self.cli_set(base_path + ['name', name, 'image', cont_image])
+            self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix).ip + ii)])
+
+        # verify() - first IP address of a prefix can not be used by a container
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        tmp = f'{base_name}-1'
+        self.cli_delete(base_path + ['name', tmp])
+        self.cli_commit()
+
+        n = cmd_to_json(f'sudo podman network inspect {net_name}')
+        self.assertEqual(n['subnets'][0]['subnet'], prefix)
+
+        # skipt first container, it was never created
+        for ii in range(2, 6):
+            name = f'{base_name}-{ii}'
+            c = cmd_to_json(f'sudo podman container inspect {name}')
+            self.assertEqual(c['NetworkSettings']['Networks'][net_name]['IPv6Gateway']      , str(ip_interface(prefix).ip + 1))
+            self.assertEqual(c['NetworkSettings']['Networks'][net_name]['GlobalIPv6Address'], str(ip_interface(prefix).ip + ii))
+
+    def test_dual_stack_network(self):
+        prefix4 = '192.0.2.0/24'
+        prefix6 = '2001:db8::/64'
+        base_name = 'dual-stack'
+        net_name = 'net-4-6'
+
+        self.cli_set(base_path + ['network', net_name, 'prefix', prefix4])
+        self.cli_set(base_path + ['network', net_name, 'prefix', prefix6])
+
+        for ii in range(1, 6):
+            name = f'{base_name}-{ii}'
+            self.cli_set(base_path + ['name', name, 'image', cont_image])
+            self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix4).ip + ii)])
+            self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix6).ip + ii)])
+
+        # verify() - first IP address of a prefix can not be used by a container
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        tmp = f'{base_name}-1'
+        self.cli_delete(base_path + ['name', tmp])
+        self.cli_commit()
+
+        n = cmd_to_json(f'sudo podman network inspect {net_name}')
+        self.assertEqual(n['subnets'][0]['subnet'], prefix4)
+        self.assertEqual(n['subnets'][1]['subnet'], prefix6)
+
+        # skipt first container, it was never created
+        for ii in range(2, 6):
+            name = f'{base_name}-{ii}'
+            c = cmd_to_json(f'sudo podman container inspect {name}')
+            self.assertEqual(c['NetworkSettings']['Networks'][net_name]['IPv6Gateway']      , str(ip_interface(prefix6).ip + 1))
+            self.assertEqual(c['NetworkSettings']['Networks'][net_name]['GlobalIPv6Address'], str(ip_interface(prefix6).ip + ii))
+            self.assertEqual(c['NetworkSettings']['Networks'][net_name]['Gateway']          , str(ip_interface(prefix4).ip + 1))
+            self.assertEqual(c['NetworkSettings']['Networks'][net_name]['IPAddress']        , str(ip_interface(prefix4).ip + ii))
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_dependency_graph.py b/smoketest/scripts/cli/test_dependency_graph.py
deleted file mode 100755
index 45a40acc4..000000000
--- a/smoketest/scripts/cli/test_dependency_graph.py
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2022 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import json
-import unittest
-from graphlib import TopologicalSorter, CycleError
-
-DEP_FILE = '/usr/share/vyos/config-mode-dependencies.json'
-
-def graph_from_dict(d):
-    g = {}
-    for k in list(d):
-        g[k] = set()
-        # add the dependencies for every sub-case; should there be cases
-        # that are mutally exclusive in the future, the graphs will be
-        # distinguished
-        for el in list(d[k]):
-            g[k] |= set(d[k][el])
-    return g
-
-class TestDependencyGraph(unittest.TestCase):
-    def setUp(self):
-        with open(DEP_FILE) as f:
-            dd = json.load(f)
-            self.dependency_graph = graph_from_dict(dd)
-
-    def test_cycles(self):
-        ts = TopologicalSorter(self.dependency_graph)
-        out = None
-        try:
-            # get node iterator
-            order = ts.static_order()
-            # try iteration
-            _ = [*order]
-        except CycleError as e:
-            out = e.args
-
-        self.assertIsNone(out)
-
-if __name__ == '__main__':
-    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 6f9093f4d..f74a33566 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -148,7 +148,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'accept'])
-        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'interface-group', '!smoketest_interface'])
+        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'group', '!smoketest_interface'])
 
         self.cli_commit()
 
@@ -209,28 +209,29 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         conn_mark = '555'
 
         self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'default-log'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log', 'enable'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log-options', 'level', 'debug'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'ttl', 'eq', '15'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'protocol', 'tcp'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'destination', 'port', '8888'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log', 'enable'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log-options', 'level', 'err'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'ttl', 'gt', '102'])
 
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
+        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-log'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'protocol', 'tcp'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'destination', 'port', '22'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'limit', 'rate', '5/minute'])
-        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'log', 'disable'])
+        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'log'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'drop'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'protocol', 'tcp'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'destination', 'port', '22'])
@@ -243,15 +244,16 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'flags', 'syn'])
         self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'mss', mss_range])
         self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'packet-type', 'broadcast'])
-        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'inbound-interface', 'interface-name', interface_wc])
+        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'inbound-interface', 'name', interface_wc])
         self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'action', 'return'])
         self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'protocol', 'gre'])
         self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'connection-mark', conn_mark])
 
-        self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'default-action', 'accept'])
+        self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'default-action', 'drop'])
+        self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'default-log'])
         self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'action', 'drop'])
         self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'protocol', 'gre'])
-        self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'outbound-interface', 'interface-name', interface_inv])
+        self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'outbound-interface', 'name', interface_inv])
         self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'action', 'return'])
         self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'protocol', 'icmp'])
         self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark])
@@ -262,21 +264,23 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 
         nftables_search = [
             ['chain VYOS_FORWARD_filter'],
-            ['type filter hook forward priority filter; policy drop;'],
+            ['type filter hook forward priority filter; policy accept;'],
             ['tcp dport 22', 'limit rate 5/minute', 'accept'],
             ['tcp dport 22', 'add @RECENT_FWD_filter_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'],
+            ['log prefix "[ipv4-FWD-filter-default-D]"','FWD-filter default-action drop', 'drop'],
             ['chain VYOS_INPUT_filter'],
             ['type filter hook input priority filter; policy accept;'],
             ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface_wc}"', 'meta pkttype broadcast', 'accept'],
             ['meta l4proto gre', f'ct mark {mark_hex}', 'return'],
+            ['INP-filter default-action accept', 'accept'],
             ['chain VYOS_OUTPUT_filter'],
             ['type filter hook output priority filter; policy accept;'],
             ['meta l4proto gre', f'oifname != "{interface}"', 'drop'],
             ['meta l4proto icmp', f'ct mark {mark_hex}', 'return'],
             ['chain NAME_smoketest'],
-            ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'accept'],
-            ['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'],
-            ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop']
+            ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[ipv4-NAM-smoketest-1-A]" log level debug', 'ip ttl 15', 'accept'],
+            ['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[ipv4-NAM-smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'],
+            ['log prefix "[ipv4-smoketest-default-D]"','smoketest default-action', 'drop']
         ]
 
         self.verify_nftables(nftables_search, 'ip vyos_filter')
@@ -287,7 +291,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         interface = 'eth0'
 
         self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'default-log'])
 
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'action', 'accept'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '64'])
@@ -295,7 +299,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '1024'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '17'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '52'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log', 'enable'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'group', '66'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000'])
@@ -308,10 +312,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
+        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'mark', '1010'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
 
         self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp'])
+        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'mark', '!98765'])
         self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'action', 'queue'])
         self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'queue', '3'])
         self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
@@ -324,16 +330,18 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 
         nftables_search = [
             ['chain VYOS_FORWARD_filter'],
-            ['type filter hook forward priority filter; policy drop;'],
-            ['ip saddr 198.51.100.1', f'jump NAME_{name}'],
+            ['type filter hook forward priority filter; policy accept;'],
+            ['ip saddr 198.51.100.1', 'meta mark 0x000003f2', f'jump NAME_{name}'],
+            ['FWD-filter default-action drop', 'drop'],
             ['chain VYOS_INPUT_filter'],
             ['type filter hook input priority filter; policy accept;'],
-            [f'meta l4proto tcp','queue to 3'],
-            [f'meta l4proto udp','queue flags bypass,fanout to 0-15'],
+            ['meta mark != 0x000181cd', 'meta l4proto tcp','queue to 3'],
+            ['meta l4proto udp','queue flags bypass,fanout to 0-15'],
+            ['INP-filter default-action accept', 'accept'],
             [f'chain NAME_{name}'],
-            ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'accept'],
+            ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[ipv4-NAM-{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'accept'],
             ['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'accept'],
-            [f'log prefix "[{name}-default-D]"', 'drop']
+            [f'log prefix "[ipv4-{name}-default-D]"', 'drop']
         ]
 
         self.verify_nftables(nftables_search, 'ip vyos_filter')
@@ -345,7 +353,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'group', 'address-group', 'mask_group', 'address', '1.1.1.1'])
 
         self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'default-log'])
 
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'drop'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2'])
@@ -374,30 +382,36 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         name = 'v6-smoketest'
         interface = 'eth0'
 
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop'])
+
         self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
-        self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log'])
+        self.cli_set(['firewall', 'ipv6', 'name', name, 'default-log'])
 
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'accept'])
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1'])
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '2002::1:1'])
-        self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log', 'enable'])
+        self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log'])
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log-options', 'level', 'crit'])
 
         self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'default-action', 'accept'])
+        self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'default-log'])
         self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'action', 'reject'])
         self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'protocol', 'tcp_udp'])
         self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'destination', 'port', '8888'])
-        self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'inbound-interface', 'interface-name', interface])
+        self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'inbound-interface', 'name', interface])
 
         self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'default-action', 'drop'])
+        self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'default-log'])
         self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'action', 'return'])
         self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'protocol', 'gre'])
-        self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'outbound-interface', 'interface-name', interface])
+        self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'outbound-interface', 'name', interface])
 
         self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'action', 'accept'])
         self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
         self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'source', 'address', '2002::1:2'])
-        self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'inbound-interface', 'interface-name', interface])
+        self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'inbound-interface', 'name', interface])
 
         self.cli_commit()
 
@@ -405,15 +419,23 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
             ['chain VYOS_IPV6_FORWARD_filter'],
             ['type filter hook forward priority filter; policy accept;'],
             ['meta l4proto { tcp, udp }', 'th dport 8888', f'iifname "{interface}"', 'reject'],
+            ['log prefix "[ipv6-FWD-filter-default-A]"','FWD-filter default-action accept', 'accept'],
             ['chain VYOS_IPV6_INPUT_filter'],
             ['type filter hook input priority filter; policy accept;'],
             ['meta l4proto udp', 'ip6 saddr 2002::1:2', f'iifname "{interface}"', 'accept'],
+            ['INP-filter default-action accept', 'accept'],
             ['chain VYOS_IPV6_OUTPUT_filter'],
-            ['type filter hook output priority filter; policy drop;'],
+            ['type filter hook output priority filter; policy accept;'],
             ['meta l4proto gre', f'oifname "{interface}"', 'return'],
+            ['log prefix "[ipv6-OUT-filter-default-D]"','OUT-filter default-action drop', 'drop'],
             [f'chain NAME6_{name}'],
-            ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" log level crit', 'accept'],
-            [f'"{name} default-action drop"', f'log prefix "[{name}-default-D]"', 'drop']
+            ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
+            [f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop'],
+            ['jump VYOS_STATE_POLICY6'],
+            ['chain VYOS_STATE_POLICY6'],
+            ['ct state established', 'accept'],
+            ['ct state invalid', 'drop'],
+            ['ct state related', 'accept']
         ]
 
         self.verify_nftables(nftables_search, 'ip6 vyos_filter')
@@ -424,7 +446,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         interface = 'eth0'
 
         self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
-        self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log'])
+        self.cli_set(['firewall', 'ipv6', 'name', name, 'default-log'])
 
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'action', 'accept'])
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '65'])
@@ -455,7 +477,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
             ['ip6 saddr 2001:db8::/64', f'jump NAME6_{name}'],
             [f'chain NAME6_{name}'],
             ['ip6 length { 65, 513, 1025 }', 'ip6 dscp { af21, 0x35 }', 'accept'],
-            [f'log prefix "[{name}-default-D]"', 'drop']
+            [f'log prefix "[ipv6-{name}-default-D]"', 'drop']
         ]
 
         self.verify_nftables(nftables_search, 'ip6 vyos_filter')
@@ -467,7 +489,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'group', 'ipv6-address-group', 'mask_group', 'address', '::beef'])
 
         self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
-        self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log'])
+        self.cli_set(['firewall', 'ipv6', 'name', name, 'default-log'])
 
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'drop'])
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '::1111:2222:3333:4444'])
@@ -495,20 +517,27 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         name = 'smoketest-state'
         interface = 'eth0'
 
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop'])
+
         self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established', 'enable'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'related', 'enable'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'related'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid', 'enable'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'accept'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new', 'enable'])
-
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'action', 'accept'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new', 'enable'])
-        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established', 'enable'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'action', 'accept'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'state', 'related'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'conntrack-helper', 'ftp'])
+        self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'conntrack-helper', 'pptp'])
 
         self.cli_commit()
 
@@ -517,7 +546,13 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
             ['ct state invalid', 'reject'],
             ['ct state new', 'ct status dnat', 'accept'],
             ['ct state { established, new }', 'ct status snat', 'accept'],
-            ['drop', f'comment "{name} default-action drop"']
+            ['ct state related', 'ct helper { "ftp", "pptp" }', 'accept'],
+            ['drop', f'comment "{name} default-action drop"'],
+            ['jump VYOS_STATE_POLICY'],
+            ['chain VYOS_STATE_POLICY'],
+            ['ct state established', 'accept'],
+            ['ct state invalid', 'drop'],
+            ['ct state related', 'accept']
         ]
 
         self.verify_nftables(nftables_search, 'ip vyos_filter')
@@ -526,6 +561,42 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.verify_nftables_chain([['accept']], 'raw', 'FW_CONNTRACK')
         self.verify_nftables_chain([['return']], 'ip6 raw', 'FW_CONNTRACK')
 
+    def test_bridge_basic_rules(self):
+        name = 'smoketest'
+        interface_in = 'eth0'
+        mac_address = '00:53:00:00:00:01'
+        vlan_id = '12'
+        vlan_prior = '3'
+
+        self.cli_set(['firewall', 'bridge', 'name', name, 'default-action', 'accept'])
+        self.cli_set(['firewall', 'bridge', 'name', name, 'default-log'])
+        self.cli_set(['firewall', 'bridge', 'name', name, 'rule', '1', 'action', 'accept'])
+        self.cli_set(['firewall', 'bridge', 'name', name, 'rule', '1', 'source', 'mac-address', mac_address])
+        self.cli_set(['firewall', 'bridge', 'name', name, 'rule', '1', 'inbound-interface', 'name', interface_in])
+        self.cli_set(['firewall', 'bridge', 'name', name, 'rule', '1', 'log'])
+        self.cli_set(['firewall', 'bridge', 'name', name, 'rule', '1', 'log-options', 'level', 'crit'])
+
+        self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'default-action', 'drop'])
+        self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'default-log'])
+        self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'action', 'accept'])
+        self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'vlan', 'id', vlan_id])
+        self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'action', 'jump'])
+        self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'jump-target', name])
+        self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'vlan', 'priority', vlan_prior])
+
+        self.cli_commit()
+
+        nftables_search = [
+            ['chain VYOS_FORWARD_filter'],
+            ['type filter hook forward priority filter; policy drop;'],
+            [f'vlan id {vlan_id}', 'accept'],
+            [f'vlan pcp {vlan_prior}', f'jump NAME_{name}'],
+            [f'chain NAME_{name}'],
+            [f'ether saddr {mac_address}', f'iifname "{interface_in}"', f'log prefix "[bri-NAM-{name}-1-A]" log level crit', 'accept']
+        ]
+
+        self.verify_nftables(nftables_search, 'bridge vyos_filter')
+
     def test_source_validation(self):
         # Strict
         self.cli_set(['firewall', 'global-options', 'source-validation', 'strict'])
@@ -568,5 +639,125 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
                 with open(path, 'r') as f:
                     self.assertNotEqual(f.read().strip(), conf['default'], msg=path)
 
+### Zone
+    def test_zone_basic(self):
+        self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'default-action', 'drop'])
+        self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'interface', 'eth0'])
+        self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'from', 'smoketest-local', 'firewall', 'name', 'smoketest'])
+        self.cli_set(['firewall', 'zone', 'smoketest-local', 'local-zone'])
+        self.cli_set(['firewall', 'zone', 'smoketest-local', 'from', 'smoketest-eth0', 'firewall', 'name', 'smoketest'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'log'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop'])
+
+        self.cli_commit()
+
+        nftables_search = [
+            ['chain VYOS_ZONE_FORWARD'],
+            ['type filter hook forward priority filter + 1'],
+            ['chain VYOS_ZONE_OUTPUT'],
+            ['type filter hook output priority filter + 1'],
+            ['chain VYOS_ZONE_LOCAL'],
+            ['type filter hook input priority filter + 1'],
+            ['chain VZONE_smoketest-eth0'],
+            ['chain VZONE_smoketest-local_IN'],
+            ['chain VZONE_smoketest-local_OUT'],
+            ['oifname "eth0"', 'jump VZONE_smoketest-eth0'],
+            ['jump VZONE_smoketest-local_IN'],
+            ['jump VZONE_smoketest-local_OUT'],
+            ['iifname "eth0"', 'jump NAME_smoketest'],
+            ['oifname "eth0"', 'jump NAME_smoketest'],
+            ['jump VYOS_STATE_POLICY'],
+            ['chain VYOS_STATE_POLICY'],
+            ['ct state established', 'log prefix "[STATE-POLICY-EST-A]"', 'accept'],
+            ['ct state invalid', 'drop'],
+            ['ct state related', 'accept']
+        ]
+
+        nftables_output = cmd('sudo nft list table ip vyos_filter')
+
+        for search in nftables_search:
+            matched = False
+            for line in nftables_output.split("\n"):
+                if all(item in line for item in search):
+                    matched = True
+                    break
+            self.assertTrue(matched)
+
+    def test_flow_offload(self):
+        self.cli_set(['firewall', 'flowtable', 'smoketest', 'interface', 'eth0'])
+        self.cli_set(['firewall', 'flowtable', 'smoketest', 'offload', 'hardware'])
+
+        # QEMU virtual NIC does not support hw-tc-offload
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        self.cli_set(['firewall', 'flowtable', 'smoketest', 'offload', 'software'])
+
+        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'offload'])
+        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'offload-target', 'smoketest'])
+        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'protocol', 'tcp_udp'])
+        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'state', 'established'])
+        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'state', 'related'])
+
+        self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '1', 'action', 'offload'])
+        self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '1', 'offload-target', 'smoketest'])
+        self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '1', 'protocol', 'tcp_udp'])
+        self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '1', 'state', 'established'])
+        self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '1', 'state', 'related'])
+
+        self.cli_commit()
+
+        nftables_search = [
+            ['flowtable VYOS_FLOWTABLE_smoketest'],
+            ['hook ingress priority filter'],
+            ['devices = { eth0 }'],
+            ['ct state { established, related }', 'meta l4proto { tcp, udp }', 'flow add @VYOS_FLOWTABLE_smoketest'],
+        ]
+
+        self.verify_nftables(nftables_search, 'ip vyos_filter')
+        self.verify_nftables(nftables_search, 'ip6 vyos_filter')
+
+        # Check conntrack
+        #self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK')
+        #self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK')
+
+    def test_zone_flow_offload(self):
+        self.cli_set(['firewall', 'flowtable', 'smoketest', 'interface', 'eth0'])
+        self.cli_set(['firewall', 'flowtable', 'smoketest', 'offload', 'hardware'])
+
+        # QEMU virtual NIC does not support hw-tc-offload
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        self.cli_set(['firewall', 'flowtable', 'smoketest', 'offload', 'software'])
+
+        self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'offload'])
+        self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'offload-target', 'smoketest'])
+
+        self.cli_set(['firewall', 'ipv6', 'name', 'smoketest', 'rule', '1', 'action', 'offload'])
+        self.cli_set(['firewall', 'ipv6', 'name', 'smoketest', 'rule', '1', 'offload-target', 'smoketest'])
+
+        self.cli_commit()
+
+        nftables_search = [
+            ['chain NAME_smoketest'],
+            ['flow add @VYOS_FLOWTABLE_smoketest']
+        ]
+
+        self.verify_nftables(nftables_search, 'ip vyos_filter')
+
+        nftables_search = [
+            ['chain NAME6_smoketest'],
+            ['flow add @VYOS_FLOWTABLE_smoketest']
+        ]
+
+        self.verify_nftables(nftables_search, 'ip6 vyos_filter')
+
+        # Check conntrack
+        #self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK')
+        #self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK')
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_ha_virtual_server.py b/smoketest/scripts/cli/test_high-availability_virtual-server.py
index 51ccfa4df..51ccfa4df 100755
--- a/smoketest/scripts/cli/test_ha_virtual_server.py
+++ b/smoketest/scripts/cli/test_high-availability_virtual-server.py
diff --git a/smoketest/scripts/cli/test_ha_vrrp.py b/smoketest/scripts/cli/test_high-availability_vrrp.py
index 98259d830..98259d830 100755
--- a/smoketest/scripts/cli/test_ha_vrrp.py
+++ b/smoketest/scripts/cli/test_high-availability_vrrp.py
diff --git a/smoketest/scripts/cli/test_interfaces_bonding.py b/smoketest/scripts/cli/test_interfaces_bonding.py
index 8867cb427..419de774a 100755
--- a/smoketest/scripts/cli/test_interfaces_bonding.py
+++ b/smoketest/scripts/cli/test_interfaces_bonding.py
@@ -241,5 +241,45 @@ class BondingInterfaceTest(BasicInterfaceTest.TestCase):
             for member in self._members:
                 self.assertIn(member, slaves)
 
+    def test_bonding_evpn_multihoming(self):
+        id = '5'
+        for interface in self._interfaces:
+            for option in self._options.get(interface, []):
+                self.cli_set(self._base_path + [interface] + option.split())
+
+            self.cli_set(self._base_path + [interface, 'evpn', 'es-id', id])
+            self.cli_set(self._base_path + [interface, 'evpn', 'es-df-pref', id])
+            self.cli_set(self._base_path + [interface, 'evpn', 'es-sys-mac', f'00:12:34:56:78:0{id}'])
+            self.cli_set(self._base_path + [interface, 'evpn', 'uplink'])
+
+            id = int(id) + 1
+
+        self.cli_commit()
+
+        id = '5'
+        for interface in self._interfaces:
+            frrconfig = self.getFRRconfig(f'interface {interface}', daemon='zebra')
+
+            self.assertIn(f' evpn mh es-id {id}', frrconfig)
+            self.assertIn(f' evpn mh es-df-pref {id}', frrconfig)
+            self.assertIn(f' evpn mh es-sys-mac 00:12:34:56:78:0{id}', frrconfig)
+            self.assertIn(f' evpn mh uplink', frrconfig)
+
+            id = int(id) + 1
+
+        for interface in self._interfaces:
+            self.cli_delete(self._base_path + [interface, 'evpn', 'es-id'])
+            self.cli_delete(self._base_path + [interface, 'evpn', 'es-df-pref'])
+
+        self.cli_commit()
+
+        id = '5'
+        for interface in self._interfaces:
+            frrconfig = self.getFRRconfig(f'interface {interface}', daemon='zebra')
+            self.assertIn(f' evpn mh es-sys-mac 00:12:34:56:78:0{id}', frrconfig)
+            self.assertIn(f' evpn mh uplink', frrconfig)
+
+            id = int(id) + 1
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_interfaces_macsec.py b/smoketest/scripts/cli/test_interfaces_macsec.py
index ea0f00071..d8d564792 100755
--- a/smoketest/scripts/cli/test_interfaces_macsec.py
+++ b/smoketest/scripts/cli/test_interfaces_macsec.py
@@ -14,7 +14,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
 import re
 import unittest
 
@@ -23,9 +22,10 @@ from netifaces import interfaces
 
 from vyos.configsession import ConfigSessionError
 from vyos.ifconfig import Section
-from vyos.utils.process import cmd
 from vyos.utils.file import read_file
 from vyos.utils.network import get_interface_config
+from vyos.utils.network import interface_exists
+from vyos.utils.process import cmd
 from vyos.utils.process import process_named_running
 
 PROCESS_NAME = 'wpa_supplicant'
@@ -35,10 +35,6 @@ def get_config_value(interface, key):
     tmp = re.findall(r'\n?{}=(.*)'.format(key), tmp)
     return tmp[0]
 
-def get_cipher(interface):
-    tmp = get_interface_config(interface)
-    return tmp['linkinfo']['info_data']['cipher_suite'].lower()
-
 class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
     @classmethod
     def setUpClass(cls):
@@ -117,6 +113,10 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
             tmp = read_file(f'/sys/class/net/{interface}/mtu')
             self.assertEqual(tmp, '1460')
 
+            # Encryption enabled?
+            tmp = get_interface_config(interface)
+            self.assertTrue(tmp['linkinfo']['info_data']['encrypt'])
+
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
@@ -138,10 +138,11 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
 
         # final commit and verify
         self.cli_commit()
-        self.assertIn(interface, interfaces())
+        self.assertTrue(interface_exists(interface))
 
         # Verify proper cipher suite (T4537)
-        self.assertEqual(cipher, get_cipher(interface))
+        tmp = get_interface_config(interface)
+        self.assertEqual(cipher, tmp['linkinfo']['info_data']['cipher_suite'].lower())
 
     def test_macsec_gcm_aes_256(self):
         src_interface = 'eth0'
@@ -161,10 +162,11 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
 
         # final commit and verify
         self.cli_commit()
-        self.assertIn(interface, interfaces())
+        self.assertTrue(interface_exists(interface))
 
         # Verify proper cipher suite (T4537)
-        self.assertEqual(cipher, get_cipher(interface))
+        tmp = get_interface_config(interface)
+        self.assertEqual(cipher, tmp['linkinfo']['info_data']['cipher_suite'].lower())
 
     def test_macsec_source_interface(self):
         # Ensure source-interface can bot be part of any other bond or bridge
@@ -191,7 +193,7 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
 
             # final commit and verify
             self.cli_commit()
-            self.assertIn(interface, interfaces())
+            self.assertTrue(interface_exists(interface))
 
     def test_macsec_static_keys(self):
         src_interface = 'eth0'
@@ -205,7 +207,7 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
         peer_mac = '00:11:22:33:44:55'
         self.cli_set(self._base_path + [interface])
 
-         # Encrypt link
+        # Encrypt link
         self.cli_set(self._base_path + [interface, 'security', 'encrypt'])
 
         # check validate() - source interface is mandatory
@@ -261,9 +263,12 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase):
 
         # final commit and verify
         self.cli_commit()
-        self.assertIn(interface, interfaces())
-        self.assertEqual(cipher2, get_cipher(interface))
-        self.assertTrue(os.path.isdir(f'/sys/class/net/{interface}'))
+
+        self.assertTrue(interface_exists(interface))
+        tmp = get_interface_config(interface)
+        self.assertEqual(cipher2, tmp['linkinfo']['info_data']['cipher_suite'].lower())
+        # Encryption enabled?
+        self.assertTrue(tmp['linkinfo']['info_data']['encrypt'])
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_interfaces_openvpn.py b/smoketest/scripts/cli/test_interfaces_openvpn.py
index d1ece84d6..4a7e2418c 100755
--- a/smoketest/scripts/cli/test_interfaces_openvpn.py
+++ b/smoketest/scripts/cli/test_interfaces_openvpn.py
@@ -421,7 +421,7 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase):
             # IP pool configuration
             netmask = IPv4Network(subnet).netmask
             network = IPv4Network(subnet).network_address
-            self.assertIn(f'server {network} {netmask} nopool', config)
+            self.assertIn(f'server {network} {netmask}', config)
 
             # Verify client
             client_config = read_file(client_config_file)
@@ -442,80 +442,6 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase):
             interface = f'vtun{ii}'
             self.assertNotIn(interface, interfaces())
 
-    def test_openvpn_server_net30_topology(self):
-        # Create OpenVPN server interfaces (net30) using different client
-        # subnets. Validate configuration afterwards.
-        auth_hash = 'sha256'
-        num_range = range(20, 25)
-        port = ''
-        for ii in num_range:
-            interface = f'vtun{ii}'
-            subnet = f'192.0.{ii}.0/24'
-            path = base_path + [interface]
-            port = str(2000 + ii)
-
-            self.cli_set(path + ['device-type', 'tun'])
-            self.cli_set(path + ['encryption', 'cipher', 'aes192'])
-            self.cli_set(path + ['hash', auth_hash])
-            self.cli_set(path + ['mode', 'server'])
-            self.cli_set(path + ['local-port', port])
-            self.cli_set(path + ['server', 'subnet', subnet])
-            self.cli_set(path + ['server', 'topology', 'net30'])
-            self.cli_set(path + ['replace-default-route'])
-            self.cli_set(path + ['keep-alive', 'failure-count', '10'])
-            self.cli_set(path + ['keep-alive', 'interval', '5'])
-            self.cli_set(path + ['tls', 'ca-certificate', 'ovpn_test'])
-            self.cli_set(path + ['tls', 'certificate', 'ovpn_test'])
-            self.cli_set(path + ['tls', 'dh-params', 'ovpn_test'])
-            self.cli_set(path + ['vrf', vrf_name])
-
-        self.cli_commit()
-
-        for ii in num_range:
-            interface = f'vtun{ii}'
-            subnet = f'192.0.{ii}.0/24'
-            start_addr = inc_ip(subnet, '4')
-            stop_addr = dec_ip(last_host_address(subnet), '1')
-            port = str(2000 + ii)
-
-            config_file = f'/run/openvpn/{interface}.conf'
-            config = read_file(config_file)
-
-            self.assertIn(f'dev {interface}', config)
-            self.assertIn(f'dev-type tun', config)
-            self.assertIn(f'persist-key', config)
-            self.assertIn(f'proto udp', config) # default protocol
-            self.assertIn(f'auth {auth_hash}', config)
-            self.assertIn(f'cipher AES-192-CBC', config)
-            self.assertIn(f'topology net30', config)
-            self.assertIn(f'lport {port}', config)
-            self.assertIn(f'push "redirect-gateway def1"', config)
-            self.assertIn(f'keepalive 5 50', config)
-
-            # TLS options
-            self.assertIn(f'ca /run/openvpn/{interface}_ca.pem', config)
-            self.assertIn(f'cert /run/openvpn/{interface}_cert.pem', config)
-            self.assertIn(f'key /run/openvpn/{interface}_cert.key', config)
-            self.assertIn(f'dh /run/openvpn/{interface}_dh.pem', config)
-
-            # IP pool configuration
-            netmask = IPv4Network(subnet).netmask
-            network = IPv4Network(subnet).network_address
-            self.assertIn(f'server {network} {netmask} nopool', config)
-            self.assertIn(f'ifconfig-pool {start_addr} {stop_addr}', config)
-
-            self.assertTrue(process_named_running(PROCESS_NAME))
-            self.assertEqual(get_vrf(interface), vrf_name)
-            self.assertIn(interface, interfaces())
-
-        # check that no interface remained after deleting them
-        self.cli_delete(base_path)
-        self.cli_commit()
-
-        for ii in num_range:
-            interface = f'vtun{ii}'
-            self.assertNotIn(interface, interfaces())
-
     def test_openvpn_site2site_verify(self):
         # Create one OpenVPN site2site interface and check required
         # verify() stages
diff --git a/smoketest/scripts/cli/test_interfaces_pppoe.py b/smoketest/scripts/cli/test_interfaces_pppoe.py
index 0ce5e2fe0..e99d8b3d1 100755
--- a/smoketest/scripts/cli/test_interfaces_pppoe.py
+++ b/smoketest/scripts/cli/test_interfaces_pppoe.py
@@ -36,6 +36,9 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
         super(PPPoEInterfaceTest, cls).setUpClass()
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
 
         cls._interfaces = ['pppoe10', 'pppoe20', 'pppoe30']
         cls._source_interface = 'eth0'
@@ -53,7 +56,7 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase):
         self.cli_delete(base_path)
         self.cli_commit()
 
-    def test_01_pppoe_client(self):
+    def test_pppoe_client(self):
         # Check if PPPoE dialer can be configured and runs
         for interface in self._interfaces:
             user = f'VyOS-user-{interface}'
@@ -80,6 +83,9 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase):
 
             tmp = get_config_value(interface, 'mtu')[1]
             self.assertEqual(tmp, mtu)
+            # MRU must default to MTU if not specified on CLI
+            tmp = get_config_value(interface, 'mru')[1]
+            self.assertEqual(tmp, mtu)
             tmp = get_config_value(interface, 'user')[1].replace('"', '')
             self.assertEqual(tmp, user)
             tmp = get_config_value(interface, 'password')[1].replace('"', '')
@@ -87,7 +93,7 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase):
             tmp = get_config_value(interface, 'ifname')[1]
             self.assertEqual(tmp, interface)
 
-    def test_02_pppoe_client_disabled_interface(self):
+    def test_pppoe_client_disabled_interface(self):
         # Check if PPPoE Client can be disabled
         for interface in self._interfaces:
             user = f'VyOS-user-{interface}'
@@ -116,16 +122,16 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase):
         self.cli_commit()
 
 
-    def test_03_pppoe_authentication(self):
+    def test_pppoe_authentication(self):
         # When username or password is set - so must be the other
         for interface in self._interfaces:
             user = f'VyOS-user-{interface}'
             passwd = f'VyOS-passwd-{interface}'
 
-            self.cli_set(base_path + [interface, 'authentication', 'username', user])
             self.cli_set(base_path + [interface, 'source-interface', self._source_interface])
             self.cli_set(base_path + [interface, 'ipv6', 'address', 'autoconf'])
 
+            self.cli_set(base_path + [interface, 'authentication', 'username', user])
             # check validate() - if user is set, so must be the password
             with self.assertRaises(ConfigSessionError):
                 self.cli_commit()
@@ -134,7 +140,7 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase):
 
         self.cli_commit()
 
-    def test_04_pppoe_dhcpv6pd(self):
+    def test_pppoe_dhcpv6pd(self):
         # Check if PPPoE dialer can be configured with DHCPv6-PD
         address = '1'
         sla_id = '0'
@@ -174,7 +180,7 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase):
             tmp = get_config_value(interface, '+ipv6 ipv6cp-use-ipaddr')
             self.assertListEqual(tmp, ['+ipv6', 'ipv6cp-use-ipaddr'])
 
-    def test_05_pppoe_options(self):
+    def test_pppoe_options(self):
         # Check if PPPoE dialer can be configured with DHCPv6-PD
         for interface in self._interfaces:
             user = f'VyOS-user-{interface}'
@@ -206,5 +212,47 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase):
             tmp = get_config_value(interface, 'pppoe-host-uniq')[1]
             self.assertEqual(tmp, f'"{host_uniq}"')
 
+    def test_pppoe_mtu_mru(self):
+        # Check if PPPoE dialer can be configured and runs
+        for interface in self._interfaces:
+            user = f'VyOS-user-{interface}'
+            passwd = f'VyOS-passwd-{interface}'
+            mtu = '1400'
+            mru = '1300'
+
+            self.cli_set(base_path + [interface, 'authentication', 'username', user])
+            self.cli_set(base_path + [interface, 'authentication', 'password', passwd])
+            self.cli_set(base_path + [interface, 'mtu', mtu])
+            self.cli_set(base_path + [interface, 'mru', '9000'])
+
+            # check validate() - a source-interface is required
+            with self.assertRaises(ConfigSessionError):
+                self.cli_commit()
+            self.cli_set(base_path + [interface, 'source-interface', self._source_interface])
+
+            # check validate() - MRU needs to be less or equal then MTU
+            with self.assertRaises(ConfigSessionError):
+                self.cli_commit()
+            self.cli_set(base_path + [interface, 'mru', mru])
+
+        # commit changes
+        self.cli_commit()
+
+        # verify configuration file(s)
+        for interface in self._interfaces:
+            user = f'VyOS-user-{interface}'
+            passwd = f'VyOS-passwd-{interface}'
+
+            tmp = get_config_value(interface, 'mtu')[1]
+            self.assertEqual(tmp, mtu)
+            tmp = get_config_value(interface, 'mru')[1]
+            self.assertEqual(tmp, mru)
+            tmp = get_config_value(interface, 'user')[1].replace('"', '')
+            self.assertEqual(tmp, user)
+            tmp = get_config_value(interface, 'password')[1].replace('"', '')
+            self.assertEqual(tmp, passwd)
+            tmp = get_config_value(interface, 'ifname')[1]
+            self.assertEqual(tmp, interface)
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_interfaces_pseudo_ethernet.py b/smoketest/scripts/cli/test_interfaces_pseudo-ethernet.py
index 0d6f5bc1f..0d6f5bc1f 100755
--- a/smoketest/scripts/cli/test_interfaces_pseudo_ethernet.py
+++ b/smoketest/scripts/cli/test_interfaces_pseudo-ethernet.py
diff --git a/smoketest/scripts/cli/test_interfaces_tunnel.py b/smoketest/scripts/cli/test_interfaces_tunnel.py
index 2a7a519fd..dd9f1d2d1 100755
--- a/smoketest/scripts/cli/test_interfaces_tunnel.py
+++ b/smoketest/scripts/cli/test_interfaces_tunnel.py
@@ -393,5 +393,21 @@ class TunnelInterfaceTest(BasicInterfaceTest.TestCase):
             self.assertEqual(tunnel_config['encapsulation'],    conf['linkinfo']['info_kind'])
             self.assertEqual(tunnel_config['remote'],           conf['linkinfo']['info_data']['remote'])
 
+    def test_tunnel_invalid_source_interface(self):
+        encapsulation = 'gre'
+        remote = '192.0.2.1'
+        interface = 'tun7543'
+
+        self.cli_set(self._base_path + [interface, 'encapsulation', encapsulation])
+        self.cli_set(self._base_path + [interface, 'remote', remote])
+
+        for dynamic_interface in ['l2tp0', 'ppp4220', 'sstpc0', 'ipoe654']:
+            self.cli_set(self._base_path + [interface, 'source-interface', dynamic_interface])
+            # verify() - we can not source from dynamic interfaces
+            with self.assertRaises(ConfigSessionError):
+                self.cli_commit()
+        self.cli_set(self._base_path + [interface, 'source-interface', 'eth0'])
+        self.cli_commit()
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_interfaces_virtual_ethernet.py b/smoketest/scripts/cli/test_interfaces_virtual-ethernet.py
index 7874589ca..7874589ca 100755
--- a/smoketest/scripts/cli/test_interfaces_virtual_ethernet.py
+++ b/smoketest/scripts/cli/test_interfaces_virtual-ethernet.py
diff --git a/smoketest/scripts/cli/test_interfaces_vxlan.py b/smoketest/scripts/cli/test_interfaces_vxlan.py
index f6b203de4..18676491b 100755
--- a/smoketest/scripts/cli/test_interfaces_vxlan.py
+++ b/smoketest/scripts/cli/test_interfaces_vxlan.py
@@ -18,8 +18,12 @@ import unittest
 
 from vyos.configsession import ConfigSessionError
 from vyos.ifconfig import Interface
+from vyos.ifconfig import Section
 from vyos.utils.network import get_bridge_fdb
 from vyos.utils.network import get_interface_config
+from vyos.utils.network import interface_exists
+from vyos.utils.network import get_vxlan_vlan_tunnels
+from vyos.utils.network import get_vxlan_vni_filter
 from vyos.template import is_ipv6
 from base_interfaces_test import BasicInterfaceTest
 
@@ -29,12 +33,13 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase):
         cls._base_path = ['interfaces', 'vxlan']
         cls._options = {
             'vxlan10': ['vni 10', 'remote 127.0.0.2'],
-            'vxlan20': ['vni 20', 'group 239.1.1.1', 'source-interface eth0'],
+            'vxlan20': ['vni 20', 'group 239.1.1.1', 'source-interface eth0', 'mtu 1450'],
             'vxlan30': ['vni 30', 'remote 2001:db8:2000::1', 'source-address 2001:db8:1000::1', 'parameters ipv6 flowlabel 0x1000'],
             'vxlan40': ['vni 40', 'remote 127.0.0.2', 'remote 127.0.0.3'],
             'vxlan50': ['vni 50', 'remote 2001:db8:2000::1', 'remote 2001:db8:2000::2', 'parameters ipv6 flowlabel 0x1000'],
         }
         cls._interfaces = list(cls._options)
+        cls._mtu = '1450'
         # call base-classes classmethod
         super(VXLANInterfaceTest, cls).setUpClass()
 
@@ -105,7 +110,7 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase):
     def test_vxlan_external(self):
         interface = 'vxlan0'
         source_address = '192.0.2.1'
-        self.cli_set(self._base_path + [interface, 'external'])
+        self.cli_set(self._base_path + [interface, 'parameters', 'external'])
         self.cli_set(self._base_path + [interface, 'source-address', source_address])
 
         # Both 'VNI' and 'external' can not be specified at the same time.
@@ -133,5 +138,182 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase):
         self.assertTrue(options['linkinfo']['info_data']['external'])
         self.assertEqual('vxlan',    options['linkinfo']['info_kind'])
 
+    def test_vxlan_vlan_vni_mapping(self):
+        bridge = 'br0'
+        interface = 'vxlan0'
+        source_address = '192.0.2.99'
+
+        vlan_to_vni = {
+            '10': '10010',
+            '11': '10011',
+            '12': '10012',
+            '13': '10013',
+            '20': '10020',
+            '30': '10030',
+            '31': '10031',
+        }
+
+        self.cli_set(self._base_path + [interface, 'parameters', 'external'])
+        self.cli_set(self._base_path + [interface, 'source-address', source_address])
+
+        for vlan, vni in vlan_to_vni.items():
+            self.cli_set(self._base_path + [interface, 'vlan-to-vni', vlan, 'vni', vni])
+
+        # This must fail as this VXLAN interface is not associated with any bridge
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_set(['interfaces', 'bridge', bridge, 'member', 'interface', interface])
+
+        # It is not allowed to use duplicate VNIs
+        self.cli_set(self._base_path + [interface, 'vlan-to-vni', '11', 'vni', vlan_to_vni['10']])
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        # restore VLAN - VNI mappings
+        for vlan, vni in vlan_to_vni.items():
+            self.cli_set(self._base_path + [interface, 'vlan-to-vni', vlan, 'vni', vni])
+
+        # commit configuration
+        self.cli_commit()
+
+        self.assertTrue(interface_exists(bridge))
+        self.assertTrue(interface_exists(interface))
+
+        tmp = get_interface_config(interface)
+        self.assertEqual(tmp['master'], bridge)
+        self.assertFalse(tmp['linkinfo']['info_slave_data']['neigh_suppress'])
+
+        tmp = get_vxlan_vlan_tunnels('vxlan0')
+        self.assertEqual(tmp, list(vlan_to_vni))
+
+        self.cli_delete(['interfaces', 'bridge', bridge])
+
+    def test_vxlan_neighbor_suppress(self):
+        bridge = 'br555'
+        interface = 'vxlan555'
+        source_interface = 'dum0'
+
+        self.cli_set(['interfaces', Section.section(source_interface), source_interface, 'mtu', '9000'])
+
+        self.cli_set(self._base_path + [interface, 'parameters', 'external'])
+        self.cli_set(self._base_path + [interface, 'source-interface', source_interface])
+        self.cli_set(self._base_path + [interface, 'parameters', 'neighbor-suppress'])
+
+        # This must fail as this VXLAN interface is not associated with any bridge
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_set(['interfaces', 'bridge', bridge, 'member', 'interface', interface])
+
+        # commit configuration
+        self.cli_commit()
+
+        self.assertTrue(interface_exists(bridge))
+        self.assertTrue(interface_exists(interface))
+
+        tmp = get_interface_config(interface)
+        self.assertEqual(tmp['master'], bridge)
+        self.assertTrue(tmp['linkinfo']['info_slave_data']['neigh_suppress'])
+        self.assertFalse(tmp['linkinfo']['info_slave_data']['learning'])
+
+        # Remove neighbor suppress configuration and re-test
+        self.cli_delete(self._base_path + [interface, 'parameters', 'neighbor-suppress'])
+        # commit configuration
+        self.cli_commit()
+
+        tmp = get_interface_config(interface)
+        self.assertEqual(tmp['master'], bridge)
+        self.assertFalse(tmp['linkinfo']['info_slave_data']['neigh_suppress'])
+        self.assertTrue(tmp['linkinfo']['info_slave_data']['learning'])
+
+        self.cli_delete(['interfaces', 'bridge', bridge])
+        self.cli_delete(['interfaces', Section.section(source_interface), source_interface])
+
+    def test_vxlan_vni_filter(self):
+        interfaces = ['vxlan987', 'vxlan986', 'vxlan985']
+        source_address = '192.0.2.77'
+
+        for interface in interfaces:
+            self.cli_set(self._base_path + [interface, 'parameters', 'external'])
+            self.cli_set(self._base_path + [interface, 'source-address', source_address])
+
+        # This must fail as there can only be one "external" VXLAN device unless "vni-filter" is defined
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        # Enable "vni-filter" on the first VXLAN interface
+        self.cli_set(self._base_path + [interfaces[0], 'parameters', 'vni-filter'])
+
+        # This must fail as if it's enabled on one VXLAN interface, it must be enabled on all
+        # VXLAN interfaces
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        for interface in interfaces:
+            self.cli_set(self._base_path + [interface, 'parameters', 'vni-filter'])
+
+        # commit configuration
+        self.cli_commit()
+
+        for interface in interfaces:
+            self.assertTrue(interface_exists(interface))
+
+            tmp = get_interface_config(interface)
+            self.assertTrue(tmp['linkinfo']['info_data']['vnifilter'])
+
+    def test_vxlan_vni_filter_add_remove(self):
+        interface = 'vxlan987'
+        source_address = '192.0.2.66'
+        bridge = 'br0'
+
+        self.cli_set(self._base_path + [interface, 'parameters', 'external'])
+        self.cli_set(self._base_path + [interface, 'source-address', source_address])
+        self.cli_set(self._base_path + [interface, 'parameters', 'vni-filter'])
+
+        # commit configuration
+        self.cli_commit()
+
+        # Check if VXLAN interface got created
+        self.assertTrue(interface_exists(interface))
+
+        # VNI filter configured?
+        tmp = get_interface_config(interface)
+        self.assertTrue(tmp['linkinfo']['info_data']['vnifilter'])
+
+        # Now create some VLAN mappings and VNI filter
+        vlan_to_vni = {
+            '50': '10050',
+            '51': '10051',
+            '52': '10052',
+            '53': '10053',
+            '54': '10054',
+            '60': '10060',
+            '69': '10069',
+        }
+        for vlan, vni in vlan_to_vni.items():
+            self.cli_set(self._base_path + [interface, 'vlan-to-vni', vlan, 'vni', vni])
+        # we need a bridge ...
+        self.cli_set(['interfaces', 'bridge', bridge, 'member', 'interface', interface])
+        # commit configuration
+        self.cli_commit()
+
+        # All VNIs configured?
+        tmp = get_vxlan_vni_filter(interface)
+        self.assertListEqual(list(vlan_to_vni.values()), tmp)
+
+        #
+        # Delete a VLAN mappings and check if all VNIs are properly set up
+        #
+        vlan_to_vni.popitem()
+        self.cli_delete(self._base_path + [interface, 'vlan-to-vni'])
+        for vlan, vni in vlan_to_vni.items():
+            self.cli_set(self._base_path + [interface, 'vlan-to-vni', vlan, 'vni', vni])
+
+        # commit configuration
+        self.cli_commit()
+
+        # All VNIs configured?
+        tmp = get_vxlan_vni_filter(interface)
+        self.assertListEqual(list(vlan_to_vni.values()), tmp)
+
+        self.cli_delete(['interfaces', 'bridge', bridge])
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_interfaces_wireguard.py b/smoketest/scripts/cli/test_interfaces_wireguard.py
index 48c7cb6a1..4b994a659 100755
--- a/smoketest/scripts/cli/test_interfaces_wireguard.py
+++ b/smoketest/scripts/cli/test_interfaces_wireguard.py
@@ -20,6 +20,7 @@ import unittest
 from base_vyostest_shim import VyOSUnitTestSHIM
 from vyos.configsession import ConfigSessionError
 from vyos.utils.file import read_file
+from vyos.utils.process import cmd
 
 base_path = ['interfaces', 'wireguard']
 
@@ -152,5 +153,52 @@ class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase):
         tmp = read_file(f'/sys/class/net/{interface}/threaded')
         self.assertTrue(tmp, "1")
 
+    def test_05_wireguard_peer_pubkey_change(self):
+        # T5707 changing WireGuard CLI public key of a peer - it's not removed
+
+        def get_peers(interface) -> list:
+            tmp = cmd(f'sudo wg show {interface} dump')
+            first_line = True
+            peers = []
+            for line in tmp.split('\n'):
+                if not line:
+                    continue # Skip empty lines and last line
+                items = line.split('\t')
+                if first_line:
+                    self.assertEqual(privkey, items[0])
+                    first_line = False
+                else:
+                    peers.append(items[0])
+            return peers
+
+
+        interface = 'wg1337'
+        port = '1337'
+        privkey = 'iJi4lb2HhkLx2KSAGOjji2alKkYsJjSPkHkrcpxgEVU='
+        pubkey_1 = 'srQ8VF6z/LDjKCzpxBzFpmaNUOeuHYzIfc2dcmoc/h4='
+        pubkey_2 = '8pbMHiQ7NECVP7F65Mb2W8+4ldGG2oaGvDSpSEsOBn8='
+
+        self.cli_set(base_path + [interface, 'address', '172.16.0.1/24'])
+        self.cli_set(base_path + [interface, 'port', port])
+        self.cli_set(base_path + [interface, 'private-key', privkey])
+
+        self.cli_set(base_path + [interface, 'peer', 'VyOS', 'public-key', pubkey_1])
+        self.cli_set(base_path + [interface, 'peer', 'VyOS', 'allowed-ips', '10.205.212.10/32'])
+
+        self.cli_commit()
+
+        peers = get_peers(interface)
+        self.assertIn(pubkey_1, peers)
+        self.assertNotIn(pubkey_2, peers)
+
+        # Now change the public key of our peer
+        self.cli_set(base_path + [interface, 'peer', 'VyOS', 'public-key', pubkey_2])
+        self.cli_commit()
+
+        # Verify config
+        peers = get_peers(interface)
+        self.assertNotIn(pubkey_1, peers)
+        self.assertIn(pubkey_2, peers)
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_load_balancing_reverse_proxy.py b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py
index a33fd5c18..274b97f22 100755
--- a/smoketest/scripts/cli/test_load_balancing_reverse_proxy.py
+++ b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py
@@ -74,6 +74,7 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase):
         self.cli_set(back_base + [bk_second_name, 'mode', mode])
         self.cli_set(back_base + [bk_second_name, 'server', bk_second_name, 'address', bk_server_second])
         self.cli_set(back_base + [bk_second_name, 'server', bk_second_name, 'port', bk_server_port])
+        self.cli_set(back_base + [bk_second_name, 'server', bk_second_name, 'backup'])
 
         self.cli_set(base_path + ['global-parameters', 'max-connections', max_connections])
 
@@ -106,6 +107,7 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase):
         self.assertIn(f'backend {bk_second_name}', config)
         self.assertIn(f'mode {mode}', config)
         self.assertIn(f'server {bk_second_name} {bk_server_second}:{bk_server_port}', config)
+        self.assertIn(f'server {bk_second_name} {bk_server_second}:{bk_server_port} backup', config)
 
 
 if __name__ == '__main__':
diff --git a/smoketest/scripts/cli/test_load_balancing_wan.py b/smoketest/scripts/cli/test_load-balancing_wan.py
index 9b2cb0fac..47ca19b27 100755
--- a/smoketest/scripts/cli/test_load_balancing_wan.py
+++ b/smoketest/scripts/cli/test_load-balancing_wan.py
@@ -124,11 +124,12 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
         self.assertEqual(tmp, original)
 
         # Delete veth interfaces and netns
-        for iface in [iface1, iface2, iface3, container_iface1, container_iface2, container_iface3]:
+        for iface in [iface1, iface2, iface3]:
             call(f'sudo ip link del dev {iface}')
 
         delete_netns(ns1)
         delete_netns(ns2)
+        delete_netns(ns3)
 
     def test_check_chains(self):
 
@@ -246,11 +247,13 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
         self.assertEqual(tmp, nat_vyos_pre_snat_hook)
 
         # Delete veth interfaces and netns
-        for iface in [iface1, iface2, iface3, container_iface1, container_iface2, container_iface3]:
+        for iface in [iface1, iface2, iface3]:
             call(f'sudo ip link del dev {iface}')
 
         delete_netns(ns1)
         delete_netns(ns2)
+        delete_netns(ns3)
+
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py
index 31dfcef87..1e6435df8 100755
--- a/smoketest/scripts/cli/test_nat.py
+++ b/smoketest/scripts/cli/test_nat.py
@@ -82,12 +82,12 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
             # or configured destination address for NAT
             if int(rule) < 200:
                 self.cli_set(src_path + ['rule', rule, 'source', 'address', network])
-                self.cli_set(src_path + ['rule', rule, 'outbound-interface', outbound_iface_100])
+                self.cli_set(src_path + ['rule', rule, 'outbound-interface', 'name', outbound_iface_100])
                 self.cli_set(src_path + ['rule', rule, 'translation', 'address', 'masquerade'])
                 nftables_search.append([f'saddr {network}', f'oifname "{outbound_iface_100}"', 'masquerade'])
             else:
                 self.cli_set(src_path + ['rule', rule, 'destination', 'address', network])
-                self.cli_set(src_path + ['rule', rule, 'outbound-interface', outbound_iface_200])
+                self.cli_set(src_path + ['rule', rule, 'outbound-interface', 'name', outbound_iface_200])
                 self.cli_set(src_path + ['rule', rule, 'exclude'])
                 nftables_search.append([f'daddr {network}', f'oifname "{outbound_iface_200}"', 'return'])
 
@@ -98,13 +98,15 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
     def test_snat_groups(self):
         address_group = 'smoketest_addr'
         address_group_member = '192.0.2.1'
+        interface_group = 'smoketest_ifaces'
+        interface_group_member = 'bond.99'
         rule = '100'
-        outbound_iface = 'eth0'
 
         self.cli_set(['firewall', 'group', 'address-group', address_group, 'address', address_group_member])
+        self.cli_set(['firewall', 'group', 'interface-group', interface_group, 'interface', interface_group_member])
 
         self.cli_set(src_path + ['rule', rule, 'source', 'group', 'address-group', address_group])
-        self.cli_set(src_path + ['rule', rule, 'outbound-interface', outbound_iface])
+        self.cli_set(src_path + ['rule', rule, 'outbound-interface', 'group', interface_group])
         self.cli_set(src_path + ['rule', rule, 'translation', 'address', 'masquerade'])
 
         self.cli_commit()
@@ -112,7 +114,7 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
         nftables_search = [
             [f'set A_{address_group}'],
             [f'elements = {{ {address_group_member} }}'],
-            [f'ip saddr @A_{address_group}', f'oifname "{outbound_iface}"', 'masquerade']
+            [f'ip saddr @A_{address_group}', f'oifname @I_{interface_group}', 'masquerade']
         ]
 
         self.verify_nftables(nftables_search, 'ip vyos_nat')
@@ -136,12 +138,12 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
             rule_search = [f'dnat to 192.0.2.1:{port}']
             if int(rule) < 200:
                 self.cli_set(dst_path + ['rule', rule, 'protocol', inbound_proto_100])
-                self.cli_set(dst_path + ['rule', rule, 'inbound-interface', inbound_iface_100])
+                self.cli_set(dst_path + ['rule', rule, 'inbound-interface', 'name', inbound_iface_100])
                 rule_search.append(f'{inbound_proto_100} sport {port}')
                 rule_search.append(f'iifname "{inbound_iface_100}"')
             else:
                 self.cli_set(dst_path + ['rule', rule, 'protocol', inbound_proto_200])
-                self.cli_set(dst_path + ['rule', rule, 'inbound-interface', inbound_iface_200])
+                self.cli_set(dst_path + ['rule', rule, 'inbound-interface', 'name', inbound_iface_200])
                 rule_search.append(f'iifname "{inbound_iface_200}"')
 
             nftables_search.append(rule_search)
@@ -155,11 +157,6 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
         rule = '5'
         self.cli_set(src_path + ['rule', rule, 'source', 'address', '192.0.2.0/24'])
 
-        # check validate() - outbound-interface must be defined
-        with self.assertRaises(ConfigSessionError):
-            self.cli_commit()
-        self.cli_set(src_path + ['rule', rule, 'outbound-interface', 'eth0'])
-
         # check validate() - translation address not specified
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
@@ -172,7 +169,7 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
         rule = '1000'
         self.cli_set(dst_path + ['rule', rule, 'destination', 'address', '!192.0.2.1'])
         self.cli_set(dst_path + ['rule', rule, 'destination', 'port', '53'])
-        self.cli_set(dst_path + ['rule', rule, 'inbound-interface', 'eth0'])
+        self.cli_set(dst_path + ['rule', rule, 'inbound-interface', 'name', 'eth0'])
         self.cli_set(dst_path + ['rule', rule, 'protocol', 'tcp_udp'])
         self.cli_set(dst_path + ['rule', rule, 'source', 'address', '!192.0.2.1'])
         self.cli_set(dst_path + ['rule', rule, 'translation', 'address', '192.0.2.1'])
@@ -191,7 +188,7 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
         self.cli_commit()
 
     def test_dnat_without_translation_address(self):
-        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'eth1'])
+        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'name', 'eth1'])
         self.cli_set(dst_path + ['rule', '1', 'destination', 'port', '443'])
         self.cli_set(dst_path + ['rule', '1', 'protocol', 'tcp'])
         self.cli_set(dst_path + ['rule', '1', 'packet-type', 'host'])
@@ -241,13 +238,13 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
         self.cli_set(dst_path + ['rule', '10', 'destination', 'address', dst_addr_1])
         self.cli_set(dst_path + ['rule', '10', 'destination', 'port', dest_port])
         self.cli_set(dst_path + ['rule', '10', 'protocol', protocol])
-        self.cli_set(dst_path + ['rule', '10', 'inbound-interface', ifname])
+        self.cli_set(dst_path + ['rule', '10', 'inbound-interface', 'name', ifname])
         self.cli_set(dst_path + ['rule', '10', 'translation', 'redirect', 'port', redirected_port])
 
         self.cli_set(dst_path + ['rule', '20', 'destination', 'address', dst_addr_1])
         self.cli_set(dst_path + ['rule', '20', 'destination', 'port', dest_port])
         self.cli_set(dst_path + ['rule', '20', 'protocol', protocol])
-        self.cli_set(dst_path + ['rule', '20', 'inbound-interface', ifname])
+        self.cli_set(dst_path + ['rule', '20', 'inbound-interface', 'name', ifname])
         self.cli_set(dst_path + ['rule', '20', 'translation', 'redirect'])
 
         self.cli_commit()
@@ -271,7 +268,7 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
         weight_4 = '65'
         dst_port = '443'
 
-        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', ifname])
+        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'name', ifname])
         self.cli_set(dst_path + ['rule', '1', 'protocol', 'tcp'])
         self.cli_set(dst_path + ['rule', '1', 'destination', 'port', dst_port])
         self.cli_set(dst_path + ['rule', '1', 'load-balance', 'hash', 'source-address'])
@@ -281,7 +278,7 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
         self.cli_set(dst_path + ['rule', '1', 'load-balance', 'backend', member_1, 'weight', weight_1])
         self.cli_set(dst_path + ['rule', '1', 'load-balance', 'backend', member_2, 'weight', weight_2])
 
-        self.cli_set(src_path + ['rule', '1', 'outbound-interface', ifname])
+        self.cli_set(src_path + ['rule', '1', 'outbound-interface', 'name', ifname])
         self.cli_set(src_path + ['rule', '1', 'load-balance', 'hash', 'random'])
         self.cli_set(src_path + ['rule', '1', 'load-balance', 'backend', member_3, 'weight', weight_3])
         self.cli_set(src_path + ['rule', '1', 'load-balance', 'backend', member_4, 'weight', weight_4])
@@ -295,5 +292,25 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
 
         self.verify_nftables(nftables_search, 'ip vyos_nat')
 
+    def test_snat_net_port_map(self):
+        self.cli_set(src_path + ['rule', '10', 'protocol', 'tcp_udp'])
+        self.cli_set(src_path + ['rule', '10', 'source', 'address', '100.64.0.0/25'])
+        self.cli_set(src_path + ['rule', '10', 'translation', 'address', '203.0.113.0/25'])
+        self.cli_set(src_path + ['rule', '10', 'translation', 'port', '1025-3072'])
+
+        self.cli_set(src_path + ['rule', '20', 'protocol', 'tcp_udp'])
+        self.cli_set(src_path + ['rule', '20', 'source', 'address', '100.64.0.128/25'])
+        self.cli_set(src_path + ['rule', '20', 'translation', 'address', '203.0.113.128/25'])
+        self.cli_set(src_path + ['rule', '20', 'translation', 'port', '1025-3072'])
+
+        self.cli_commit()
+
+        nftables_search = [
+            ['meta l4proto { tcp, udp }', 'snat ip prefix to ip saddr map { 100.64.0.0/25 : 203.0.113.0/25 . 1025-3072 }', 'comment "SRC-NAT-10"'],
+            ['meta l4proto { tcp, udp }', 'snat ip prefix to ip saddr map { 100.64.0.128/25 : 203.0.113.128/25 . 1025-3072 }', 'comment "SRC-NAT-20"']
+        ]
+
+        self.verify_nftables(nftables_search, 'ip vyos_nat')
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_nat64.py b/smoketest/scripts/cli/test_nat64.py
new file mode 100755
index 000000000..b5723ac7e
--- /dev/null
+++ b/smoketest/scripts/cli/test_nat64.py
@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import json
+import os
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+from vyos.configsession import ConfigSessionError
+from vyos.utils.process import cmd
+from vyos.utils.dict import dict_search
+
+base_path = ['nat64']
+src_path = base_path + ['source']
+
+jool_nat64_config = '/run/jool/instance-100.json'
+
+
+class TestNAT64(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestNAT64, cls).setUpClass()
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+    def tearDown(self):
+        self.cli_delete(base_path)
+        self.cli_commit()
+        self.assertFalse(os.path.exists(jool_nat64_config))
+
+    def test_snat64(self):
+        rule = '100'
+        translation_rule = '10'
+        prefix_v6 = '64:ff9b::/96'
+        pool = '192.0.2.10'
+        pool_port = '1-65535'
+
+        self.cli_set(src_path + ['rule', rule, 'source', 'prefix', prefix_v6])
+        self.cli_set(
+            src_path
+            + ['rule', rule, 'translation', 'pool', translation_rule, 'address', pool]
+        )
+        self.cli_set(
+            src_path
+            + ['rule', rule, 'translation', 'pool', translation_rule, 'port', pool_port]
+        )
+        self.cli_commit()
+
+        # Load the JSON file
+        with open(f'/run/jool/instance-{rule}.json', 'r') as json_file:
+            config_data = json.load(json_file)
+
+        # Assertions based on the content of the JSON file
+        self.assertEqual(config_data['instance'], f'instance-{rule}')
+        self.assertEqual(config_data['framework'], 'netfilter')
+        self.assertEqual(config_data['global']['pool6'], prefix_v6)
+        self.assertTrue(config_data['global']['manually-enabled'])
+
+        # Check the pool4 entries
+        pool4_entries = config_data.get('pool4', [])
+        self.assertIsInstance(pool4_entries, list)
+        self.assertGreater(len(pool4_entries), 0)
+
+        for entry in pool4_entries:
+            self.assertIn('protocol', entry)
+            self.assertIn('prefix', entry)
+            self.assertIn('port range', entry)
+
+            protocol = entry['protocol']
+            prefix = entry['prefix']
+            port_range = entry['port range']
+
+            if protocol == 'ICMP':
+                self.assertEqual(prefix, pool)
+                self.assertEqual(port_range, pool_port)
+            elif protocol == 'UDP':
+                self.assertEqual(prefix, pool)
+                self.assertEqual(port_range, pool_port)
+            elif protocol == 'TCP':
+                self.assertEqual(prefix, pool)
+                self.assertEqual(port_range, pool_port)
+            else:
+                self.fail(f'Unexpected protocol: {protocol}')
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_nat66.py b/smoketest/scripts/cli/test_nat66.py
index e062f28a6..0607f6616 100755
--- a/smoketest/scripts/cli/test_nat66.py
+++ b/smoketest/scripts/cli/test_nat66.py
@@ -56,15 +56,15 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
     def test_source_nat66(self):
         source_prefix = 'fc00::/64'
         translation_prefix = 'fc01::/64'
-        self.cli_set(src_path + ['rule', '1', 'outbound-interface', 'eth1'])
+        self.cli_set(src_path + ['rule', '1', 'outbound-interface', 'name', 'eth1'])
         self.cli_set(src_path + ['rule', '1', 'source', 'prefix', source_prefix])
         self.cli_set(src_path + ['rule', '1', 'translation', 'address', translation_prefix])
 
-        self.cli_set(src_path + ['rule', '2', 'outbound-interface', 'eth1'])
+        self.cli_set(src_path + ['rule', '2', 'outbound-interface', 'name', 'eth1'])
         self.cli_set(src_path + ['rule', '2', 'source', 'prefix', source_prefix])
         self.cli_set(src_path + ['rule', '2', 'translation', 'address', 'masquerade'])
 
-        self.cli_set(src_path + ['rule', '3', 'outbound-interface', 'eth1'])
+        self.cli_set(src_path + ['rule', '3', 'outbound-interface', 'name', 'eth1'])
         self.cli_set(src_path + ['rule', '3', 'source', 'prefix', source_prefix])
         self.cli_set(src_path + ['rule', '3', 'exclude'])
 
@@ -81,7 +81,7 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
     def test_source_nat66_address(self):
         source_prefix = 'fc00::/64'
         translation_address = 'fc00::1'
-        self.cli_set(src_path + ['rule', '1', 'outbound-interface', 'eth1'])
+        self.cli_set(src_path + ['rule', '1', 'outbound-interface', 'name', 'eth1'])
         self.cli_set(src_path + ['rule', '1', 'source', 'prefix', source_prefix])
         self.cli_set(src_path + ['rule', '1', 'translation', 'address', translation_address])
 
@@ -98,11 +98,11 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
         destination_address = 'fc00::1'
         translation_address = 'fc01::1'
         source_address = 'fc02::1'
-        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'eth1'])
+        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'name', 'eth1'])
         self.cli_set(dst_path + ['rule', '1', 'destination', 'address', destination_address])
         self.cli_set(dst_path + ['rule', '1', 'translation', 'address', translation_address])
 
-        self.cli_set(dst_path + ['rule', '2', 'inbound-interface', 'eth1'])
+        self.cli_set(dst_path + ['rule', '2', 'inbound-interface', 'name', 'eth1'])
         self.cli_set(dst_path + ['rule', '2', 'destination', 'address', destination_address])
         self.cli_set(dst_path + ['rule', '2', 'source', 'address', source_address])
         self.cli_set(dst_path + ['rule', '2', 'exclude'])
@@ -124,7 +124,7 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
         sport = '8080'
         tport = '5555'
         proto = 'tcp'
-        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'eth1'])
+        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'name', 'eth1'])
         self.cli_set(dst_path + ['rule', '1', 'destination', 'port', dport])
         self.cli_set(dst_path + ['rule', '1', 'source', 'address', source_prefix])
         self.cli_set(dst_path + ['rule', '1', 'source', 'port', sport])
@@ -144,7 +144,7 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
     def test_destination_nat66_prefix(self):
         destination_prefix = 'fc00::/64'
         translation_prefix = 'fc01::/64'
-        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'eth1'])
+        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'name', 'eth1'])
         self.cli_set(dst_path + ['rule', '1', 'destination', 'address', destination_prefix])
         self.cli_set(dst_path + ['rule', '1', 'translation', 'address', translation_prefix])
 
@@ -158,7 +158,7 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
         self.verify_nftables(nftables_search, 'ip6 vyos_nat')
 
     def test_destination_nat66_without_translation_address(self):
-        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'eth1'])
+        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'name', 'eth1'])
         self.cli_set(dst_path + ['rule', '1', 'destination', 'port', '443'])
         self.cli_set(dst_path + ['rule', '1', 'protocol', 'tcp'])
         self.cli_set(dst_path + ['rule', '1', 'translation', 'port', '443'])
@@ -180,7 +180,7 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
         # check validate() - outbound-interface must be defined
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
-        self.cli_set(src_path + ['rule', rule, 'outbound-interface', 'eth0'])
+        self.cli_set(src_path + ['rule', rule, 'outbound-interface', 'name', 'eth0'])
 
         # check validate() - translation address not specified
         with self.assertRaises(ConfigSessionError):
@@ -196,7 +196,7 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
         sport = '8080'
         tport = '80'
         proto = 'tcp'
-        self.cli_set(src_path + ['rule', '1', 'outbound-interface', 'eth1'])
+        self.cli_set(src_path + ['rule', '1', 'outbound-interface', 'name', 'eth1'])
         self.cli_set(src_path + ['rule', '1', 'destination', 'port', dport])
         self.cli_set(src_path + ['rule', '1', 'source', 'prefix', source_prefix])
         self.cli_set(src_path + ['rule', '1', 'source', 'port', sport])
diff --git a/smoketest/scripts/cli/test_interfaces_netns.py b/smoketest/scripts/cli/test_netns.py
index b8bebb221..b8bebb221 100755
--- a/smoketest/scripts/cli/test_interfaces_netns.py
+++ b/smoketest/scripts/cli/test_netns.py
diff --git a/smoketest/scripts/cli/test_pki.py b/smoketest/scripts/cli/test_pki.py
index b18b0b039..02beafb26 100755
--- a/smoketest/scripts/cli/test_pki.py
+++ b/smoketest/scripts/cli/test_pki.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -19,6 +19,8 @@ import unittest
 from base_vyostest_shim import VyOSUnitTestSHIM
 from vyos.configsession import ConfigSessionError
 
+from vyos.utils.file import read_file
+
 base_path = ['pki']
 
 valid_ca_cert = """
@@ -153,10 +155,10 @@ class TestPKI(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
         super(TestPKI, cls).setUpClass()
-
         # ensure we can also run this test on a live system - so lets clean
         # out the current configuration :)
         cls.cli_delete(cls, base_path)
+        cls.cli_delete(cls, ['service', 'https'])
 
     def tearDown(self):
         self.cli_delete(base_path)
@@ -181,92 +183,72 @@ class TestPKI(VyOSUnitTestSHIM.TestCase):
         self.cli_commit()
 
     def test_invalid_ca_valid_certificate(self):
-        self.cli_set(base_path + ['ca', 'smoketest', 'certificate', valid_cert.replace('\n','')])
-
-        with self.assertRaises(ConfigSessionError):
-            self.cli_commit()
-
-    def test_invalid_certificate(self):
-        self.cli_set(base_path + ['certificate', 'smoketest', 'certificate', 'invalidcertdata'])
-
-        with self.assertRaises(ConfigSessionError):
-            self.cli_commit()
-
-    def test_invalid_public_key(self):
-        self.cli_set(base_path + ['key-pair', 'smoketest', 'public', 'key', 'invalidkeydata'])
-
-        with self.assertRaises(ConfigSessionError):
-            self.cli_commit()
-
-    def test_invalid_private_key(self):
-        self.cli_set(base_path + ['key-pair', 'smoketest', 'private', 'key', 'invalidkeydata'])
-
-        with self.assertRaises(ConfigSessionError):
-            self.cli_commit()
-
-    def test_invalid_dh_parameters(self):
-        self.cli_set(base_path + ['dh', 'smoketest', 'parameters', 'thisisinvalid'])
+        self.cli_set(base_path + ['ca', 'invalid-ca', 'certificate', valid_cert.replace('\n','')])
 
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
 
     def test_certificate_in_use(self):
-        self.cli_set(base_path + ['certificate', 'smoketest', 'certificate', valid_ca_cert.replace('\n','')])
-        self.cli_set(base_path + ['certificate', 'smoketest', 'private', 'key', valid_ca_private_key.replace('\n','')])
+        cert_name = 'smoketest'
+
+        self.cli_set(base_path + ['certificate', cert_name, 'certificate', valid_ca_cert.replace('\n','')])
+        self.cli_set(base_path + ['certificate', cert_name, 'private', 'key', valid_ca_private_key.replace('\n','')])
         self.cli_commit()
 
-        self.cli_set(['service', 'https', 'certificates', 'certificate', 'smoketest'])
+        self.cli_set(['service', 'https', 'certificates', 'certificate', cert_name])
         self.cli_commit()
 
-        self.cli_delete(base_path + ['certificate', 'smoketest'])
+        self.cli_delete(base_path + ['certificate', cert_name])
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
 
         self.cli_delete(['service', 'https', 'certificates', 'certificate'])
 
     def test_certificate_https_update(self):
-        self.cli_set(base_path + ['certificate', 'smoketest', 'certificate', valid_ca_cert.replace('\n','')])
-        self.cli_set(base_path + ['certificate', 'smoketest', 'private', 'key', valid_ca_private_key.replace('\n','')])
+        cert_name = 'smoke-test_foo'
+        cert_path = f'/run/nginx/certs/{cert_name}_cert.pem'
+        self.cli_set(base_path + ['certificate', cert_name, 'certificate', valid_ca_cert.replace('\n','')])
+        self.cli_set(base_path + ['certificate', cert_name, 'private', 'key', valid_ca_private_key.replace('\n','')])
         self.cli_commit()
 
-        self.cli_set(['service', 'https', 'certificates', 'certificate', 'smoketest'])
+        self.cli_set(['service', 'https', 'certificates', 'certificate', cert_name])
         self.cli_commit()
 
         cert_data = None
 
-        with open('/etc/ssl/certs/smoketest.pem') as f:
-            cert_data = f.read()
+        cert_data = read_file(cert_path)
 
-        self.cli_set(base_path + ['certificate', 'smoketest', 'certificate', valid_update_cert.replace('\n','')])
-        self.cli_set(base_path + ['certificate', 'smoketest', 'private', 'key', valid_update_private_key.replace('\n','')])
+        self.cli_set(base_path + ['certificate', cert_name, 'certificate', valid_update_cert.replace('\n','')])
+        self.cli_set(base_path + ['certificate', cert_name, 'private', 'key', valid_update_private_key.replace('\n','')])
         self.cli_commit()
 
-        with open('/etc/ssl/certs/smoketest.pem') as f:
-            self.assertNotEqual(cert_data, f.read())
+        self.assertNotEqual(cert_data, read_file(cert_path))
 
         self.cli_delete(['service', 'https', 'certificates', 'certificate'])
 
     def test_certificate_eapol_update(self):
-        self.cli_set(base_path + ['certificate', 'smoketest', 'certificate', valid_ca_cert.replace('\n','')])
-        self.cli_set(base_path + ['certificate', 'smoketest', 'private', 'key', valid_ca_private_key.replace('\n','')])
+        cert_name = 'eapol'
+        interface = 'eth1'
+        self.cli_set(base_path + ['certificate', cert_name, 'certificate', valid_ca_cert.replace('\n','')])
+        self.cli_set(base_path + ['certificate', cert_name, 'private', 'key', valid_ca_private_key.replace('\n','')])
         self.cli_commit()
 
-        self.cli_set(['interfaces', 'ethernet', 'eth1', 'eapol', 'certificate', 'smoketest'])
+        self.cli_set(['interfaces', 'ethernet', interface, 'eapol', 'certificate', cert_name])
         self.cli_commit()
 
         cert_data = None
 
-        with open('/run/wpa_supplicant/eth1_cert.pem') as f:
+        with open(f'/run/wpa_supplicant/{interface}_cert.pem') as f:
             cert_data = f.read()
 
-        self.cli_set(base_path + ['certificate', 'smoketest', 'certificate', valid_update_cert.replace('\n','')])
-        self.cli_set(base_path + ['certificate', 'smoketest', 'private', 'key', valid_update_private_key.replace('\n','')])
+        self.cli_set(base_path + ['certificate', cert_name, 'certificate', valid_update_cert.replace('\n','')])
+        self.cli_set(base_path + ['certificate', cert_name, 'private', 'key', valid_update_private_key.replace('\n','')])
         self.cli_commit()
 
-        with open('/run/wpa_supplicant/eth1_cert.pem') as f:
+        with open(f'/run/wpa_supplicant/{interface}_cert.pem') as f:
             self.assertNotEqual(cert_data, f.read())
 
-        self.cli_delete(['interfaces', 'ethernet', 'eth1', 'eapol'])
+        self.cli_delete(['interfaces', 'ethernet', interface, 'eapol'])
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_policy.py b/smoketest/scripts/cli/test_policy.py
index 354f791bd..c21d8af4e 100755
--- a/smoketest/scripts/cli/test_policy.py
+++ b/smoketest/scripts/cli/test_policy.py
@@ -1107,6 +1107,33 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
                             'metric' : '-20',
                         },
                     },
+                    '30': {
+                        'action': 'permit',
+                        'match': {
+                            'ip-nexthop-addr': ipv4_nexthop_address,
+                        },
+                        'set': {
+                            'metric': 'rtt',
+                        },
+                    },
+                    '40': {
+                        'action': 'permit',
+                        'match': {
+                            'ip-nexthop-addr': ipv4_nexthop_address,
+                        },
+                        'set': {
+                            'metric': '+rtt',
+                        },
+                    },
+                    '50': {
+                        'action': 'permit',
+                        'match': {
+                            'ip-nexthop-addr': ipv4_nexthop_address,
+                        },
+                        'set': {
+                            'metric': '-rtt',
+                        },
+                    },
                 },
             },
         }
@@ -1467,7 +1494,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         table = '23'
         for src in sources:
             self.cli_set(path + ['rule', rule, 'set', 'table', table])
-            self.cli_set(path + ['rule', rule, 'source', src])
+            self.cli_set(path + ['rule', rule, 'source', 'address', src])
 
         self.cli_commit()
 
@@ -1508,7 +1535,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         table = '154'
 
         self.cli_set(path + ['rule', rule, 'set', 'table', table])
-        self.cli_set(path + ['rule', rule, 'destination', dst])
+        self.cli_set(path + ['rule', rule, 'destination', 'address', dst])
 
         self.cli_commit()
 
@@ -1519,6 +1546,78 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
 
         self.assertEqual(sort_ip(tmp), sort_ip(original))
 
+    # Test set table for destination and protocol
+    def test_protocol_destination_table_id(self):
+        path = base_path + ['local-route']
+
+        dst = '203.0.113.12'
+        rule = '85'
+        table = '104'
+        proto = 'tcp'
+
+        self.cli_set(path + ['rule', rule, 'set', 'table', table])
+        self.cli_set(path + ['rule', rule, 'destination', 'address', dst])
+        self.cli_set(path + ['rule', rule, 'protocol', proto])
+
+        self.cli_commit()
+
+        original = """
+        85:	from all to 203.0.113.12 ipproto tcp lookup 104
+        """
+        tmp = cmd('ip rule show prio 85')
+
+        self.assertEqual(sort_ip(tmp), sort_ip(original))
+
+    # Test set table for destination, source, protocol, fwmark and port
+    def test_protocol_port_address_fwmark_table_id(self):
+        path = base_path + ['local-route']
+
+        dst = '203.0.113.5'
+        src_list = ['203.0.113.1', '203.0.113.2']
+        rule = '23'
+        fwmark = '123456'
+        table = '123'
+        new_table = '111'
+        proto = 'udp'
+        new_proto = 'tcp'
+        src_port = '5555'
+        dst_port = '8888'
+
+        self.cli_set(path + ['rule', rule, 'set', 'table', table])
+        self.cli_set(path + ['rule', rule, 'destination', 'address', dst])
+        self.cli_set(path + ['rule', rule, 'source', 'port', src_port])
+        self.cli_set(path + ['rule', rule, 'protocol', proto])
+        self.cli_set(path + ['rule', rule, 'fwmark', fwmark])
+        self.cli_set(path + ['rule', rule, 'destination', 'port', dst_port])
+        for src in src_list:
+            self.cli_set(path + ['rule', rule, 'source', 'address', src])
+
+        self.cli_commit()
+
+        original = """
+        23:	from 203.0.113.1 to 203.0.113.5 fwmark 0x1e240 ipproto udp sport 5555 dport 8888 lookup 123
+        23:	from 203.0.113.2 to 203.0.113.5 fwmark 0x1e240 ipproto udp sport 5555 dport 8888 lookup 123
+        """
+        tmp = cmd(f'ip rule show prio {rule}')
+
+        self.assertEqual(sort_ip(tmp), sort_ip(original))
+
+        # Change table and protocol, delete fwmark and source port
+        self.cli_delete(path + ['rule', rule, 'fwmark'])
+        self.cli_delete(path + ['rule', rule, 'source', 'port'])
+        self.cli_set(path + ['rule', rule, 'set', 'table', new_table])
+        self.cli_set(path + ['rule', rule, 'protocol', new_proto])
+
+        self.cli_commit()
+
+        original = """
+        23:	from 203.0.113.1 to 203.0.113.5 ipproto tcp dport 8888 lookup 111
+        23:	from 203.0.113.2 to 203.0.113.5 ipproto tcp dport 8888 lookup 111
+        """
+        tmp = cmd(f'ip rule show prio {rule}')
+
+        self.assertEqual(sort_ip(tmp), sort_ip(original))
+
     # Test set table for sources with fwmark
     def test_fwmark_sources_table_id(self):
         path = base_path + ['local-route']
@@ -1529,7 +1628,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         table = '150'
         for src in sources:
             self.cli_set(path + ['rule', rule, 'set', 'table', table])
-            self.cli_set(path + ['rule', rule, 'source', src])
+            self.cli_set(path + ['rule', rule, 'source', 'address', src])
             self.cli_set(path + ['rule', rule, 'fwmark', fwmk])
 
         self.cli_commit()
@@ -1554,7 +1653,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         self.cli_set(path + ['rule', rule, 'set', 'table', table])
         self.cli_set(path + ['rule', rule, 'inbound-interface', iif])
         for src in sources:
-            self.cli_set(path + ['rule', rule, 'source', src])
+            self.cli_set(path + ['rule', rule, 'source', 'address', src])
 
         self.cli_commit()
 
@@ -1580,8 +1679,8 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         for src in sources:
             for dst in destinations:
                 self.cli_set(path + ['rule', rule, 'set', 'table', table])
-                self.cli_set(path + ['rule', rule, 'source', src])
-                self.cli_set(path + ['rule', rule, 'destination', dst])
+                self.cli_set(path + ['rule', rule, 'source', 'address', src])
+                self.cli_set(path + ['rule', rule, 'destination', 'address', dst])
                 self.cli_set(path + ['rule', rule, 'fwmark', fwmk])
 
         self.cli_commit()
@@ -1605,7 +1704,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         table = '23'
         for src in sources:
             self.cli_set(path + ['rule', rule, 'set', 'table', table])
-            self.cli_set(path + ['rule', rule, 'source', src])
+            self.cli_set(path + ['rule', rule, 'source', 'address', src])
 
         self.cli_commit()
 
@@ -1646,7 +1745,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         table = '154'
 
         self.cli_set(path + ['rule', rule, 'set', 'table', table])
-        self.cli_set(path + ['rule', rule, 'destination', dst])
+        self.cli_set(path + ['rule', rule, 'destination', 'address', dst])
 
         self.cli_commit()
 
@@ -1667,7 +1766,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         table = '150'
         for src in sources:
             self.cli_set(path + ['rule', rule, 'set', 'table', table])
-            self.cli_set(path + ['rule', rule, 'source', src])
+            self.cli_set(path + ['rule', rule, 'source', 'address', src])
             self.cli_set(path + ['rule', rule, 'fwmark', fwmk])
 
         self.cli_commit()
@@ -1690,7 +1789,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         table = '150'
         for src in sources:
             self.cli_set(path + ['rule', rule, 'set', 'table', table])
-            self.cli_set(path + ['rule', rule, 'source', src])
+            self.cli_set(path + ['rule', rule, 'source', 'address', src])
             self.cli_set(path + ['rule', rule, 'inbound-interface', iif])
 
         self.cli_commit()
@@ -1717,8 +1816,8 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         for src in sources:
             for dst in destinations:
                 self.cli_set(path + ['rule', rule, 'set', 'table', table])
-                self.cli_set(path + ['rule', rule, 'source', src])
-                self.cli_set(path + ['rule', rule, 'destination', dst])
+                self.cli_set(path + ['rule', rule, 'source', 'address', src])
+                self.cli_set(path + ['rule', rule, 'destination', 'address', dst])
                 self.cli_set(path + ['rule', rule, 'fwmark', fwmk])
 
         self.cli_commit()
@@ -1748,15 +1847,15 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         for src in sources:
             for dst in destinations:
                 self.cli_set(path + ['rule', rule, 'set', 'table', table])
-                self.cli_set(path + ['rule', rule, 'source', src])
-                self.cli_set(path + ['rule', rule, 'destination', dst])
+                self.cli_set(path + ['rule', rule, 'source', 'address', src])
+                self.cli_set(path + ['rule', rule, 'destination', 'address', dst])
                 self.cli_set(path + ['rule', rule, 'fwmark', fwmk])
 
         for src in sources_v6:
             for dst in destinations_v6:
                 self.cli_set(path_v6 + ['rule', rule, 'set', 'table', table])
-                self.cli_set(path_v6 + ['rule', rule, 'source', src])
-                self.cli_set(path_v6 + ['rule', rule, 'destination', dst])
+                self.cli_set(path_v6 + ['rule', rule, 'source', 'address', src])
+                self.cli_set(path_v6 + ['rule', rule, 'destination', 'address', dst])
                 self.cli_set(path_v6 + ['rule', rule, 'fwmark', fwmk])
 
         self.cli_commit()
@@ -1799,7 +1898,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         table = '151'
         self.cli_set(path + ['rule', rule, 'set', 'table', table])
         for src in sources:
-            self.cli_set(path + ['rule', rule, 'source', src])
+            self.cli_set(path + ['rule', rule, 'source', 'address', src])
 
         self.cli_commit()
 
@@ -1812,7 +1911,7 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
         self.assertEqual(sort_ip(tmp), sort_ip(original_first))
 
         # Create second commit with added destination
-        self.cli_set(path + ['rule', rule, 'destination', destination])
+        self.cli_set(path + ['rule', rule, 'destination', 'address', destination])
         self.cli_commit()
 
         original_second = """
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index d9b64544a..c0b7c1fe7 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
@@ -33,6 +33,9 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
         super(TestPolicyRoute, cls).setUpClass()
+        # Clear out current configuration to allow running this test on a live system
+        cls.cli_delete(cls, ['policy', 'route'])
+        cls.cli_delete(cls, ['policy', 'route6'])
 
         cls.cli_set(cls, ['interfaces', 'ethernet', interface, 'address', interface_ip])
         cls.cli_set(cls, ['protocols', 'static', 'table', table_id, 'route', '0.0.0.0/0', 'interface', interface])
@@ -189,29 +192,35 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
 
 
     def test_pbr_matching_criteria(self):
+        self.cli_set(['policy', 'route', 'smoketest', 'default-log'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'udp'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'action', 'drop'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'mark', '2020'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'protocol', 'tcp'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'tcp', 'flags', 'syn'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'mark', '2-3000'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'set', 'table', table_id])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'source', 'address', '198.51.100.0/24'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'protocol', 'tcp'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'destination', 'port', '22'])
-        self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'state', 'new', 'enable'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'state', 'new'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'ttl', 'gt', '2'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'mark', '!456'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'set', 'table', table_id])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'protocol', 'icmp'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'icmp', 'type-name', 'echo-request'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'packet-length', '128'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'packet-length', '1024-2048'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'packet-type', 'other'])
-        self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'log', 'enable'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'log'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'set', 'table', table_id])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'dscp', '41'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'dscp', '57-59'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'mark', '!456-500'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'set', 'table', table_id])
 
+        self.cli_set(['policy', 'route6', 'smoketest6', 'default-log'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'protocol', 'udp'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'action', 'drop'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '2', 'protocol', 'tcp'])
@@ -221,7 +230,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '3', 'source', 'address', '2001:db8::0/64'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '3', 'protocol', 'tcp'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '3', 'destination', 'port', '22'])
-        self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '3', 'state', 'new', 'enable'])
+        self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '3', 'state', 'new'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '3', 'hop-limit', 'gt', '2'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '3', 'set', 'table', table_id])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '4', 'protocol', 'icmpv6'])
@@ -230,7 +239,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '4', 'packet-length-exclude', '1024-2048'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '4', 'packet-type', 'multicast'])
 
-        self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '4', 'log', 'enable'])
+        self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '4', 'log'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '4', 'set', 'table', table_id])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '5', 'dscp-exclude', '61'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '5', 'dscp-exclude', '14-19'])
@@ -247,11 +256,12 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
         # IPv4
         nftables_search = [
             ['iifname { "' + interface + '", "' + interface_wc + '" }', 'jump VYOS_PBR_UD_smoketest'],
-            ['meta l4proto udp', 'drop'],
-            ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex],
-            ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark set ' + mark_hex],
-            ['meta l4proto icmp', 'log prefix "[smoketest-4-A]"', 'icmp type echo-request', 'ip length { 128, 1024-2048 }', 'meta pkttype other', 'meta mark set ' + mark_hex],
-            ['ip dscp { 0x29, 0x39-0x3b }', 'meta mark set ' + mark_hex]
+            ['meta l4proto udp', 'meta mark 0x000007e4', 'drop'],
+            ['tcp flags syn / syn,ack', 'meta mark 0x00000002-0x00000bb8', 'meta mark set ' + mark_hex],
+            ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark != 0x000001c8', 'meta mark set ' + mark_hex],
+            ['log prefix "[ipv4-route-smoketest-4-A]"', 'icmp type echo-request', 'ip length { 128, 1024-2048 }', 'meta pkttype other', 'meta mark set ' + mark_hex],
+            ['ip dscp { 0x29, 0x39-0x3b }', 'meta mark != 0x000001c8-0x000001f4', 'meta mark set ' + mark_hex],
+            ['log prefix "[ipv4-smoketest-default]"']
         ]
 
         self.verify_nftables(nftables_search, 'ip vyos_mangle')
@@ -262,8 +272,9 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
             ['meta l4proto udp', 'drop'],
             ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex],
             ['ct state new', 'tcp dport 22', 'ip6 saddr 2001:db8::/64', 'ip6 hoplimit > 2', 'meta mark set ' + mark_hex],
-            ['meta l4proto ipv6-icmp', 'log prefix "[smoketest6-4-A]"', 'icmpv6 type echo-request', 'ip6 length != { 128, 1024-2048 }', 'meta pkttype multicast', 'meta mark set ' + mark_hex],
-            ['ip6 dscp != { 0x0e-0x13, 0x3d }', 'meta mark set ' + mark_hex]
+            ['log prefix "[ipv6-route6-smoketest6-4-A]"', 'icmpv6 type echo-request', 'ip6 length != { 128, 1024-2048 }', 'meta pkttype multicast', 'meta mark set ' + mark_hex],
+            ['ip6 dscp != { 0x0e-0x13, 0x3d }', 'meta mark set ' + mark_hex],
+            ['log prefix "[ipv6-smoketest6-default]"']
         ]
 
         self.verify_nftables(nftables6_search, 'ip6 vyos_mangle')
diff --git a/smoketest/scripts/cli/test_protocols_bfd.py b/smoketest/scripts/cli/test_protocols_bfd.py
index 451565664..f209eae3a 100755
--- a/smoketest/scripts/cli/test_protocols_bfd.py
+++ b/smoketest/scripts/cli/test_protocols_bfd.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -77,11 +77,23 @@ profiles = {
 }
 
 class TestProtocolsBFD(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestProtocolsBFD, cls).setUpClass()
+
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
     def tearDown(self):
         self.cli_delete(base_path)
         self.cli_commit()
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
+
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
 
     def test_bfd_peer(self):
         self.cli_set(['vrf', 'name', vrf_name, 'table', '1000'])
diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py
index 77952d8d9..d5efae12c 100755
--- a/smoketest/scripts/cli/test_protocols_bgp.py
+++ b/smoketest/scripts/cli/test_protocols_bgp.py
@@ -16,12 +16,15 @@
 
 import unittest
 
+from time import sleep
+
 from base_vyostest_shim import VyOSUnitTestSHIM
 
 from vyos.ifconfig import Section
 from vyos.configsession import ConfigSessionError
 from vyos.template import is_ipv6
 from vyos.utils.process import process_named_running
+from vyos.utils.process import cmd
 
 PROCESS_NAME = 'bgpd'
 ASN = '64512'
@@ -44,6 +47,7 @@ neighbor_config = {
         'bfd'              : '',
         'cap_dynamic'      : '',
         'cap_ext_next'     : '',
+        'cap_ext_sver'     : '',
         'remote_as'        : '100',
         'adv_interv'       : '400',
         'passive'          : '',
@@ -71,6 +75,7 @@ neighbor_config = {
         'pfx_list_out'     : prefix_list_out,
         'no_send_comm_std' : '',
         'local_role'       : 'rs-client',
+        'p_attr_taw'       : '200',
         },
     '192.0.2.3' : {
         'advertise_map'    : route_map_in,
@@ -87,6 +92,7 @@ neighbor_config = {
         'exist_map'        : route_map_out,
         'cap_dynamic'      : '',
         'cap_ext_next'     : '',
+        'cap_ext_sver'     : '',
         'remote_as'        : '123',
         'adv_interv'       : '400',
         'passive'          : '',
@@ -137,6 +143,7 @@ peer_group_config = {
         'remote_as'        : '111',
         'graceful_rst_no'  : '',
         'port'             : '667',
+        'p_attr_taw'       : '126',
         },
     'foo-bar' : {
         'advertise_map'    : route_map_in,
@@ -170,9 +177,16 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
     def setUpClass(cls):
         super(TestProtocolsBGP, cls).setUpClass()
 
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
+
         # ensure we can also run this test on a live system - so lets clean
         # out the current configuration :)
         cls.cli_delete(cls, base_path)
+        cls.cli_delete(cls, ['policy', 'route-map'])
+        cls.cli_delete(cls, ['policy', 'prefix-list'])
+        cls.cli_delete(cls, ['policy', 'prefix-list6'])
+        cls.cli_delete(cls, ['vrf'])
 
         cls.cli_set(cls, ['policy', 'route-map', route_map_in, 'rule', '10', 'action', 'permit'])
         cls.cli_set(cls, ['policy', 'route-map', route_map_out, 'rule', '10', 'action', 'permit'])
@@ -188,18 +202,23 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
 
     @classmethod
     def tearDownClass(cls):
-        cls.cli_delete(cls, ['policy'])
+        cls.cli_delete(cls, ['policy', 'route-map'])
+        cls.cli_delete(cls, ['policy', 'prefix-list'])
+        cls.cli_delete(cls, ['policy', 'prefix-list6'])
 
     def setUp(self):
         self.cli_set(base_path + ['system-as', ASN])
 
     def tearDown(self):
+        # cleanup any possible VRF mess
         self.cli_delete(['vrf'])
+        # always destrox the entire bgpd configuration to make the processes
+        # life as hard as possible
         self.cli_delete(base_path)
         self.cli_commit()
 
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
 
     def create_bgp_instances_for_import_test(self):
         table = '1000'
@@ -217,6 +236,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
             self.assertIn(f' neighbor {peer} capability dynamic', frrconfig)
         if 'cap_ext_next' in peer_config:
             self.assertIn(f' neighbor {peer} capability extended-nexthop', frrconfig)
+        if 'cap_ext_sver' in peer_config:
+            self.assertIn(f' neighbor {peer} capability software-version', frrconfig)
         if 'description' in peer_config:
             self.assertIn(f' neighbor {peer} description {peer_config["description"]}', frrconfig)
         if 'no_cap_nego' in peer_config:
@@ -264,6 +285,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
             self.assertIn(f' neighbor {peer} addpath-tx-all-paths', frrconfig)
         if 'p_attr_discard' in peer_config:
             self.assertIn(f' neighbor {peer} path-attribute discard {peer_config["p_attr_discard"]}', frrconfig)
+        if 'p_attr_taw' in peer_config:
+            self.assertIn(f' neighbor {peer} path-attribute treat-as-withdraw {peer_config["p_attr_taw"]}', frrconfig)
         if 'addpath_per_as' in peer_config:
             self.assertIn(f' neighbor {peer} addpath-tx-bestpath-per-AS', frrconfig)
         if 'advertise_map' in peer_config:
@@ -332,6 +355,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
         # AFI maximum path support
         self.cli_set(base_path + ['address-family', 'ipv4-unicast', 'maximum-paths', 'ebgp', max_path_v4])
         self.cli_set(base_path + ['address-family', 'ipv4-unicast', 'maximum-paths', 'ibgp', max_path_v4ibgp])
+        self.cli_set(base_path + ['address-family', 'ipv4-labeled-unicast', 'maximum-paths', 'ebgp', max_path_v4])
+        self.cli_set(base_path + ['address-family', 'ipv4-labeled-unicast', 'maximum-paths', 'ibgp', max_path_v4ibgp])
         self.cli_set(base_path + ['address-family', 'ipv6-unicast', 'maximum-paths', 'ebgp', max_path_v6])
         self.cli_set(base_path + ['address-family', 'ipv6-unicast', 'maximum-paths', 'ibgp', max_path_v6ibgp])
 
@@ -365,6 +390,10 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
         self.assertIn(f'  maximum-paths {max_path_v4}', afiv4_config)
         self.assertIn(f'  maximum-paths ibgp {max_path_v4ibgp}', afiv4_config)
 
+        afiv4_config = self.getFRRconfig(' address-family ipv4 labeled-unicast')
+        self.assertIn(f'  maximum-paths {max_path_v4}', afiv4_config)
+        self.assertIn(f'  maximum-paths ibgp {max_path_v4ibgp}', afiv4_config)
+
         afiv6_config = self.getFRRconfig(' address-family ipv6 unicast')
         self.assertIn(f'  maximum-paths {max_path_v6}', afiv6_config)
         self.assertIn(f'  maximum-paths ibgp {max_path_v6ibgp}', afiv6_config)
@@ -390,6 +419,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
                 self.cli_set(base_path + ['neighbor', peer, 'capability', 'dynamic'])
             if 'cap_ext_next' in peer_config:
                 self.cli_set(base_path + ['neighbor', peer, 'capability', 'extended-nexthop'])
+            if 'cap_ext_sver' in peer_config:
+                self.cli_set(base_path + ['neighbor', peer, 'capability', 'software-version'])
             if 'description' in peer_config:
                 self.cli_set(base_path + ['neighbor', peer, 'description', peer_config["description"]])
             if 'no_cap_nego' in peer_config:
@@ -424,6 +455,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
                 self.cli_set(base_path + ['neighbor', peer, 'update-source', peer_config["update_src"]])
             if 'p_attr_discard' in peer_config:
                 self.cli_set(base_path + ['neighbor', peer, 'path-attribute', 'discard', peer_config["p_attr_discard"]])
+            if 'p_attr_taw' in peer_config:
+                self.cli_set(base_path + ['neighbor', peer, 'path-attribute', 'treat-as-withdraw', peer_config["p_attr_taw"]])
             if 'route_map_in' in peer_config:
                 self.cli_set(base_path + ['neighbor', peer, 'address-family', afi, 'route-map', 'import', peer_config["route_map_in"]])
             if 'route_map_out' in peer_config:
@@ -490,6 +523,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
                 self.cli_set(base_path + ['peer-group', peer_group, 'capability', 'dynamic'])
             if 'cap_ext_next' in config:
                 self.cli_set(base_path + ['peer-group', peer_group, 'capability', 'extended-nexthop'])
+            if 'cap_ext_sver' in config:
+                self.cli_set(base_path + ['peer-group', peer_group, 'capability', 'software-version'])
             if 'description' in config:
                 self.cli_set(base_path + ['peer-group', peer_group, 'description', config["description"]])
             if 'no_cap_nego' in config:
@@ -544,6 +579,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
                 self.cli_set(base_path + ['peer-group', peer_group, 'disable-connected-check'])
             if 'p_attr_discard' in config:
                 self.cli_set(base_path + ['peer-group', peer_group, 'path-attribute', 'discard', config["p_attr_discard"]])
+            if 'p_attr_taw' in config:
+                self.cli_set(base_path + ['peer-group', peer_group, 'path-attribute', 'treat-as-withdraw', config["p_attr_taw"]])
 
             # Conditional advertisement
             if 'advertise_map' in config:
@@ -706,15 +743,25 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
     def test_bgp_07_l2vpn_evpn(self):
         vnis = ['10010', '10020', '10030']
         neighbors = ['192.0.2.10', '192.0.2.20', '192.0.2.30']
+        evi_limit = '1000'
+        route_targets = ['1.1.1.1:100', '1.1.1.1:200', '1.1.1.1:300']
 
         self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'advertise-all-vni'])
         self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'advertise-default-gw'])
         self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'advertise-svi-ip'])
         self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'flooding', 'disable'])
+        self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'default-originate', 'ipv4'])
+        self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'default-originate', 'ipv6'])
+        self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'disable-ead-evi-rx'])
+        self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'disable-ead-evi-tx'])
         for vni in vnis:
             self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'vni', vni, 'advertise-default-gw'])
             self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'vni', vni, 'advertise-svi-ip'])
 
+        self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'ead-es-frag', 'evi-limit', evi_limit])
+        for route_target in route_targets:
+            self.cli_set(base_path + ['address-family', 'l2vpn-evpn', 'ead-es-route-target', 'export', route_target])
+
         # commit changes
         self.cli_commit()
 
@@ -725,12 +772,20 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
         self.assertIn(f'  advertise-all-vni', frrconfig)
         self.assertIn(f'  advertise-default-gw', frrconfig)
         self.assertIn(f'  advertise-svi-ip', frrconfig)
+        self.assertIn(f'  default-originate ipv4', frrconfig)
+        self.assertIn(f'  default-originate ipv6', frrconfig)
+        self.assertIn(f'  disable-ead-evi-rx', frrconfig)
+        self.assertIn(f'  disable-ead-evi-tx', frrconfig)
         self.assertIn(f'  flooding disable', frrconfig)
         for vni in vnis:
             vniconfig = self.getFRRconfig(f'  vni {vni}')
             self.assertIn(f'vni {vni}', vniconfig)
             self.assertIn(f'   advertise-default-gw', vniconfig)
             self.assertIn(f'   advertise-svi-ip', vniconfig)
+        self.assertIn(f'  ead-es-frag evi-limit {evi_limit}', frrconfig)
+        for route_target in route_targets:
+            self.assertIn(f'  ead-es-route-target export {route_target}', frrconfig)
+
 
     def test_bgp_09_distance_and_flowspec(self):
         distance_external = '25'
@@ -1081,5 +1136,112 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
             self.assertIn(f' mpls bgp forwarding', frrconfig)
             self.cli_delete(['interfaces', 'ethernet', interface, 'vrf'])
 
+    def test_bgp_24_srv6_sid(self):
+        locator_name = 'VyOS_foo'
+        sid = 'auto'
+
+        self.cli_set(base_path + ['srv6', 'locator', locator_name])
+        self.cli_set(base_path + ['sid', 'vpn', 'per-vrf', 'export', sid])
+
+        self.cli_commit()
+
+        frrconfig = self.getFRRconfig(f'router bgp {ASN}')
+        self.assertIn(f'router bgp {ASN}', frrconfig)
+        self.assertIn(f' segment-routing srv6', frrconfig)
+        self.assertIn(f'  locator {locator_name}', frrconfig)
+        self.assertIn(f' sid vpn per-vrf export {sid}', frrconfig)
+
+    def test_bgp_25_ipv4_ipv6_labeled_unicast_peer_group(self):
+        pg_ipv4 = 'foo4'
+        pg_ipv6 = 'foo6'
+
+        ipv4_max_prefix = '20'
+        ipv6_max_prefix = '200'
+        ipv4_prefix = '192.0.2.0/24'
+        ipv6_prefix = '2001:db8:1000::/64'
+
+        self.cli_set(base_path + ['listen', 'range', ipv4_prefix, 'peer-group', pg_ipv4])
+        self.cli_set(base_path + ['listen', 'range', ipv6_prefix, 'peer-group', pg_ipv6])
+
+        self.cli_set(base_path + ['peer-group', pg_ipv4, 'address-family', 'ipv4-labeled-unicast', 'maximum-prefix', ipv4_max_prefix])
+        self.cli_set(base_path + ['peer-group', pg_ipv4, 'remote-as', 'external'])
+        self.cli_set(base_path + ['peer-group', pg_ipv6, 'address-family', 'ipv6-labeled-unicast', 'maximum-prefix', ipv6_max_prefix])
+        self.cli_set(base_path + ['peer-group', pg_ipv6, 'remote-as', 'external'])
+
+        self.cli_commit()
+
+        frrconfig = self.getFRRconfig(f'router bgp {ASN}')
+        self.assertIn(f'router bgp {ASN}', frrconfig)
+        self.assertIn(f' neighbor {pg_ipv4} peer-group', frrconfig)
+        self.assertIn(f' neighbor {pg_ipv4} remote-as external', frrconfig)
+        self.assertIn(f' neighbor {pg_ipv6} peer-group', frrconfig)
+        self.assertIn(f' neighbor {pg_ipv6} remote-as external', frrconfig)
+        self.assertIn(f' bgp listen range {ipv4_prefix} peer-group {pg_ipv4}', frrconfig)
+        self.assertIn(f' bgp listen range {ipv6_prefix} peer-group {pg_ipv6}', frrconfig)
+
+        afiv4_config = self.getFRRconfig(' address-family ipv4 labeled-unicast')
+        self.assertIn(f'  neighbor {pg_ipv4} activate', afiv4_config)
+        self.assertIn(f'  neighbor {pg_ipv4} maximum-prefix {ipv4_max_prefix}', afiv4_config)
+
+        afiv6_config = self.getFRRconfig(' address-family ipv6 labeled-unicast')
+        self.assertIn(f'  neighbor {pg_ipv6} activate', afiv6_config)
+        self.assertIn(f'  neighbor {pg_ipv6} maximum-prefix {ipv6_max_prefix}', afiv6_config)
+
+    def test_bgp_99_bmp(self):
+        target_name = 'instance-bmp'
+        target_address = '127.0.0.1'
+        target_port = '5000'
+        min_retry = '1024'
+        max_retry = '2048'
+        monitor_ipv4 = 'pre-policy'
+        monitor_ipv6 = 'pre-policy'
+        mirror_buffer = '32000000'
+        bmp_path = base_path + ['bmp']
+        target_path = bmp_path + ['target', target_name]
+
+        # by default the 'bmp' module not loaded for the bgpd expect Error
+        self.cli_set(bmp_path)
+        if not process_named_running('bgpd', 'bmp'):
+            with self.assertRaises(ConfigSessionError):
+                self.cli_commit()
+
+        # add required 'bmp' module to bgpd and restart bgpd
+        self.cli_delete(bmp_path)
+        self.cli_set(['system', 'frr', 'bmp'])
+        self.cli_commit()
+
+        # restart bgpd to apply "-M bmp" and update PID
+        cmd(f'sudo kill -9 {self.daemon_pid}')
+        # let the bgpd process recover
+        sleep(10)
+        # update daemon PID - this was a planned daemon restart
+        self.daemon_pid = process_named_running(PROCESS_NAME)
+
+        # set bmp config but not set address
+        self.cli_set(target_path + ['port', target_port])
+        # address is not set, expect Error
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        # config other bmp options
+        self.cli_set(target_path + ['address', target_address])
+        self.cli_set(bmp_path + ['mirror-buffer-limit', mirror_buffer])
+        self.cli_set(target_path + ['port', target_port])
+        self.cli_set(target_path + ['min-retry', min_retry])
+        self.cli_set(target_path + ['max-retry', max_retry])
+        self.cli_set(target_path + ['mirror'])
+        self.cli_set(target_path + ['monitor', 'ipv4-unicast', monitor_ipv4])
+        self.cli_set(target_path + ['monitor', 'ipv6-unicast', monitor_ipv6])
+        self.cli_commit()
+
+        # Verify bgpd bmp configuration
+        frrconfig = self.getFRRconfig(f'router bgp {ASN}')
+        self.assertIn(f'bmp mirror buffer-limit {mirror_buffer}', frrconfig)
+        self.assertIn(f'bmp targets {target_name}', frrconfig)
+        self.assertIn(f'bmp mirror', frrconfig)
+        self.assertIn(f'bmp monitor ipv4 unicast {monitor_ipv4}', frrconfig)
+        self.assertIn(f'bmp monitor ipv6 unicast {monitor_ipv6}', frrconfig)
+        self.assertIn(f'bmp connect {target_address} port {target_port} min-retry {min_retry} max-retry {max_retry}', frrconfig)
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_protocols_igmp-proxy.py b/smoketest/scripts/cli/test_protocols_igmp-proxy.py
index a75003b12..df10442ea 100755
--- a/smoketest/scripts/cli/test_protocols_igmp-proxy.py
+++ b/smoketest/scripts/cli/test_protocols_igmp-proxy.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2019-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -29,14 +29,32 @@ upstream_if = 'eth1'
 downstream_if = 'eth2'
 
 class TestProtocolsIGMPProxy(VyOSUnitTestSHIM.TestCase):
-    def setUp(self):
-        self.cli_set(['interfaces', 'ethernet', upstream_if, 'address', '172.16.1.1/24'])
+    @classmethod
+    def setUpClass(cls):
+        # call base-classes classmethod
+        super(TestProtocolsIGMPProxy, cls).setUpClass()
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+        cls.cli_set(cls, ['interfaces', 'ethernet', upstream_if, 'address', '172.16.1.1/24'])
+
+    @classmethod
+    def tearDownClass(cls):
+        cls.cli_delete(cls, ['interfaces', 'ethernet', upstream_if, 'address'])
+
+        # call base-classes classmethod
+        super(TestProtocolsIGMPProxy, cls).tearDownClass()
 
     def tearDown(self):
-        self.cli_delete(['interfaces', 'ethernet', upstream_if, 'address'])
+        # Check for running process
+        self.assertTrue(process_named_running(PROCESS_NAME))
+
         self.cli_delete(base_path)
         self.cli_commit()
 
+        # Check for no longer running process
+        self.assertFalse(process_named_running(PROCESS_NAME))
+
     def test_igmpproxy(self):
         threshold = '20'
         altnet = '192.0.2.0/24'
@@ -74,8 +92,5 @@ class TestProtocolsIGMPProxy(VyOSUnitTestSHIM.TestCase):
         self.assertIn(f'whitelist {whitelist}', config)
         self.assertIn(f'phyint {downstream_if} downstream ratelimit 0 threshold 1', config)
 
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
-
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_protocols_isis.py b/smoketest/scripts/cli/test_protocols_isis.py
index 5ab7fae14..94f4ec5c9 100755
--- a/smoketest/scripts/cli/test_protocols_isis.py
+++ b/smoketest/scripts/cli/test_protocols_isis.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2022 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -31,20 +31,25 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
         cls._interfaces = Section.interfaces('ethernet')
-
         # call base-classes classmethod
         super(TestProtocolsISIS, cls).setUpClass()
-
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
         # ensure we can also run this test on a live system - so lets clean
         # out the current configuration :)
         cls.cli_delete(cls, base_path)
+        cls.cli_delete(cls, ['vrf'])
 
     def tearDown(self):
+        # cleanup any possible VRF mess
+        self.cli_delete(['vrf'])
+        # always destrox the entire isisd configuration to make the processes
+        # life as hard as possible
         self.cli_delete(base_path)
         self.cli_commit()
 
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
 
     def isis_base_config(self):
         self.cli_set(base_path + ['net', net])
@@ -100,6 +105,8 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase):
         self.cli_set(vrf_base + ['table', table])
         self.cli_set(vrf_base + ['protocols', 'isis', 'net', net])
         self.cli_set(vrf_base + ['protocols', 'isis', 'interface', vrf_iface])
+        self.cli_set(vrf_base + ['protocols', 'isis', 'advertise-high-metrics'])
+        self.cli_set(vrf_base + ['protocols', 'isis', 'advertise-passive-only'])
         self.cli_set(['interfaces', 'ethernet', vrf_iface, 'vrf', vrf])
 
         # Also set a default VRF IS-IS config
@@ -115,6 +122,8 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase):
         tmp = self.getFRRconfig(f'router isis {domain} vrf {vrf}', daemon='isisd')
         self.assertIn(f'router isis {domain} vrf {vrf}', tmp)
         self.assertIn(f' net {net}', tmp)
+        self.assertIn(f' advertise-high-metrics', tmp)
+        self.assertIn(f' advertise-passive-only', tmp)
 
         self.cli_delete(['vrf', 'name', vrf])
         self.cli_delete(['interfaces', 'ethernet', vrf_iface, 'vrf'])
@@ -320,5 +329,65 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase):
             self.assertIn(f' ipv6 router isis {domain}', tmp)
             self.assertIn(f' no isis mpls ldp-sync', tmp)
 
+    def test_isis_09_lfa(self):
+        prefix_list = 'lfa-prefix-list-test-1'
+        prefix_list_address = '192.168.255.255/32'
+        interface = 'lo'
+
+        self.cli_set(base_path + ['net', net])
+        self.cli_set(base_path + ['interface', interface])
+        self.cli_set(['policy', 'prefix-list', prefix_list, 'rule', '1', 'action', 'permit'])
+        self.cli_set(['policy', 'prefix-list', prefix_list, 'rule', '1', 'prefix', prefix_list_address])
+        
+        # Commit main ISIS changes
+        self.cli_commit()
+
+        # Add remote portion of LFA with prefix list with validation
+        for level in ['level-1', 'level-2']:
+            self.cli_set(base_path + ['fast-reroute', 'lfa', 'remote', 'prefix-list', prefix_list, level])
+            self.cli_commit()
+            tmp = self.getFRRconfig(f'router isis {domain}', daemon='isisd')
+            self.assertIn(f' net {net}', tmp)
+            self.assertIn(f' fast-reroute remote-lfa prefix-list {prefix_list} {level}', tmp)
+            self.cli_delete(base_path + ['fast-reroute'])
+            self.cli_commit()
+
+        # Add local portion of LFA load-sharing portion with validation
+        for level in ['level-1', 'level-2']:
+            self.cli_set(base_path + ['fast-reroute', 'lfa', 'local', 'load-sharing', 'disable', level])
+            self.cli_commit()
+            tmp = self.getFRRconfig(f'router isis {domain}', daemon='isisd')
+            self.assertIn(f' net {net}', tmp)
+            self.assertIn(f' fast-reroute load-sharing disable {level}', tmp)
+            self.cli_delete(base_path + ['fast-reroute'])
+            self.cli_commit()
+
+        # Add local portion of LFA priority-limit portion with validation
+        for priority in ['critical', 'high', 'medium']:
+            for level in ['level-1', 'level-2']:
+                self.cli_set(base_path + ['fast-reroute', 'lfa', 'local', 'priority-limit', priority, level])
+                self.cli_commit()
+                tmp = self.getFRRconfig(f'router isis {domain}', daemon='isisd')
+                self.assertIn(f' net {net}', tmp)
+                self.assertIn(f' fast-reroute priority-limit {priority} {level}', tmp)
+                self.cli_delete(base_path + ['fast-reroute'])
+                self.cli_commit()
+
+        # Add local portion of LFA tiebreaker portion with validation
+        index = '100'
+        for tiebreaker in ['downstream','lowest-backup-metric','node-protecting']:
+            for level in ['level-1', 'level-2']:
+                self.cli_set(base_path + ['fast-reroute', 'lfa', 'local', 'tiebreaker', tiebreaker, 'index', index, level])
+                self.cli_commit()
+                tmp = self.getFRRconfig(f'router isis {domain}', daemon='isisd')
+                self.assertIn(f' net {net}', tmp)
+                self.assertIn(f' fast-reroute lfa tiebreaker {tiebreaker} index {index} {level}', tmp)
+                self.cli_delete(base_path + ['fast-reroute'])
+                self.cli_commit()
+
+        # Clean up and remove prefix list
+        self.cli_delete(['policy', 'prefix-list', prefix_list])
+        self.cli_commit()
+
 if __name__ == '__main__':
-    unittest.main(verbosity=2)
+    unittest.main(verbosity=2)
\ No newline at end of file
diff --git a/smoketest/scripts/cli/test_protocols_mpls.py b/smoketest/scripts/cli/test_protocols_mpls.py
index 06f21c6e1..0c1599f9b 100755
--- a/smoketest/scripts/cli/test_protocols_mpls.py
+++ b/smoketest/scripts/cli/test_protocols_mpls.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -70,6 +70,9 @@ class TestProtocolsMPLS(VyOSUnitTestSHIM.TestCase):
     def setUpClass(cls):
         super(TestProtocolsMPLS, cls).setUpClass()
 
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
+
         # ensure we can also run this test on a live system - so lets clean
         # out the current configuration :)
         cls.cli_delete(cls, base_path)
@@ -77,8 +80,9 @@ class TestProtocolsMPLS(VyOSUnitTestSHIM.TestCase):
     def tearDown(self):
         self.cli_delete(base_path)
         self.cli_commit()
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
+
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
 
     def test_mpls_basic(self):
         router_id = '1.2.3.4'
diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py
index a6850db71..6bffc7c45 100755
--- a/smoketest/scripts/cli/test_protocols_ospf.py
+++ b/smoketest/scripts/cli/test_protocols_ospf.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2022 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -32,6 +32,9 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
     def setUpClass(cls):
         super(TestProtocolsOSPF, cls).setUpClass()
 
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
+
         cls.cli_set(cls, ['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit'])
         cls.cli_set(cls, ['policy', 'route-map', route_map, 'rule', '20', 'action', 'permit'])
 
@@ -45,11 +48,12 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
         super(TestProtocolsOSPF, cls).tearDownClass()
 
     def tearDown(self):
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
         self.cli_delete(base_path)
         self.cli_commit()
 
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
+
     def test_ospf_01_defaults(self):
         # commit changes
         self.cli_set(base_path)
diff --git a/smoketest/scripts/cli/test_protocols_ospfv3.py b/smoketest/scripts/cli/test_protocols_ospfv3.py
index 0d6c6c691..4ae7f05d9 100755
--- a/smoketest/scripts/cli/test_protocols_ospfv3.py
+++ b/smoketest/scripts/cli/test_protocols_ospfv3.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2022 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -35,6 +35,9 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
     def setUpClass(cls):
         super(TestProtocolsOSPFv3, cls).setUpClass()
 
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
+
         cls.cli_set(cls, ['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit'])
         cls.cli_set(cls, ['policy', 'route-map', route_map, 'rule', '20', 'action', 'permit'])
 
@@ -48,11 +51,12 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
         super(TestProtocolsOSPFv3, cls).tearDownClass()
 
     def tearDown(self):
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
         self.cli_delete(base_path)
         self.cli_commit()
 
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
+
     def test_ospfv3_01_basic(self):
         seq = '10'
         prefix = '2001:db8::/32'
diff --git a/smoketest/scripts/cli/test_protocols_pim.py b/smoketest/scripts/cli/test_protocols_pim.py
new file mode 100755
index 000000000..ccfced138
--- /dev/null
+++ b/smoketest/scripts/cli/test_protocols_pim.py
@@ -0,0 +1,192 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+
+from vyos.configsession import ConfigSessionError
+from vyos.ifconfig import Section
+from vyos.utils.process import process_named_running
+
+PROCESS_NAME = 'pimd'
+base_path = ['protocols', 'pim']
+
+class TestProtocolsPIM(VyOSUnitTestSHIM.TestCase):
+    def tearDown(self):
+        # pimd process must be running
+        self.assertTrue(process_named_running(PROCESS_NAME))
+
+        self.cli_delete(base_path)
+        self.cli_commit()
+
+        # pimd process must be stopped by now
+        self.assertFalse(process_named_running(PROCESS_NAME))
+
+    def test_01_pim_basic(self):
+        rp = '127.0.0.1'
+        group = '224.0.0.0/4'
+        hello = '100'
+        dr_priority = '64'
+
+        self.cli_set(base_path + ['rp', 'address', rp, 'group', group])
+
+        interfaces = Section.interfaces('ethernet')
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface , 'bfd'])
+            self.cli_set(base_path + ['interface', interface , 'dr-priority', dr_priority])
+            self.cli_set(base_path + ['interface', interface , 'hello', hello])
+            self.cli_set(base_path + ['interface', interface , 'no-bsm'])
+            self.cli_set(base_path + ['interface', interface , 'no-unicast-bsm'])
+            self.cli_set(base_path + ['interface', interface , 'passive'])
+
+        # commit changes
+        self.cli_commit()
+
+        # Verify FRR pimd configuration
+        frrconfig = self.getFRRconfig(daemon=PROCESS_NAME)
+        self.assertIn(f'ip pim rp {rp} {group}', frrconfig)
+
+        for interface in interfaces:
+            frrconfig = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
+            self.assertIn(f'interface {interface}', frrconfig)
+            self.assertIn(f' ip pim', frrconfig)
+            self.assertIn(f' ip pim bfd', frrconfig)
+            self.assertIn(f' ip pim drpriority {dr_priority}', frrconfig)
+            self.assertIn(f' ip pim hello {hello}', frrconfig)
+            self.assertIn(f' no ip pim bsm', frrconfig)
+            self.assertIn(f' no ip pim unicast-bsm', frrconfig)
+            self.assertIn(f' ip pim passive', frrconfig)
+
+        self.cli_commit()
+
+    def test_02_pim_advanced(self):
+        rp = '127.0.0.2'
+        group = '224.0.0.0/4'
+        join_prune_interval = '123'
+        rp_keep_alive_timer = '190'
+        keep_alive_timer = '180'
+        packets = '10'
+        prefix_list = 'pim-test'
+        register_suppress_time = '300'
+
+        self.cli_set(base_path + ['rp', 'address', rp, 'group', group])
+        self.cli_set(base_path + ['rp', 'keep-alive-timer', rp_keep_alive_timer])
+
+        self.cli_set(base_path + ['ecmp', 'rebalance'])
+        self.cli_set(base_path + ['join-prune-interval', join_prune_interval])
+        self.cli_set(base_path + ['keep-alive-timer', keep_alive_timer])
+        self.cli_set(base_path + ['packets', packets])
+        self.cli_set(base_path + ['register-accept-list', 'prefix-list', prefix_list])
+        self.cli_set(base_path + ['register-suppress-time', register_suppress_time])
+        self.cli_set(base_path + ['no-v6-secondary'])
+        self.cli_set(base_path + ['spt-switchover', 'infinity-and-beyond', 'prefix-list', prefix_list])
+        self.cli_set(base_path + ['ssm', 'prefix-list', prefix_list])
+
+        # check validate() - PIM require defined interfaces!
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        interfaces = Section.interfaces('ethernet')
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface])
+
+        # commit changes
+        self.cli_commit()
+
+        # Verify FRR pimd configuration
+        frrconfig = self.getFRRconfig(daemon=PROCESS_NAME)
+        self.assertIn(f'ip pim rp {rp} {group}', frrconfig)
+        self.assertIn(f'ip pim rp keep-alive-timer {rp_keep_alive_timer}', frrconfig)
+        self.assertIn(f'ip pim ecmp rebalance', frrconfig)
+        self.assertIn(f'ip pim join-prune-interval {join_prune_interval}', frrconfig)
+        self.assertIn(f'ip pim keep-alive-timer {keep_alive_timer}', frrconfig)
+        self.assertIn(f'ip pim packets {packets}', frrconfig)
+        self.assertIn(f'ip pim register-accept-list {prefix_list}', frrconfig)
+        self.assertIn(f'ip pim register-suppress-time {register_suppress_time}', frrconfig)
+        self.assertIn(f'no ip pim send-v6-secondary', frrconfig)
+        self.assertIn(f'ip pim spt-switchover infinity-and-beyond prefix-list {prefix_list}', frrconfig)
+        self.assertIn(f'ip pim ssm prefix-list {prefix_list}', frrconfig)
+
+    def test_03_pim_igmp_proxy(self):
+        igmp_proxy = ['protocols', 'igmp-proxy']
+        rp = '127.0.0.1'
+        group = '224.0.0.0/4'
+
+        self.cli_set(base_path)
+        self.cli_set(igmp_proxy)
+
+        # check validate() - can not set both IGMP proxy and PIM
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        self.cli_delete(igmp_proxy)
+
+        self.cli_set(base_path + ['rp', 'address', rp, 'group', group])
+        interfaces = Section.interfaces('ethernet')
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface , 'bfd'])
+
+        # commit changes
+        self.cli_commit()
+
+    def test_04_igmp(self):
+        watermark_warning = '2000'
+        query_interval = '1000'
+        query_max_response_time = '200'
+        version = '2'
+
+        igmp_join = {
+            '224.1.1.1' : { 'source' : ['1.1.1.1', '2.2.2.2', '3.3.3.3'] },
+            '224.1.2.2' : { 'source' : [] },
+            '224.1.3.3' : {},
+        }
+
+        self.cli_set(base_path + ['igmp', 'watermark-warning', watermark_warning])
+        interfaces = Section.interfaces('ethernet')
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface , 'igmp', 'version', version])
+            self.cli_set(base_path + ['interface', interface , 'igmp', 'query-interval', query_interval])
+            self.cli_set(base_path + ['interface', interface , 'igmp', 'query-max-response-time', query_max_response_time])
+
+            for join, join_config in igmp_join.items():
+                self.cli_set(base_path + ['interface', interface , 'igmp', 'join', join])
+                if 'source' in join_config:
+                    for source in join_config['source']:
+                        self.cli_set(base_path + ['interface', interface , 'igmp', 'join', join, 'source-address', source])
+
+        self.cli_commit()
+
+        frrconfig = self.getFRRconfig(daemon=PROCESS_NAME)
+        self.assertIn(f'ip igmp watermark-warn {watermark_warning}', frrconfig)
+
+        for interface in interfaces:
+            frrconfig = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
+            self.assertIn(f'interface {interface}', frrconfig)
+            self.assertIn(f' ip igmp', frrconfig)
+            self.assertIn(f' ip igmp version {version}', frrconfig)
+            self.assertIn(f' ip igmp query-interval {query_interval}', frrconfig)
+            self.assertIn(f' ip igmp query-max-response-time {query_max_response_time}', frrconfig)
+
+            for join, join_config in igmp_join.items():
+                if 'source' in join_config:
+                    for source in join_config['source']:
+                        self.assertIn(f' ip igmp join {join} {source}', frrconfig)
+                else:
+                    self.assertIn(f' ip igmp join {join}', frrconfig)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_protocols_pim6.py b/smoketest/scripts/cli/test_protocols_pim6.py
new file mode 100755
index 000000000..ba24edca2
--- /dev/null
+++ b/smoketest/scripts/cli/test_protocols_pim6.py
@@ -0,0 +1,146 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+from vyos.configsession import ConfigSessionError
+from vyos.ifconfig import Section
+from vyos.utils.process import process_named_running
+
+PROCESS_NAME = 'pim6d'
+base_path = ['protocols', 'pim6']
+
+class TestProtocolsPIMv6(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        # call base-classes classmethod
+        super(TestProtocolsPIMv6, cls).setUpClass()
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+    def tearDown(self):
+        self.cli_delete(base_path)
+        self.cli_commit()
+
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
+
+    def test_pim6_01_mld_simple(self):
+        # commit changes
+        interfaces = Section.interfaces('ethernet')
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface])
+
+        self.cli_commit()
+
+        # Verify FRR pim6d configuration
+        for interface in interfaces:
+            config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
+            self.assertIn(f'interface {interface}', config)
+            self.assertIn(f' ipv6 mld', config)
+            self.assertNotIn(f' ipv6 mld version 1', config)
+
+        # Change to MLD version 1
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'mld', 'version', '1'])
+
+        self.cli_commit()
+
+        # Verify FRR pim6d configuration
+        for interface in interfaces:
+            config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
+            self.assertIn(f'interface {interface}', config)
+            self.assertIn(f' ipv6 mld', config)
+            self.assertIn(f' ipv6 mld version 1', config)
+
+    def test_pim6_02_mld_join(self):
+        interfaces = Section.interfaces('ethernet')
+        # Use an invalid multicast group address
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'mld', 'join', 'fd00::1234'])
+
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_delete(base_path + ['interface'])
+
+        # Use a valid multicast group address
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'mld', 'join', 'ff18::1234'])
+
+        self.cli_commit()
+
+        # Verify FRR pim6d configuration
+        for interface in interfaces:
+            config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
+            self.assertIn(f'interface {interface}', config)
+            self.assertIn(f' ipv6 mld join ff18::1234', config)
+
+        # Join a source-specific multicast group
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'mld', 'join', 'ff38::5678', 'source', '2001:db8::5678'])
+
+        self.cli_commit()
+
+        # Verify FRR pim6d configuration
+        for interface in interfaces:
+            config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
+            self.assertIn(f'interface {interface}', config)
+            self.assertIn(f' ipv6 mld join ff38::5678 2001:db8::5678', config)
+
+    def test_pim6_03_basic(self):
+        interfaces = Section.interfaces('ethernet')
+        join_prune_interval = '123'
+        keep_alive_timer = '77'
+        packets = '5'
+        register_suppress_time = '99'
+        dr_priority = '100'
+        hello = '50'
+
+        self.cli_set(base_path + ['join-prune-interval', join_prune_interval])
+        self.cli_set(base_path + ['keep-alive-timer', keep_alive_timer])
+        self.cli_set(base_path + ['packets', packets])
+        self.cli_set(base_path + ['register-suppress-time', register_suppress_time])
+
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'dr-priority', dr_priority])
+            self.cli_set(base_path + ['interface', interface, 'hello', hello])
+            self.cli_set(base_path + ['interface', interface, 'no-bsm'])
+            self.cli_set(base_path + ['interface', interface, 'no-unicast-bsm'])
+            self.cli_set(base_path + ['interface', interface, 'passive'])
+
+        self.cli_commit()
+
+        # Verify FRR pim6d configuration
+        config = self.getFRRconfig(daemon=PROCESS_NAME)
+        self.assertIn(f'ipv6 pim join-prune-interval {join_prune_interval}', config)
+        self.assertIn(f'ipv6 pim keep-alive-timer {keep_alive_timer}', config)
+        self.assertIn(f'ipv6 pim packets {packets}', config)
+        self.assertIn(f'ipv6 pim register-suppress-time {register_suppress_time}', config)
+
+        for interface in interfaces:
+            config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
+            self.assertIn(f' ipv6 pim drpriority {dr_priority}', config)
+            self.assertIn(f' ipv6 pim hello {hello}', config)
+            self.assertIn(f' no ipv6 pim bsm', config)
+            self.assertIn(f' no ipv6 pim unicast-bsm', config)
+            self.assertIn(f' ipv6 pim passive', config)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_protocols_rip.py b/smoketest/scripts/cli/test_protocols_rip.py
index 925499fc8..bfc327fd4 100755
--- a/smoketest/scripts/cli/test_protocols_rip.py
+++ b/smoketest/scripts/cli/test_protocols_rip.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -34,7 +34,8 @@ class TestProtocolsRIP(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
         super(TestProtocolsRIP, cls).setUpClass()
-
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
         # ensure we can also run this test on a live system - so lets clean
         # out the current configuration :)
         cls.cli_delete(cls, base_path)
@@ -65,8 +66,8 @@ class TestProtocolsRIP(VyOSUnitTestSHIM.TestCase):
         self.cli_delete(base_path)
         self.cli_commit()
 
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
 
     def test_rip_01_parameters(self):
         distance = '40'
diff --git a/smoketest/scripts/cli/test_protocols_ripng.py b/smoketest/scripts/cli/test_protocols_ripng.py
index 0a8ce7eef..0cfb065c6 100755
--- a/smoketest/scripts/cli/test_protocols_ripng.py
+++ b/smoketest/scripts/cli/test_protocols_ripng.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -31,28 +31,43 @@ route_map = 'FooBar123'
 base_path = ['protocols', 'ripng']
 
 class TestProtocolsRIPng(VyOSUnitTestSHIM.TestCase):
-    def setUp(self):
-        self.cli_set(['policy', 'access-list6', acl_in, 'rule', '10', 'action', 'permit'])
-        self.cli_set(['policy', 'access-list6', acl_in, 'rule', '10', 'source', 'any'])
-        self.cli_set(['policy', 'access-list6', acl_out, 'rule', '20', 'action', 'deny'])
-        self.cli_set(['policy', 'access-list6', acl_out, 'rule', '20', 'source', 'any'])
-        self.cli_set(['policy', 'prefix-list6', prefix_list_in, 'rule', '100', 'action', 'permit'])
-        self.cli_set(['policy', 'prefix-list6', prefix_list_in, 'rule', '100', 'prefix', '2001:db8::/32'])
-        self.cli_set(['policy', 'prefix-list6', prefix_list_out, 'rule', '200', 'action', 'deny'])
-        self.cli_set(['policy', 'prefix-list6', prefix_list_out, 'rule', '200', 'prefix', '2001:db8::/32'])
-        self.cli_set(['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit'])
+    @classmethod
+    def setUpClass(cls):
+        # call base-classes classmethod
+        super(TestProtocolsRIPng, cls).setUpClass()
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+        cls.cli_set(cls, ['policy', 'access-list6', acl_in, 'rule', '10', 'action', 'permit'])
+        cls.cli_set(cls, ['policy', 'access-list6', acl_in, 'rule', '10', 'source', 'any'])
+        cls.cli_set(cls, ['policy', 'access-list6', acl_out, 'rule', '20', 'action', 'deny'])
+        cls.cli_set(cls, ['policy', 'access-list6', acl_out, 'rule', '20', 'source', 'any'])
+        cls.cli_set(cls, ['policy', 'prefix-list6', prefix_list_in, 'rule', '100', 'action', 'permit'])
+        cls.cli_set(cls, ['policy', 'prefix-list6', prefix_list_in, 'rule', '100', 'prefix', '2001:db8::/32'])
+        cls.cli_set(cls, ['policy', 'prefix-list6', prefix_list_out, 'rule', '200', 'action', 'deny'])
+        cls.cli_set(cls, ['policy', 'prefix-list6', prefix_list_out, 'rule', '200', 'prefix', '2001:db8::/32'])
+        cls.cli_set(cls, ['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit'])
+
+    @classmethod
+    def tearDownClass(cls):
+        # call base-classes classmethod
+        super(TestProtocolsRIPng, cls).tearDownClass()
+
+        cls.cli_delete(cls, ['policy', 'access-list6', acl_in])
+        cls.cli_delete(cls, ['policy', 'access-list6', acl_out])
+        cls.cli_delete(cls, ['policy', 'prefix-list6', prefix_list_in])
+        cls.cli_delete(cls, ['policy', 'prefix-list6', prefix_list_out])
+        cls.cli_delete(cls, ['policy', 'route-map', route_map])
 
     def tearDown(self):
         self.cli_delete(base_path)
-        self.cli_delete(['policy', 'access-list6', acl_in])
-        self.cli_delete(['policy', 'access-list6', acl_out])
-        self.cli_delete(['policy', 'prefix-list6', prefix_list_in])
-        self.cli_delete(['policy', 'prefix-list6', prefix_list_out])
-        self.cli_delete(['policy', 'route-map', route_map])
         self.cli_commit()
 
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
 
     def test_ripng_01_parameters(self):
         metric = '8'
diff --git a/smoketest/scripts/cli/test_protocols_rpki.py b/smoketest/scripts/cli/test_protocols_rpki.py
index f4aedcbc3..ab3f076ac 100755
--- a/smoketest/scripts/cli/test_protocols_rpki.py
+++ b/smoketest/scripts/cli/test_protocols_rpki.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -31,6 +31,16 @@ rpki_ssh_key = '/config/auth/id_rsa_rpki'
 rpki_ssh_pub = f'{rpki_ssh_key}.pub'
 
 class TestProtocolsRPKI(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        # call base-classes classmethod
+        super(TestProtocolsRPKI, cls).setUpClass()
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
     def tearDown(self):
         self.cli_delete(base_path)
         self.cli_commit()
@@ -39,8 +49,8 @@ class TestProtocolsRPKI(VyOSUnitTestSHIM.TestCase):
         # frrconfig = self.getFRRconfig('rpki')
         # self.assertNotIn('rpki', frrconfig)
 
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
 
     def test_rpki(self):
         polling = '7200'
diff --git a/smoketest/scripts/cli/test_protocols_segment-routing.py b/smoketest/scripts/cli/test_protocols_segment-routing.py
new file mode 100755
index 000000000..403c05924
--- /dev/null
+++ b/smoketest/scripts/cli/test_protocols_segment-routing.py
@@ -0,0 +1,112 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+
+from vyos.configsession import ConfigSessionError
+from vyos.ifconfig import Section
+from vyos.utils.process import cmd
+from vyos.utils.process import process_named_running
+from vyos.utils.system import sysctl_read
+
+base_path = ['protocols', 'segment-routing']
+PROCESS_NAME = 'zebra'
+
+class TestProtocolsSegmentRouting(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        # call base-classes classmethod
+        super(TestProtocolsSegmentRouting, cls).setUpClass()
+        # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
+        cls.daemon_pid = process_named_running(PROCESS_NAME)
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+    def tearDown(self):
+        self.cli_delete(base_path)
+        self.cli_commit()
+
+        # check process health and continuity
+        self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
+
+    def test_srv6(self):
+        interfaces = Section.interfaces('ethernet', vlan=False)
+        locators = {
+            'foo' : { 'prefix' : '2001:a::/64' },
+            'foo' : { 'prefix' : '2001:b::/64', 'usid' : {} },
+        }
+
+        for locator, locator_config in locators.items():
+            self.cli_set(base_path + ['srv6', 'locator', locator, 'prefix', locator_config['prefix']])
+            if 'usid' in locator_config:
+                self.cli_set(base_path + ['srv6', 'locator', locator, 'behavior-usid'])
+
+        # verify() - SRv6 should be enabled on at least one interface!
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'srv6'])
+
+        self.cli_commit()
+
+        for interface in interfaces:
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_enabled'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_require_hmac'), '0') # default
+
+        frrconfig = self.getFRRconfig(f'segment-routing', daemon='zebra')
+        self.assertIn(f'segment-routing', frrconfig)
+        self.assertIn(f' srv6', frrconfig)
+        self.assertIn(f'  locators', frrconfig)
+        for locator, locator_config in locators.items():
+            self.assertIn(f'   locator {locator}', frrconfig)
+            self.assertIn(f'    prefix {locator_config["prefix"]} block-len 40 node-len 24 func-bits 16', frrconfig)
+
+    def test_srv6_sysctl(self):
+        interfaces = Section.interfaces('ethernet', vlan=False)
+
+        # HMAC accept
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'srv6'])
+            self.cli_set(base_path + ['interface', interface, 'srv6', 'hmac', 'ignore'])
+        self.cli_commit()
+
+        for interface in interfaces:
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_enabled'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_require_hmac'), '-1') # ignore
+
+        # HMAC drop
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'srv6'])
+            self.cli_set(base_path + ['interface', interface, 'srv6', 'hmac', 'drop'])
+        self.cli_commit()
+
+        for interface in interfaces:
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_enabled'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_require_hmac'), '1') # drop
+
+        # Disable SRv6 on first interface
+        first_if = interfaces[-1]
+        self.cli_delete(base_path + ['interface', first_if])
+        self.cli_commit()
+
+        self.assertEqual(sysctl_read(f'net.ipv6.conf.{first_if}.seg6_enabled'), '0')
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_qos.py b/smoketest/scripts/cli/test_qos.py
index 3743be788..81e7326f8 100755
--- a/smoketest/scripts/cli/test_qos.py
+++ b/smoketest/scripts/cli/test_qos.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2022 VyOS maintainers and contributors
+# Copyright (C) 2022-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -543,5 +543,60 @@ class TestQoS(VyOSUnitTestSHIM.TestCase):
                         dport = int(match_config['dport'])
                         self.assertEqual(f'{dport:x}', filter['options']['match']['value'])
 
+
+    def test_11_shaper(self):
+        bandwidth = 250
+        default_bandwidth = 20
+        default_ceil = 30
+        class_bandwidth = 50
+        class_ceil = 80
+        dst_address = '192.0.2.8/32'
+
+        for interface in self._interfaces:
+            shaper_name = f'qos-shaper-{interface}'
+
+            self.cli_set(base_path + ['interface', interface, 'egress', shaper_name])
+            self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'bandwidth', f'{bandwidth}mbit'])
+            self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'default', 'bandwidth', f'{default_bandwidth}mbit'])
+            self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'default', 'ceiling', f'{default_ceil}mbit'])
+            self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'default', 'queue-type', 'fair-queue'])
+            self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '23', 'bandwidth', f'{class_bandwidth}mbit'])
+            self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '23', 'ceiling', f'{class_ceil}mbit'])
+            self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '23', 'match', '10', 'ip', 'destination', 'address', dst_address])
+
+            bandwidth += 1
+            default_bandwidth += 1
+            default_ceil += 1
+            class_bandwidth += 1
+            class_ceil += 1
+
+        # commit changes
+        self.cli_commit()
+
+        bandwidth = 250
+        default_bandwidth = 20
+        default_ceil = 30
+        class_bandwidth = 50
+        class_ceil = 80
+
+        for interface in self._interfaces:
+            config_entries = (
+                f'root rate {bandwidth}Mbit ceil {bandwidth}Mbit',
+                f'prio 0 rate {class_bandwidth}Mbit ceil {class_ceil}Mbit',
+                f'prio 7 rate {default_bandwidth}Mbit ceil {default_ceil}Mbit'
+            )
+
+            output = cmd(f'tc class show dev {interface}')
+
+            for config_entry in config_entries:
+                self.assertIn(config_entry, output)
+
+            bandwidth += 1
+            default_bandwidth += 1
+            default_ceil += 1
+            class_bandwidth += 1
+            class_ceil += 1
+
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_service_bcast-relay.py b/smoketest/scripts/cli/test_service_broadcast-relay.py
index 87901869e..87901869e 100755
--- a/smoketest/scripts/cli/test_service_bcast-relay.py
+++ b/smoketest/scripts/cli/test_service_broadcast-relay.py
diff --git a/smoketest/scripts/cli/test_service_dns_dynamic.py b/smoketest/scripts/cli/test_service_dns_dynamic.py
index ee8a07b37..ae46b18ba 100755
--- a/smoketest/scripts/cli/test_service_dns_dynamic.py
+++ b/smoketest/scripts/cli/test_service_dns_dynamic.py
@@ -24,16 +24,26 @@ from vyos.configsession import ConfigSessionError
 from vyos.utils.process import cmd
 from vyos.utils.process import process_running
 
+DDCLIENT_SYSTEMD_UNIT = '/run/systemd/system/ddclient.service.d/override.conf'
 DDCLIENT_CONF = '/run/ddclient/ddclient.conf'
 DDCLIENT_PID = '/run/ddclient/ddclient.pid'
+DDCLIENT_PNAME = 'ddclient'
 
 base_path = ['service', 'dns', 'dynamic']
+name_path = base_path + ['name']
+server = 'ddns.vyos.io'
 hostname = 'test.ddns.vyos.io'
 zone = 'vyos.io'
+username = 'vyos_user'
 password = 'paSS_@4ord'
+ttl = '300'
 interface = 'eth0'
 
 class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
+    def setUp(self):
+        # Always start with a clean CLI instance
+        self.cli_delete(base_path)
+
     def tearDown(self):
         # Check for running process
         self.assertTrue(process_running(DDCLIENT_PID))
@@ -47,30 +57,36 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
 
     # IPv4 standard DDNS service configuration
     def test_01_dyndns_service_standard(self):
-        ddns = ['address', interface, 'service']
         services = {'cloudflare': {'protocol': 'cloudflare'},
-                    'freedns': {'protocol': 'freedns', 'username': 'vyos_user'},
-                    'zoneedit': {'protocol': 'zoneedit1', 'username': 'vyos_user'}}
+                    'freedns': {'protocol': 'freedns', 'username': username},
+                    'zoneedit': {'protocol': 'zoneedit1', 'username': username}}
 
         for svc, details in services.items():
-            # Always start with a clean CLI instance
-            self.cli_delete(base_path)
-
-            self.cli_set(base_path + ddns + [svc, 'host-name', hostname])
-            self.cli_set(base_path + ddns + [svc, 'password', password])
-            self.cli_set(base_path + ddns + [svc, 'zone', zone])
+            self.cli_set(name_path + [svc, 'address', interface])
+            self.cli_set(name_path + [svc, 'host-name', hostname])
+            self.cli_set(name_path + [svc, 'password', password])
             for opt, value in details.items():
-                self.cli_set(base_path + ddns + [svc, opt, value])
+                self.cli_set(name_path + [svc, opt, value])
 
-            # commit changes
+            # 'zone' option is supported by 'cloudfare' and 'zoneedit1', but not 'freedns'
+            self.cli_set(name_path + [svc, 'zone', zone])
+            if details['protocol'] in ['cloudflare', 'zoneedit1']:
+                pass
+            else:
+                # exception is raised for unsupported ones
+                with self.assertRaises(ConfigSessionError):
+                    self.cli_commit()
+                self.cli_delete(name_path + [svc, 'zone'])
+
+            # 'ttl' option is supported by 'cloudfare', but not 'freedns' and 'zoneedit'
+            self.cli_set(name_path + [svc, 'ttl', ttl])
             if details['protocol'] == 'cloudflare':
                 pass
             else:
-                # zone option does not work on all protocols, an exception is
-                # raised for all others
+                # exception is raised for unsupported ones
                 with self.assertRaises(ConfigSessionError):
                     self.cli_commit()
-                self.cli_delete(base_path + ddns + [svc, 'zone', zone])
+                self.cli_delete(name_path + [svc, 'ttl'])
 
             # commit changes
             self.cli_commit()
@@ -79,9 +95,9 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
             ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
             # default value 300 seconds
             self.assertIn(f'daemon=300', ddclient_conf)
-            self.assertIn(f'use=if', ddclient_conf)
-            self.assertIn(f'if={interface}', ddclient_conf)
-            self.assertIn(f'password={password}', ddclient_conf)
+            self.assertIn(f'usev4=ifv4', ddclient_conf)
+            self.assertIn(f'ifv4={interface}', ddclient_conf)
+            self.assertIn(f'password=\'{password}\'', ddclient_conf)
 
             for opt in details.keys():
                 if opt == 'username':
@@ -93,63 +109,81 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
 
     # IPv6 only DDNS service configuration
     def test_02_dyndns_service_ipv6(self):
-        timeout = '60'
-        ddns = ['address', interface, 'service', 'dynv6']
+        interval = '60'
+        svc_path = name_path + ['dynv6']
         proto = 'dyndns2'
-        user = 'none'
-        password = 'paSS_4ord'
-        srv = 'ddns.vyos.io'
         ip_version = 'ipv6'
+        wait_time = '600'
+        expiry_time_good = '3600'
+        expiry_time_bad = '360'
 
-        self.cli_set(base_path + ['timeout', timeout])
-        self.cli_set(base_path + ddns + ['ip-version', ip_version])
-        self.cli_set(base_path + ddns + ['protocol', proto])
-        self.cli_set(base_path + ddns + ['server', srv])
-        self.cli_set(base_path + ddns + ['username', user])
-        self.cli_set(base_path + ddns + ['password', password])
-        self.cli_set(base_path + ddns + ['host-name', hostname])
+        self.cli_set(base_path + ['interval', interval])
+        self.cli_set(svc_path + ['address', interface])
+        self.cli_set(svc_path + ['ip-version', ip_version])
+        self.cli_set(svc_path + ['protocol', proto])
+        self.cli_set(svc_path + ['server', server])
+        self.cli_set(svc_path + ['username', username])
+        self.cli_set(svc_path + ['password', password])
+        self.cli_set(svc_path + ['host-name', hostname])
+        self.cli_set(svc_path + ['wait-time', wait_time])
+
+        # expiry-time must be greater than wait-time, exception is raised otherwise
+        with self.assertRaises(ConfigSessionError):
+            self.cli_set(svc_path + ['expiry-time', expiry_time_bad])
+            self.cli_commit()
+        self.cli_set(svc_path + ['expiry-time', expiry_time_good])
 
         # commit changes
         self.cli_commit()
 
         # Check the generating config parameters
         ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
-        self.assertIn(f'daemon={timeout}', ddclient_conf)
+        self.assertIn(f'daemon={interval}', ddclient_conf)
         self.assertIn(f'usev6=ifv6', ddclient_conf)
         self.assertIn(f'ifv6={interface}', ddclient_conf)
         self.assertIn(f'protocol={proto}', ddclient_conf)
-        self.assertIn(f'server={srv}', ddclient_conf)
-        self.assertIn(f'login={user}', ddclient_conf)
-        self.assertIn(f'password={password}', ddclient_conf)
+        self.assertIn(f'server={server}', ddclient_conf)
+        self.assertIn(f'login={username}', ddclient_conf)
+        self.assertIn(f'password=\'{password}\'', ddclient_conf)
+        self.assertIn(f'min-interval={wait_time}', ddclient_conf)
+        self.assertIn(f'max-interval={expiry_time_good}', ddclient_conf)
 
     # IPv4+IPv6 dual DDNS service configuration
     def test_03_dyndns_service_dual_stack(self):
-        ddns = ['address', interface, 'service']
-        services = {'cloudflare': {'protocol': 'cloudflare', 'zone': 'vyos.io'},
-                    'freedns': {'protocol': 'freedns', 'username': 'vyos_user'}}
-        password = 'vyos_pass'
+        services = {'cloudflare': {'protocol': 'cloudflare', 'zone': zone},
+                    'freedns': {'protocol': 'freedns', 'username': username},
+                    'google': {'protocol': 'googledomains', 'username': username}}
         ip_version = 'both'
 
-        for svc, details in services.items():
-            # Always start with a clean CLI instance
-            self.cli_delete(base_path)
-
-            self.cli_set(base_path + ddns + [svc, 'host-name', hostname])
-            self.cli_set(base_path + ddns + [svc, 'password', password])
-            self.cli_set(base_path + ddns + [svc, 'ip-version', ip_version])
+        for name, details in services.items():
+            self.cli_set(name_path + [name, 'address', interface])
+            self.cli_set(name_path + [name, 'host-name', hostname])
+            self.cli_set(name_path + [name, 'password', password])
             for opt, value in details.items():
-                self.cli_set(base_path + ddns + [svc, opt, value])
+                self.cli_set(name_path + [name, opt, value])
+
+            # Dual stack is supported by 'cloudfare' and 'freedns' but not 'googledomains'
+            # exception is raised for unsupported ones
+            self.cli_set(name_path + [name, 'ip-version', ip_version])
+            if details['protocol'] not in ['cloudflare', 'freedns']:
+                with self.assertRaises(ConfigSessionError):
+                    self.cli_commit()
+                self.cli_delete(name_path + [name, 'ip-version'])
 
             # commit changes
             self.cli_commit()
 
             # Check the generating config parameters
             ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
-            self.assertIn(f'usev4=ifv4', ddclient_conf)
-            self.assertIn(f'usev6=ifv6', ddclient_conf)
-            self.assertIn(f'ifv4={interface}', ddclient_conf)
-            self.assertIn(f'ifv6={interface}', ddclient_conf)
-            self.assertIn(f'password={password}', ddclient_conf)
+            if details['protocol'] not in ['cloudflare', 'freedns']:
+                self.assertIn(f'usev4=ifv4', ddclient_conf)
+                self.assertIn(f'ifv4={interface}', ddclient_conf)
+            else:
+                self.assertIn(f'usev4=ifv4', ddclient_conf)
+                self.assertIn(f'usev6=ifv6', ddclient_conf)
+                self.assertIn(f'ifv4={interface}', ddclient_conf)
+                self.assertIn(f'ifv6={interface}', ddclient_conf)
+            self.assertIn(f'password=\'{password}\'', ddclient_conf)
 
             for opt in details.keys():
                 if opt == 'username':
@@ -161,19 +195,19 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
 
     def test_04_dyndns_rfc2136(self):
         # Check if DDNS service can be configured and runs
-        ddns = ['address', interface, 'rfc2136', 'vyos']
-        srv = 'ns1.vyos.io'
-        zone = 'vyos.io'
-        ttl = '300'
+        svc_path = name_path + ['vyos']
+        proto = 'nsupdate'
 
         with tempfile.NamedTemporaryFile(prefix='/config/auth/') as key_file:
             key_file.write(b'S3cretKey')
 
-            self.cli_set(base_path + ddns + ['server', srv])
-            self.cli_set(base_path + ddns + ['zone', zone])
-            self.cli_set(base_path + ddns + ['key', key_file.name])
-            self.cli_set(base_path + ddns + ['ttl', ttl])
-            self.cli_set(base_path + ddns + ['host-name', hostname])
+            self.cli_set(svc_path + ['address', interface])
+            self.cli_set(svc_path + ['protocol', proto])
+            self.cli_set(svc_path + ['server', server])
+            self.cli_set(svc_path + ['zone', zone])
+            self.cli_set(svc_path + ['key', key_file.name])
+            self.cli_set(svc_path + ['ttl', ttl])
+            self.cli_set(svc_path + ['host-name', hostname])
 
             # commit changes
             self.cli_commit()
@@ -182,11 +216,137 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
             ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
             self.assertIn(f'use=if', ddclient_conf)
             self.assertIn(f'if={interface}', ddclient_conf)
-            self.assertIn(f'protocol=nsupdate', ddclient_conf)
-            self.assertIn(f'server={srv}', ddclient_conf)
+            self.assertIn(f'protocol={proto}', ddclient_conf)
+            self.assertIn(f'server={server}', ddclient_conf)
             self.assertIn(f'zone={zone}', ddclient_conf)
-            self.assertIn(f'password={key_file.name}', ddclient_conf)
+            self.assertIn(f'password=\'{key_file.name}\'', ddclient_conf)
             self.assertIn(f'ttl={ttl}', ddclient_conf)
 
+    def test_05_dyndns_hostname(self):
+        # Check if DDNS service can be configured and runs
+        svc_path = name_path + ['namecheap']
+        proto = 'namecheap'
+        hostnames = ['@', 'www', hostname, f'@.{hostname}']
+
+        for name in hostnames:
+            self.cli_set(svc_path + ['address', interface])
+            self.cli_set(svc_path + ['protocol', proto])
+            self.cli_set(svc_path + ['server', server])
+            self.cli_set(svc_path + ['username', username])
+            self.cli_set(svc_path + ['password', password])
+            self.cli_set(svc_path + ['host-name', name])
+
+            # commit changes
+            self.cli_commit()
+
+            # Check the generating config parameters
+            ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
+            self.assertIn(f'protocol={proto}', ddclient_conf)
+            self.assertIn(f'server={server}', ddclient_conf)
+            self.assertIn(f'login={username}', ddclient_conf)
+            self.assertIn(f'password=\'{password}\'', ddclient_conf)
+            self.assertIn(f'{name}', ddclient_conf)
+
+    def test_06_dyndns_web_options(self):
+        # Check if DDNS service can be configured and runs
+        svc_path = name_path + ['cloudflare']
+        proto = 'cloudflare'
+        web_url_good = 'https://ifconfig.me/ip'
+        web_url_bad = 'http:/ifconfig.me/ip'
+
+        self.cli_set(svc_path + ['protocol', proto])
+        self.cli_set(svc_path + ['zone', zone])
+        self.cli_set(svc_path + ['password', password])
+        self.cli_set(svc_path + ['host-name', hostname])
+        self.cli_set(svc_path + ['web-options', 'url', web_url_good])
+
+        # web-options is supported only with web service based address lookup
+        # exception is raised for interface based address lookup
+        with self.assertRaises(ConfigSessionError):
+            self.cli_set(svc_path + ['address', interface])
+            self.cli_commit()
+        self.cli_set(svc_path + ['address', 'web'])
+
+        # commit changes
+        self.cli_commit()
+
+        # web-options must be a valid URL
+        with self.assertRaises(ConfigSessionError):
+            self.cli_set(svc_path + ['web-options', 'url', web_url_bad])
+            self.cli_commit()
+        self.cli_set(svc_path + ['web-options', 'url', web_url_good])
+
+        # commit changes
+        self.cli_commit()
+
+        # Check the generating config parameters
+        ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
+        self.assertIn(f'usev4=webv4', ddclient_conf)
+        self.assertIn(f'webv4={web_url_good}', ddclient_conf)
+        self.assertIn(f'protocol={proto}', ddclient_conf)
+        self.assertIn(f'zone={zone}', ddclient_conf)
+        self.assertIn(f'password=\'{password}\'', ddclient_conf)
+        self.assertIn(f'{hostname}', ddclient_conf)
+
+    def test_07_dyndns_dynamic_interface(self):
+        # Check if DDNS service can be configured and runs
+        svc_path = name_path + ['namecheap']
+        proto = 'namecheap'
+        dyn_interface = 'pppoe587'
+
+        self.cli_set(svc_path + ['address', dyn_interface])
+        self.cli_set(svc_path + ['protocol', proto])
+        self.cli_set(svc_path + ['server', server])
+        self.cli_set(svc_path + ['username', username])
+        self.cli_set(svc_path + ['password', password])
+        self.cli_set(svc_path + ['host-name', hostname])
+
+        # Dynamic interface will raise a warning but still go through
+        # XXX: We should have idiomatic class "ConfigSessionWarning" wrapping
+        #      "Warning" similar to "ConfigSessionError".
+        # with self.assertWarns(Warning):
+        #     self.cli_commit()
+        self.cli_commit()
+
+        # Check the generating config parameters
+        ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
+        self.assertIn(f'ifv4={dyn_interface}', ddclient_conf)
+        self.assertIn(f'protocol={proto}', ddclient_conf)
+        self.assertIn(f'server={server}', ddclient_conf)
+        self.assertIn(f'login={username}', ddclient_conf)
+        self.assertIn(f'password=\'{password}\'', ddclient_conf)
+        self.assertIn(f'{hostname}', ddclient_conf)
+
+    def test_08_dyndns_vrf(self):
+        # Table number randomized, but should be within range 100-65535
+        vrf_table = '58710'
+        vrf_name = f'vyos-test-{vrf_table}'
+        svc_path = name_path + ['cloudflare']
+        proto = 'cloudflare'
+
+        self.cli_set(['vrf', 'name', vrf_name, 'table', vrf_table])
+        self.cli_set(base_path + ['vrf', vrf_name])
+
+        self.cli_set(svc_path + ['address', interface])
+        self.cli_set(svc_path + ['protocol', proto])
+        self.cli_set(svc_path + ['host-name', hostname])
+        self.cli_set(svc_path + ['zone', zone])
+        self.cli_set(svc_path + ['password', password])
+
+        # commit changes
+        self.cli_commit()
+
+        # Check for process in VRF
+        systemd_override = cmd(f'cat {DDCLIENT_SYSTEMD_UNIT}')
+        self.assertIn(f'ExecStart=ip vrf exec {vrf_name} /usr/bin/ddclient -file {DDCLIENT_CONF}',
+                      systemd_override)
+
+        # Check for process in VRF
+        proc = cmd(f'ip vrf pids {vrf_name}')
+        self.assertIn(DDCLIENT_PNAME, proc)
+
+        # Cleanup VRF
+        self.cli_delete(['vrf', 'name', vrf_name])
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py
index bc50a4ffe..85a5f1448 100755
--- a/smoketest/scripts/cli/test_service_dns_forwarding.py
+++ b/smoketest/scripts/cli/test_service_dns_forwarding.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2022 VyOS maintainers and contributors
+# Copyright (C) 2019-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -43,7 +43,6 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
         super(TestServicePowerDNS, cls).setUpClass()
-
         # ensure we can also run this test on a live system - so lets clean
         # out the current configuration :)
         cls.cli_delete(cls, base_path)
@@ -239,6 +238,45 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
         tmp = get_config_value('dns64-prefix')
         self.assertEqual(tmp, dns_prefix)
 
+    def test_exclude_throttle_adress(self):
+        exclude_throttle_adress_examples = [
+            '192.168.128.255',
+            '10.0.0.0/25',
+            '2001:db8:85a3:8d3:1319:8a2e:370:7348',
+            '64:ff9b::/96'
+        ]
+
+        for network in allow_from:
+            self.cli_set(base_path + ['allow-from', network])
+        for address in listen_adress:
+            self.cli_set(base_path + ['listen-address', address])
+
+        for exclude_throttle_adress in exclude_throttle_adress_examples:
+            self.cli_set(base_path + ['exclude-throttle-address', exclude_throttle_adress])
+
+        # commit changes
+        self.cli_commit()
+
+        # verify dont-throttle-netmasks configuration
+        tmp = get_config_value('dont-throttle-netmasks')
+        self.assertEqual(tmp, ','.join(exclude_throttle_adress_examples))
+
+    def test_serve_stale_extension(self):
+        server_stale = '20'
+        for network in allow_from:
+            self.cli_set(base_path + ['allow-from', network])
+        for address in listen_adress:
+            self.cli_set(base_path + ['listen-address', address])
+
+        self.cli_set(base_path + ['serve-stale-extension', server_stale])
+
+        # commit changes
+        self.cli_commit()
+
+        # verify configuration
+        tmp = get_config_value('serve-stale-extensions')
+        self.assertEqual(tmp, server_stale)
+
     def test_listening_port(self):
         # We can listen on a different port compared to '53' but only one at a time
         for port in ['1053', '5353']:
diff --git a/smoketest/scripts/cli/test_service_https.py b/smoketest/scripts/cli/test_service_https.py
index 1ae5c104c..8d9b8459e 100755
--- a/smoketest/scripts/cli/test_service_https.py
+++ b/smoketest/scripts/cli/test_service_https.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2023 VyOS maintainers and contributors
+# Copyright (C) 2019-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import unittest
+import json
 
 from requests import request
 from urllib3.exceptions import InsecureRequestWarning
@@ -22,7 +23,11 @@ from urllib3.exceptions import InsecureRequestWarning
 from base_vyostest_shim import VyOSUnitTestSHIM
 from base_vyostest_shim import ignore_warning
 from vyos.utils.file import read_file
-from vyos.utils.process import run
+from vyos.utils.file import write_file
+from vyos.utils.process import call
+from vyos.utils.process import process_named_running
+
+from vyos.configsession import ConfigSessionError
 
 base_path = ['service', 'https']
 pki_base = ['pki']
@@ -48,78 +53,114 @@ MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx
 u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww
 """
 
+dh_1024 = """
+MIGHAoGBAM3nvMkHGi/xmRs8cYg4pcl5sAanxel9EM+1XobVhUViXw8JvlmSEVOj
+n2aXUifc4SEs3WDzVPRC8O8qQWjvErpTq/HOgt3aqBCabMgvflmt706XP0KiqnpW
+EyvNiI27J3wBUzEXLIS110MxPAX5Tcug974PecFcOxn1RWrbWcx/AgEC
+"""
+
+dh_2048 = """
+MIIBCAKCAQEA1mld/V7WnxxRinkOlhx/BoZkRELtIUQFYxyARBqYk4C5G3YnZNNu
+zjaGyPnfIKHu8SIUH85OecM+5/co9nYlcUJuph2tbR6qNgPw7LOKIhf27u7WhvJk
+iVsJhwZiWmvvMV4jTParNEI2svoooMyhHXzeweYsg6YtgLVmwiwKj3XP3gRH2i3B
+Mq8CDS7X6xaKvjfeMPZBFqOM5nb6HhsbaAUyiZxrfipLvXxtnbzd/eJUQVfVdxM3
+pn0i+QrO2tuNAzX7GoPc9pefrbb5xJmGS50G0uqsR59+7LhYmyZSBASA0lxTEW9t
+kv/0LPvaYTY57WL7hBeqqHy/WPZHPzDI3wIBAg==
+"""
+# to test load config via HTTP URL
+nginx_tmp_site = '/etc/nginx/sites-enabled/smoketest'
+nginx_conf_smoketest = """
+server {
+    listen 8000;
+    server_name localhost;
+
+    root /tmp;
+
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ =404;
+        autoindex on;
+    }
+}
+"""
+
+PROCESS_NAME = 'nginx'
+
 class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
-    def setUp(self):
+    @classmethod
+    def setUpClass(cls):
+        super(TestHTTPSService, cls).setUpClass()
+
         # ensure we can also run this test on a live system - so lets clean
         # out the current configuration :)
-        self.cli_delete(base_path)
-        self.cli_delete(pki_base)
+        cls.cli_delete(cls, base_path)
+        cls.cli_delete(cls, pki_base)
+
+    @classmethod
+    def tearDownClass(cls):
+        super(TestHTTPSService, cls).tearDownClass()
+        call(f'sudo rm -f {nginx_tmp_site}')
 
     def tearDown(self):
         self.cli_delete(base_path)
         self.cli_delete(pki_base)
         self.cli_commit()
 
-    def test_default(self):
-        self.cli_set(base_path)
-        self.cli_commit()
-
-        ret = run('sudo /usr/sbin/nginx -t')
-        self.assertEqual(ret, 0)
-
-    def test_server_block(self):
-        vhost_id = 'example'
-        address = '0.0.0.0'
-        port = '8443'
-        name = 'example.org'
-
-        test_path = base_path + ['virtual-host', vhost_id]
-
-        self.cli_set(test_path + ['listen-address', address])
-        self.cli_set(test_path + ['listen-port', port])
-        self.cli_set(test_path + ['server-name', name])
-
-        self.cli_commit()
-
-        ret = run('sudo /usr/sbin/nginx -t')
-        self.assertEqual(ret, 0)
-
-        nginx_config = read_file('/etc/nginx/sites-enabled/default')
-        self.assertIn(f'listen {address}:{port} ssl;', nginx_config)
-        self.assertIn(f'ssl_protocols TLSv1.2 TLSv1.3;', nginx_config)
+        # Check for stopped  process
+        self.assertFalse(process_named_running(PROCESS_NAME))
 
     def test_certificate(self):
-        self.cli_set(pki_base + ['certificate', 'test_https', 'certificate', cert_data.replace('\n','')])
-        self.cli_set(pki_base + ['certificate', 'test_https', 'private', 'key', key_data.replace('\n','')])
-
-        self.cli_set(base_path + ['certificates', 'certificate', 'test_https'])
+        cert_name = 'test_https'
+        dh_name = 'dh-test'
+
+        self.cli_set(base_path + ['certificates', 'certificate', cert_name])
+        # verify() - certificates do not exist (yet)
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_set(pki_base + ['certificate', cert_name, 'certificate', cert_data.replace('\n','')])
+        self.cli_set(pki_base + ['certificate', cert_name, 'private', 'key', key_data.replace('\n','')])
+
+        self.cli_set(base_path + ['certificates', 'dh-params', dh_name])
+        # verify() - dh-params do not exist (yet)
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        self.cli_set(pki_base + ['dh', dh_name, 'parameters', dh_1024.replace('\n','')])
+        # verify() - dh-param minimum length is 2048 bit
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_set(pki_base + ['dh', dh_name, 'parameters', dh_2048.replace('\n','')])
 
         self.cli_commit()
+        self.assertTrue(process_named_running(PROCESS_NAME))
+        self.debug = False
+
+    def test_api_missing_keys(self):
+        self.cli_set(base_path + ['api'])
+        self.assertRaises(ConfigSessionError, self.cli_commit)
 
-        ret = run('sudo /usr/sbin/nginx -t')
-        self.assertEqual(ret, 0)
+    def test_api_incomplete_key(self):
+        self.cli_set(base_path + ['api', 'keys', 'id', 'key-01'])
+        self.assertRaises(ConfigSessionError, self.cli_commit)
 
     @ignore_warning(InsecureRequestWarning)
     def test_api_auth(self):
         vhost_id = 'example'
         address = '127.0.0.1'
-        port = '443'
+        port = '443' # default value
         name = 'localhost'
 
-        self.cli_set(base_path + ['api', 'socket'])
         key = 'MySuperSecretVyOS'
         self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
 
-        test_path = base_path + ['virtual-host', vhost_id]
-        self.cli_set(test_path + ['listen-address', address])
-        self.cli_set(test_path + ['listen-port', port])
-        self.cli_set(test_path + ['server-name', name])
+        self.cli_set(base_path + ['listen-address', address])
 
         self.cli_commit()
 
         nginx_config = read_file('/etc/nginx/sites-enabled/default')
         self.assertIn(f'listen {address}:{port} ssl;', nginx_config)
-        self.assertIn(f'ssl_protocols TLSv1.2 TLSv1.3;', nginx_config)
+        self.assertIn(f'ssl_protocols TLSv1.2 TLSv1.3;', nginx_config) # default
 
         url = f'https://{address}/retrieve'
         payload = {'data': '{"op": "showConfig", "path": []}', 'key': f'{key}'}
@@ -138,6 +179,13 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
         # Must get HTTP code 401 on missing key (Unauthorized)
         self.assertEqual(r.status_code, 401)
 
+        # Check path config
+        payload = {'data': '{"op": "showConfig", "path": ["system", "login"]}', 'key': f'{key}'}
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        response = r.json()
+        vyos_user_exists = 'vyos' in response.get('data', {}).get('user', {})
+        self.assertTrue(vyos_user_exists, "The 'vyos' user does not exist in the response.")
+
         # GraphQL auth test: a missing key will return status code 400, as
         # 'key' is a non-nullable field in the schema; an incorrect key is
         # caught by the resolver, and returns success 'False', so one must
@@ -240,5 +288,174 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
         success = r.json()['data']['ShowVersion']['success']
         self.assertTrue(success)
 
+    @ignore_warning(InsecureRequestWarning)
+    def test_api_add_delete(self):
+        address = '127.0.0.1'
+        key = 'VyOS-key'
+        url = f'https://{address}/retrieve'
+        payload = {'data': '{"op": "showConfig", "path": []}', 'key': f'{key}'}
+        headers = {}
+
+        self.cli_set(base_path)
+        self.cli_commit()
+
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        # api not configured; expect 503
+        self.assertEqual(r.status_code, 503)
+
+        self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
+        self.cli_commit()
+
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        # api configured; expect 200
+        self.assertEqual(r.status_code, 200)
+
+        self.cli_delete(base_path + ['api'])
+        self.cli_commit()
+
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        # api deleted; expect 503
+        self.assertEqual(r.status_code, 503)
+
+    @ignore_warning(InsecureRequestWarning)
+    def test_api_show(self):
+        address = '127.0.0.1'
+        key = 'VyOS-key'
+        url = f'https://{address}/show'
+        headers = {}
+
+        self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
+        self.cli_commit()
+
+        payload = {
+            'data': '{"op": "show", "path": ["system", "image"]}',
+            'key': f'{key}',
+        }
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        self.assertEqual(r.status_code, 200)
+
+    @ignore_warning(InsecureRequestWarning)
+    def test_api_generate(self):
+        address = '127.0.0.1'
+        key = 'VyOS-key'
+        url = f'https://{address}/generate'
+        headers = {}
+
+        self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
+        self.cli_commit()
+
+        payload = {
+            'data': '{"op": "generate", "path": ["macsec", "mka", "cak", "gcm-aes-256"]}',
+            'key': f'{key}',
+        }
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        self.assertEqual(r.status_code, 200)
+
+    @ignore_warning(InsecureRequestWarning)
+    def test_api_configure(self):
+        address = '127.0.0.1'
+        key = 'VyOS-key'
+        url = f'https://{address}/configure'
+        headers = {}
+        conf_interface = 'dum0'
+        conf_address = '192.0.2.44/32'
+
+        self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
+        self.cli_commit()
+
+        payload_path = [
+            "interfaces",
+            "dummy",
+            f"{conf_interface}",
+            "address",
+            f"{conf_address}",
+        ]
+
+        payload = {'data': json.dumps({"op": "set", "path": payload_path}), 'key': key}
+
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        self.assertEqual(r.status_code, 200)
+
+    @ignore_warning(InsecureRequestWarning)
+    def test_api_config_file(self):
+        address = '127.0.0.1'
+        key = 'VyOS-key'
+        url = f'https://{address}/config-file'
+        headers = {}
+
+        self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
+        self.cli_commit()
+
+        payload = {
+            'data': '{"op": "save"}',
+            'key': f'{key}',
+        }
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        self.assertEqual(r.status_code, 200)
+
+    @ignore_warning(InsecureRequestWarning)
+    def test_api_reset(self):
+        address = '127.0.0.1'
+        key = 'VyOS-key'
+        url = f'https://{address}/reset'
+        headers = {}
+
+        self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
+        self.cli_commit()
+
+        payload = {
+            'data': '{"op": "reset", "path": ["ip", "arp", "table"]}',
+            'key': f'{key}',
+        }
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        self.assertEqual(r.status_code, 200)
+
+    @ignore_warning(InsecureRequestWarning)
+    def test_api_config_file_load_http(self):
+        # Test load config from HTTP URL
+        address = '127.0.0.1'
+        key = 'VyOS-key'
+        url = f'https://{address}/config-file'
+        url_config = f'https://{address}/configure'
+        headers = {}
+        tmp_file = 'tmp-config.boot'
+
+        self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
+        self.cli_commit()
+
+        # load config via HTTP requires nginx config
+        call(f'sudo touch {nginx_tmp_site}')
+        call(f'sudo chmod 666 {nginx_tmp_site}')
+        write_file(nginx_tmp_site, nginx_conf_smoketest)
+        call('sudo systemctl reload nginx')
+
+        # save config
+        payload = {
+            'data': '{"op": "save", "file": "/tmp/tmp-config.boot"}',
+            'key': f'{key}',
+        }
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        self.assertEqual(r.status_code, 200)
+
+        # change config
+        payload = {
+            'data': '{"op": "set", "path": ["interfaces", "dummy", "dum1", "address", "192.0.2.31/32"]}',
+            'key': f'{key}',
+        }
+        r = request('POST', url_config, verify=False, headers=headers, data=payload)
+        self.assertEqual(r.status_code, 200)
+
+        # load config from URL
+        payload = {
+            'data': '{"op": "load", "file": "http://localhost:8000/tmp-config.boot"}',
+            'key': f'{key}',
+        }
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        self.assertEqual(r.status_code, 200)
+
+        # cleanup tmp nginx conf
+        call(f'sudo rm -f {nginx_tmp_site}')
+        call('sudo systemctl reload nginx')
+
 if __name__ == '__main__':
-    unittest.main(verbosity=2)
+    unittest.main(verbosity=5)
diff --git a/smoketest/scripts/cli/test_service_ids.py b/smoketest/scripts/cli/test_service_ids_ddos-protection.py
index 91b056eea..91b056eea 100755
--- a/smoketest/scripts/cli/test_service_ids.py
+++ b/smoketest/scripts/cli/test_service_ids_ddos-protection.py
diff --git a/smoketest/scripts/cli/test_service_ipoe-server.py b/smoketest/scripts/cli/test_service_ipoe-server.py
index 4dd3e761c..6e95b3bd1 100755
--- a/smoketest/scripts/cli/test_service_ipoe-server.py
+++ b/smoketest/scripts/cli/test_service_ipoe-server.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2022 VyOS maintainers and contributors
+# Copyright (C) 2022-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -17,28 +17,35 @@
 import re
 import unittest
 
+from collections import OrderedDict
 from base_accel_ppp_test import BasicAccelPPPTest
 from vyos.configsession import ConfigSessionError
 from vyos.utils.process import cmd
-
 from configparser import ConfigParser
+from configparser import RawConfigParser
 
-ac_name = 'ACN'
-interface = 'eth0'
+ac_name = "ACN"
+interface = "eth0"
 
 
-def getConfig(string, end='cli'):
-    command = f'cat /run/accel-pppd/ipoe.conf | sed -n "/^{string}/,/^{end}/p"'
-    out = cmd(command)
-    return out
+class MultiOrderedDict(OrderedDict):
+    # Accel-ppp has duplicate keys in config file (gw-ip-address)
+    # This class is used to define dictionary which can contain multiple values
+    # in one key.
+    def __setitem__(self, key, value):
+        if isinstance(value, list) and key in self:
+            self[key].extend(value)
+        else:
+            super(OrderedDict, self).__setitem__(key, value)
 
 
 class TestServiceIPoEServer(BasicAccelPPPTest.TestCase):
     @classmethod
     def setUpClass(cls):
-        cls._base_path = ['service', 'ipoe-server']
-        cls._config_file = '/run/accel-pppd/ipoe.conf'
-        cls._chap_secrets = '/run/accel-pppd/ipoe.chap-secrets'
+        cls._base_path = ["service", "ipoe-server"]
+        cls._config_file = "/run/accel-pppd/ipoe.conf"
+        cls._chap_secrets = "/run/accel-pppd/ipoe.chap-secrets"
+        cls._protocol_section = "ipoe"
 
         # call base-classes classmethod
         super(TestServiceIPoEServer, cls).setUpClass()
@@ -47,22 +54,29 @@ class TestServiceIPoEServer(BasicAccelPPPTest.TestCase):
         super().verify(conf)
 
         # Validate configuration values
-        accel_modules = list(conf['modules'].keys())
-        self.assertIn('log_syslog', accel_modules)
-        self.assertIn('ipoe', accel_modules)
-        self.assertIn('shaper', accel_modules)
-        self.assertIn('ipv6pool', accel_modules)
-        self.assertIn('ipv6_nd', accel_modules)
-        self.assertIn('ipv6_dhcp', accel_modules)
-        self.assertIn('ippool', accel_modules)
-
-    def basic_config(self):
-        self.set(['interface', interface, 'client-subnet', '192.168.0.0/24'])
+        accel_modules = list(conf["modules"].keys())
+        self.assertIn("log_syslog", accel_modules)
+        self.assertIn("ipoe", accel_modules)
+        self.assertIn("shaper", accel_modules)
+        self.assertIn("ipv6pool", accel_modules)
+        self.assertIn("ipv6_nd", accel_modules)
+        self.assertIn("ipv6_dhcp", accel_modules)
+        self.assertIn("ippool", accel_modules)
+
+    def initial_gateway_config(self):
+        self._gateway = "192.0.2.1/24"
+        super().initial_gateway_config()
+
+    def initial_auth_config(self):
+        self.set(["authentication", "mode", "noauth"])
+
+    def basic_protocol_specific_config(self):
+        self.set(["interface", interface, "client-subnet", "192.168.0.0/24"])
 
     def test_accel_local_authentication(self):
-        mac_address = '08:00:27:2f:d8:06'
-        self.set(['authentication', 'interface', interface, 'mac', mac_address])
-        self.set(['authentication', 'mode', 'local'])
+        mac_address = "08:00:27:2f:d8:06"
+        self.set(["authentication", "interface", interface, "mac", mac_address])
+        self.set(["authentication", "mode", "local"])
 
         # No IPoE interface configured
         with self.assertRaises(ConfigSessionError):
@@ -70,115 +84,110 @@ class TestServiceIPoEServer(BasicAccelPPPTest.TestCase):
 
         # Test configuration of local authentication for PPPoE server
         self.basic_config()
-
+        # Rewrite authentication from basic_config
+        self.set(["authentication", "interface", interface, "mac", mac_address])
+        self.set(["authentication", "mode", "local"])
         # commit changes
         self.cli_commit()
 
         # Validate configuration values
-        conf = ConfigParser(allow_no_value=True, delimiters='=')
+        conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
         conf.read(self._config_file)
 
         # check proper path to chap-secrets file
-        self.assertEqual(conf['chap-secrets']['chap-secrets'], self._chap_secrets)
+        self.assertEqual(conf["chap-secrets"]["chap-secrets"], self._chap_secrets)
 
-        accel_modules = list(conf['modules'].keys())
-        self.assertIn('chap-secrets', accel_modules)
+        accel_modules = list(conf["modules"].keys())
+        self.assertIn("chap-secrets", accel_modules)
 
         # basic verification
         self.verify(conf)
 
         # check local users
-        tmp = cmd(f'sudo cat {self._chap_secrets}')
-        regex = f'{interface}\s+\*\s+{mac_address}\s+\*'
+        tmp = cmd(f"sudo cat {self._chap_secrets}")
+        regex = f"{interface}\s+\*\s+{mac_address}\s+\*"
         tmp = re.findall(regex, tmp)
         self.assertTrue(tmp)
 
-    def test_accel_named_pool(self):
-        first_pool = 'VyOS-pool1'
-        first_subnet = '192.0.2.0/25'
-        first_gateway = '192.0.2.1'
-        second_pool = 'Vyos-pool2'
-        second_subnet = '203.0.113.0/25'
-        second_gateway = '203.0.113.1'
-
-        self.set(['authentication', 'mode', 'noauth'])
-        self.set(['client-ip-pool', 'name', first_pool, 'gateway-address', first_gateway])
-        self.set(['client-ip-pool', 'name', first_pool, 'subnet', first_subnet])
-        self.set(['client-ip-pool', 'name', second_pool, 'gateway-address', second_gateway])
-        self.set(['client-ip-pool', 'name', second_pool, 'subnet', second_subnet])
-        self.set(['interface', interface])
+    def test_accel_ipv4_pool(self):
+        self.basic_config(is_gateway=False, is_client_pool=False)
 
+        gateway = ["172.16.0.1/25", "192.0.2.1/24"]
+        subnet = "172.16.0.0/24"
+        first_pool = "POOL1"
+        second_pool = "POOL2"
+        range = "192.0.2.10-192.0.2.20"
+        range_config = "192.0.2.10-20"
+
+        for gw in gateway:
+            self.set(["gateway-address", gw])
+
+        self.set(["client-ip-pool", first_pool, "range", subnet])
+        self.set(["client-ip-pool", first_pool, "next-pool", second_pool])
+        self.set(["client-ip-pool", second_pool, "range", range])
+        self.set(["default-pool", first_pool])
         # commit changes
-        self.cli_commit()
 
+        self.cli_commit()
 
         # Validate configuration values
-        conf = ConfigParser(allow_no_value=True, delimiters='=', strict=False)
+        conf = RawConfigParser(
+            allow_no_value=True,
+            delimiters="=",
+            strict=False,
+            dict_type=MultiOrderedDict,
+        )
         conf.read(self._config_file)
 
-        self.assertTrue(conf['ipoe']['interface'], f'{interface},shared=1,mode=L2,ifcfg=1,start=dhcpv4,ipv6=1')
-        self.assertTrue(conf['ipoe']['noauth'], '1')
-        self.assertTrue(conf['ipoe']['ip-pool'], first_pool)
-        self.assertTrue(conf['ipoe']['ip-pool'], second_pool)
-        self.assertTrue(conf['ipoe']['gw-ip-address'], f'{first_gateway}/25')
-        self.assertTrue(conf['ipoe']['gw-ip-address'], f'{second_gateway}/25')
-
-        config = getConfig('[ip-pool]')
-        pool_config = f'''{second_subnet},name={second_pool}
-{first_subnet},name={first_pool}
-gw-ip-address={second_gateway}/25
-gw-ip-address={first_gateway}/25'''
-        self.assertIn(pool_config, config)
+        self.assertIn(
+            f"{first_pool},next={second_pool}", conf["ip-pool"][f"{subnet},name"]
+        )
+        self.assertIn(second_pool, conf["ip-pool"][f"{range_config},name"])
+
+        gw_pool_config_list = conf.get("ip-pool", "gw-ip-address")
+        gw_ipoe_config_list = conf.get(self._protocol_section, "gw-ip-address")
+        for gw in gateway:
+            self.assertIn(gw.split("/")[0], gw_pool_config_list)
+            self.assertIn(gw, gw_ipoe_config_list)
 
+        self.assertIn(first_pool, conf[self._protocol_section]["ip-pool"])
 
     def test_accel_next_pool(self):
-        first_pool = 'VyOS-pool1'
-        first_subnet = '192.0.2.0/25'
-        first_gateway = '192.0.2.1'
-        second_pool = 'Vyos-pool2'
-        second_subnet = '203.0.113.0/25'
-        second_gateway = '203.0.113.1'
-        third_pool = 'Vyos-pool3'
-        third_subnet = '198.51.100.0/24'
-        third_gateway = '198.51.100.1'
-
-        self.set(['authentication', 'mode', 'noauth'])
-        self.set(['client-ip-pool', 'name', first_pool, 'gateway-address', first_gateway])
-        self.set(['client-ip-pool', 'name', first_pool, 'subnet', first_subnet])
-        self.set(['client-ip-pool', 'name', first_pool, 'next-pool', second_pool])
-        self.set(['client-ip-pool', 'name', second_pool, 'gateway-address', second_gateway])
-        self.set(['client-ip-pool', 'name', second_pool, 'subnet', second_subnet])
-        self.set(['client-ip-pool', 'name', second_pool, 'next-pool', third_pool])
-        self.set(['client-ip-pool', 'name', third_pool, 'gateway-address', third_gateway])
-        self.set(['client-ip-pool', 'name', third_pool, 'subnet', third_subnet])
-        self.set(['interface', interface])
+        self.basic_config(is_gateway=False, is_client_pool=False)
+
+        first_pool = "VyOS-pool1"
+        first_subnet = "192.0.2.0/25"
+        first_gateway = "192.0.2.1/24"
+        second_pool = "Vyos-pool2"
+        second_subnet = "203.0.113.0/25"
+        second_gateway = "203.0.113.1/24"
+        third_pool = "Vyos-pool3"
+        third_subnet = "198.51.100.0/24"
+        third_gateway = "198.51.100.1/24"
+
+        self.set(["gateway-address", f"{first_gateway}"])
+        self.set(["gateway-address", f"{second_gateway}"])
+        self.set(["gateway-address", f"{third_gateway}"])
+
+        self.set(["client-ip-pool", first_pool, "range", first_subnet])
+        self.set(["client-ip-pool", first_pool, "next-pool", second_pool])
+        self.set(["client-ip-pool", second_pool, "range", second_subnet])
+        self.set(["client-ip-pool", second_pool, "next-pool", third_pool])
+        self.set(["client-ip-pool", third_pool, "range", third_subnet])
 
         # commit changes
         self.cli_commit()
 
-
-        # Validate configuration values
-        conf = ConfigParser(allow_no_value=True, delimiters='=', strict=False)
-        conf.read(self._config_file)
-
-        self.assertTrue(conf['ipoe']['interface'], f'{interface},shared=1,mode=L2,ifcfg=1,start=dhcpv4,ipv6=1')
-        self.assertTrue(conf['ipoe']['noauth'], '1')
-        self.assertTrue(conf['ipoe']['ip-pool'], first_pool)
-        self.assertTrue(conf['ipoe']['gw-ip-address'], f'{first_gateway}/25')
-        self.assertTrue(conf['ipoe']['gw-ip-address'], f'{second_gateway}/25')
-        self.assertTrue(conf['ipoe']['gw-ip-address'], f'{third_gateway}/24')
-
-        config = getConfig('[ip-pool]')
+        config = self.getConfig("ip-pool")
         # T5099 required specific order
-        pool_config = f'''{third_subnet},name={third_pool}
+        pool_config = f"""gw-ip-address={first_gateway.split('/')[0]}
+gw-ip-address={second_gateway.split('/')[0]}
+gw-ip-address={third_gateway.split('/')[0]}
+{third_subnet},name={third_pool}
 {second_subnet},name={second_pool},next={third_pool}
-{first_subnet},name={first_pool},next={second_pool}
-gw-ip-address={third_gateway}/24
-gw-ip-address={second_gateway}/25
-gw-ip-address={first_gateway}/25'''
+{first_subnet},name={first_pool},next={second_pool}"""
         self.assertIn(pool_config, config)
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     unittest.main(verbosity=2)
-
diff --git a/smoketest/scripts/cli/test_service_lldp.py b/smoketest/scripts/cli/test_service_lldp.py
index ee26844ab..7e30b43f5 100755
--- a/smoketest/scripts/cli/test_service_lldp.py
+++ b/smoketest/scripts/cli/test_service_lldp.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2022 VyOS maintainers and contributors
+# Copyright (C) 2022-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -122,6 +122,20 @@ class TestServiceLLDP(VyOSUnitTestSHIM.TestCase):
         self.assertIn(f'configure ports {interface} med location elin "{elin}"', config)
         self.assertIn(f'configure system interface pattern "{interface}"', config)
 
+    def test_06_lldp_snmp(self):
+        self.cli_set(base_path + ['snmp'])
+
+        # verify - can not start lldp snmp without snmp beeing configured
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_set(['service', 'snmp'])
+        self.cli_commit()
+
+        # SNMP required process to be started with -x option
+        tmp = read_file('/etc/default/lldpd')
+        self.assertIn('-x', tmp)
+
+        self.cli_delete(['service', 'snmp'])
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_service_mdns-repeater.py b/smoketest/scripts/cli/test_service_mdns-repeater.py
deleted file mode 100755
index 9a9839025..000000000
--- a/smoketest/scripts/cli/test_service_mdns-repeater.py
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020-2023 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import unittest
-
-from base_vyostest_shim import VyOSUnitTestSHIM
-
-from configparser import ConfigParser
-from vyos.utils.process import process_named_running
-
-base_path = ['service', 'mdns', 'repeater']
-intf_base = ['interfaces', 'dummy']
-config_file = '/run/avahi-daemon/avahi-daemon.conf'
-
-
-class TestServiceMDNSrepeater(VyOSUnitTestSHIM.TestCase):
-    def tearDown(self):
-        # Check for running process
-        self.assertTrue(process_named_running('avahi-daemon'))
-
-        self.cli_delete(base_path)
-        self.cli_delete(intf_base + ['dum10'])
-        self.cli_delete(intf_base + ['dum20'])
-        self.cli_commit()
-
-        # Check that there is no longer a running process
-        self.assertFalse(process_named_running('avahi-daemon'))
-
-    def test_service(self):
-        # mDNS browsing domains in addition to the default one (local)
-        domains = ['dom1.home.arpa', 'dom2.home.arpa']
-
-        # mDNS services to be repeated
-        services = ['_ipp._tcp', '_smb._tcp', '_ssh._tcp']
-
-        # Service required a configured IP address on the interface
-        self.cli_set(intf_base + ['dum10', 'address', '192.0.2.1/30'])
-        self.cli_set(intf_base + ['dum20', 'address', '192.0.2.5/30'])
-
-        self.cli_set(base_path + ['interface', 'dum10'])
-        self.cli_set(base_path + ['interface', 'dum20'])
-
-        for domain in domains:
-            self.cli_set(base_path + ['browse-domain', domain])
-
-        for service in services:
-            self.cli_set(base_path + ['allow-service', service])
-
-        self.cli_commit()
-
-        # Validate configuration values
-        conf = ConfigParser(delimiters='=')
-        conf.read(config_file)
-
-        self.assertEqual(conf['server']['allow-interfaces'], 'dum10, dum20')
-        self.assertEqual(conf['server']['browse-domains'], ', '.join(domains))
-        self.assertEqual(conf['reflector']['enable-reflector'], 'yes')
-        self.assertEqual(conf['reflector']['reflect-filters'], ', '.join(services))
-
-if __name__ == '__main__':
-    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_service_mdns_repeater.py b/smoketest/scripts/cli/test_service_mdns_repeater.py
new file mode 100755
index 000000000..f2fb3b509
--- /dev/null
+++ b/smoketest/scripts/cli/test_service_mdns_repeater.py
@@ -0,0 +1,134 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+
+from configparser import ConfigParser
+from vyos.configsession import ConfigSessionError
+from vyos.utils.process import process_named_running
+
+base_path = ['service', 'mdns', 'repeater']
+intf_base = ['interfaces', 'dummy']
+config_file = '/run/avahi-daemon/avahi-daemon.conf'
+
+
+class TestServiceMDNSrepeater(VyOSUnitTestSHIM.TestCase):
+    def setUp(self):
+        # Start with a clean CLI instance
+        self.cli_delete(base_path)
+
+        # Service required a configured IP address on the interface
+        self.cli_set(intf_base + ['dum10', 'address', '192.0.2.1/30'])
+        self.cli_set(intf_base + ['dum10', 'ipv6', 'address', 'no-default-link-local'])
+        self.cli_set(intf_base + ['dum20', 'address', '192.0.2.5/30'])
+        self.cli_set(intf_base + ['dum20', 'address', '2001:db8:0:2::5/64'])
+        self.cli_set(intf_base + ['dum30', 'address', '192.0.2.9/30'])
+        self.cli_set(intf_base + ['dum30', 'address', '2001:db8:0:2::9/64'])
+        self.cli_set(intf_base + ['dum40', 'address', '2001:db8:0:2::11/64'])
+        self.cli_commit()
+
+    def tearDown(self):
+        # Check for running process
+        self.assertTrue(process_named_running('avahi-daemon'))
+
+        self.cli_delete(base_path)
+        self.cli_delete(intf_base + ['dum10'])
+        self.cli_delete(intf_base + ['dum20'])
+        self.cli_delete(intf_base + ['dum30'])
+        self.cli_delete(intf_base + ['dum40'])
+        self.cli_commit()
+
+        # Check that there is no longer a running process
+        self.assertFalse(process_named_running('avahi-daemon'))
+
+    def test_service_dual_stack(self):
+        # mDNS browsing domains in addition to the default one (local)
+        domains = ['dom1.home.arpa', 'dom2.home.arpa']
+
+        # mDNS services to be repeated
+        services = ['_ipp._tcp', '_smb._tcp', '_ssh._tcp']
+
+        self.cli_set(base_path + ['ip-version', 'both'])
+        self.cli_set(base_path + ['interface', 'dum20'])
+        self.cli_set(base_path + ['interface', 'dum30'])
+
+        for domain in domains:
+            self.cli_set(base_path + ['browse-domain', domain])
+
+        for service in services:
+            self.cli_set(base_path + ['allow-service', service])
+
+        self.cli_commit()
+
+        # Validate configuration values
+        conf = ConfigParser(delimiters='=')
+        conf.read(config_file)
+
+        self.assertEqual(conf['server']['use-ipv4'], 'yes')
+        self.assertEqual(conf['server']['use-ipv6'], 'yes')
+        self.assertEqual(conf['server']['allow-interfaces'], 'dum20, dum30')
+        self.assertEqual(conf['server']['browse-domains'], ', '.join(domains))
+        self.assertEqual(conf['reflector']['enable-reflector'], 'yes')
+        self.assertEqual(conf['reflector']['reflect-filters'], ', '.join(services))
+
+    def test_service_ipv4(self):
+        # partcipating interfaces should have IPv4 addresses
+        self.cli_set(base_path + ['ip-version', 'ipv4'])
+        self.cli_set(base_path + ['interface', 'dum10'])
+        self.cli_set(base_path + ['interface', 'dum40'])
+
+        # exception is raised if partcipating interfaces do not have IPv4 address
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_delete(base_path + ['interface', 'dum40'])
+        self.cli_set(base_path + ['interface', 'dum20'])
+        self.cli_commit()
+
+        # Validate configuration values
+        conf = ConfigParser(delimiters='=')
+        conf.read(config_file)
+
+        self.assertEqual(conf['server']['use-ipv4'], 'yes')
+        self.assertEqual(conf['server']['use-ipv6'], 'no')
+        self.assertEqual(conf['server']['allow-interfaces'], 'dum10, dum20')
+        self.assertEqual(conf['reflector']['enable-reflector'], 'yes')
+
+    def test_service_ipv6(self):
+        # partcipating interfaces should have IPv6 addresses
+        self.cli_set(base_path + ['ip-version', 'ipv6'])
+        self.cli_set(base_path + ['interface', 'dum10'])
+        self.cli_set(base_path + ['interface', 'dum30'])
+
+        # exception is raised if partcipating interfaces do not have IPv4 address
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_delete(base_path + ['interface', 'dum10'])
+        self.cli_set(base_path + ['interface', 'dum40'])
+        self.cli_commit()
+
+        # Validate configuration values
+        conf = ConfigParser(delimiters='=')
+        conf.read(config_file)
+
+        self.assertEqual(conf['server']['use-ipv4'], 'no')
+        self.assertEqual(conf['server']['use-ipv6'], 'yes')
+        self.assertEqual(conf['server']['allow-interfaces'], 'dum30, dum40')
+        self.assertEqual(conf['reflector']['enable-reflector'], 'yes')
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_service_ndp-proxy.py b/smoketest/scripts/cli/test_service_ndp-proxy.py
new file mode 100755
index 000000000..a947ec478
--- /dev/null
+++ b/smoketest/scripts/cli/test_service_ndp-proxy.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+
+from vyos.configsession import ConfigSessionError
+from vyos.ifconfig import Section
+from vyos.utils.process import cmd
+from vyos.utils.process import process_named_running
+
+PROCESS_NAME = 'ndppd'
+NDPPD_CONF = '/run/ndppd/ndppd.conf'
+base_path = ['service', 'ndp-proxy']
+
+def getConfigSection(string=None, end=' {', endsection='^}'):
+    tmp = f'cat {NDPPD_CONF} | sed -n "/^{string}{end}/,/{endsection}/p"'
+    out = cmd(tmp)
+    return out
+
+class TestServiceNDPProxy(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestServiceNDPProxy, cls).setUpClass()
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+    def tearDown(self):
+        # Check for running process
+        self.assertTrue(process_named_running(PROCESS_NAME))
+
+        # delete testing SSH config
+        self.cli_delete(base_path)
+        self.cli_commit()
+
+        self.assertFalse(process_named_running(PROCESS_NAME))
+
+    def test_basic(self):
+        interfaces = Section.interfaces('ethernet')
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface])
+            self.cli_set(base_path + ['interface', interface, 'enable-router-bit'])
+
+        self.cli_commit()
+
+        for interface in interfaces:
+            config = getConfigSection(f'proxy {interface}')
+            self.assertIn(f'proxy {interface}', config)
+            self.assertIn(f'router yes', config)
+            self.assertIn(f'timeout 500', config) # default value
+            self.assertIn(f'ttl 30000', config) # default value
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_service_pppoe-server.py b/smoketest/scripts/cli/test_service_pppoe-server.py
index 963784f0a..fa3bb87db 100755
--- a/smoketest/scripts/cli/test_service_pppoe-server.py
+++ b/smoketest/scripts/cli/test_service_pppoe-server.py
@@ -32,7 +32,7 @@ class TestServicePPPoEServer(BasicAccelPPPTest.TestCase):
         cls._base_path = ['service', 'pppoe-server']
         cls._config_file = '/run/accel-pppd/pppoe.conf'
         cls._chap_secrets = '/run/accel-pppd/pppoe.chap-secrets'
-
+        cls._protocol_section = 'pppoe'
         # call base-classes classmethod
         super(TestServicePPPoEServer, cls).setUpClass()
 
@@ -65,13 +65,11 @@ class TestServicePPPoEServer(BasicAccelPPPTest.TestCase):
 
         super().verify(conf)
 
-    def basic_config(self):
+    def basic_protocol_specific_config(self):
         self.cli_set(local_if + ['address', '192.0.2.1/32'])
-
         self.set(['access-concentrator', ac_name])
         self.set(['interface', interface])
 
-        super().basic_config()
 
     def test_pppoe_server_ppp_options(self):
         # Test configuration of local authentication for PPPoE server
@@ -120,7 +118,6 @@ class TestServicePPPoEServer(BasicAccelPPPTest.TestCase):
         # check interface-cache
         self.assertEqual(conf['ppp']['unit-cache'], interface_cache)
 
-
     def test_pppoe_server_authentication_protocols(self):
         # Test configuration of local authentication for PPPoE server
         self.basic_config()
@@ -137,68 +134,25 @@ class TestServicePPPoEServer(BasicAccelPPPTest.TestCase):
 
         self.assertEqual(conf['modules']['auth_mschap_v2'], None)
 
-
-    def test_pppoe_server_client_ip_pool(self):
-        # Test configuration of IPv6 client pools
-        self.basic_config()
-
-        subnet = '172.18.0.0/24'
+    def test_pppoe_server_shaper(self):
         fwmark = '223'
-        limiter = 'htb'
-
-        self.set(['client-ip-pool', 'subnet', subnet])
+        limiter = 'tbf'
+        self.basic_config()
 
-        start = '192.0.2.10'
-        stop = '192.0.2.20'
-        stop_octet = stop.split('.')[3]
-        start_stop = f'{start}-{stop_octet}'
-        self.set(['client-ip-pool', 'start', start])
-        self.set(['client-ip-pool', 'stop', stop])
         self.set(['shaper', 'fwmark', fwmark])
-
         # commit changes
-        self.cli_commit()
-
-        # Validate configuration values
-        conf = ConfigParser(allow_no_value=True)
-        conf.read(self._config_file)
 
-        # check configured subnet
-        self.assertEqual(conf['ip-pool'][subnet], None)
-        self.assertEqual(conf['ip-pool'][start_stop], None)
-        self.assertEqual(conf['ip-pool']['gw-ip-address'], self._gateway)
-        self.assertEqual(conf['shaper']['fwmark'], fwmark)
-        self.assertEqual(conf['shaper']['down-limiter'], limiter)
-
-
-    def test_pppoe_server_client_ip_pool_name(self):
-        # Test configuration of named client pools
-        self.basic_config()
-
-        subnet = '192.0.2.0/24'
-        gateway = '192.0.2.1'
-        pool = 'VYOS'
-
-        subnet_name = f'{subnet},name'
-        gw_ip_prefix = f'{gateway}/24'
-
-        self.set(['client-ip-pool', 'name', pool, 'subnet', subnet])
-        self.set(['client-ip-pool', 'name', pool, 'gateway-address', gateway])
-        self.cli_delete(self._base_path + ['gateway-address'])
-
-        # commit changes
         self.cli_commit()
 
         # Validate configuration values
         conf = ConfigParser(allow_no_value=True, delimiters='=')
         conf.read(self._config_file)
 
-        # Validate configuration
-        self.assertEqual(conf['ip-pool'][subnet_name], pool)
-        self.assertEqual(conf['ip-pool']['gw-ip-address'], gateway)
-        self.assertEqual(conf['pppoe']['ip-pool'], pool)
-        self.assertEqual(conf['pppoe']['gw-ip-address'], gw_ip_prefix)
+        # basic verification
+        self.verify(conf)
 
+        self.assertEqual(conf['shaper']['fwmark'], fwmark)
+        self.assertEqual(conf['shaper']['down-limiter'], limiter)
 
     def test_pppoe_server_client_ipv6_pool(self):
         # Test configuration of IPv6 client pools
@@ -239,15 +193,10 @@ class TestServicePPPoEServer(BasicAccelPPPTest.TestCase):
         self.assertEqual(conf['ipv6-pool'][client_prefix], None)
         self.assertEqual(conf['ipv6-pool']['delegate'], f'{delegate_prefix},{delegate_mask}')
 
-
     def test_accel_radius_authentication(self):
         radius_called_sid = 'ifname:mac'
-        radius_acct_interim_jitter = '9'
-        radius_acct_interim_interval = '60'
 
         self.set(['authentication', 'radius', 'called-sid-format', radius_called_sid])
-        self.set(['authentication', 'radius', 'acct-interim-jitter', radius_acct_interim_jitter])
-        self.set(['authentication', 'radius', 'accounting-interim-interval', radius_acct_interim_interval])
 
         # run common tests
         super().test_accel_radius_authentication()
@@ -258,9 +207,6 @@ class TestServicePPPoEServer(BasicAccelPPPTest.TestCase):
 
         # Validate configuration
         self.assertEqual(conf['pppoe']['called-sid'], radius_called_sid)
-        self.assertEqual(conf['radius']['acct-interim-jitter'], radius_acct_interim_jitter)
-        self.assertEqual(conf['radius']['acct-interim-interval'], radius_acct_interim_interval)
-
 
     def test_pppoe_server_vlan(self):
 
@@ -284,5 +230,6 @@ class TestServicePPPoEServer(BasicAccelPPPTest.TestCase):
         tmp = ','.join(vlans)
         self.assertIn(f'vlan-mon={interface},{tmp}', config)
 
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_service_salt.py b/smoketest/scripts/cli/test_service_salt-minion.py
index 48a588b72..48a588b72 100755
--- a/smoketest/scripts/cli/test_service_salt.py
+++ b/smoketest/scripts/cli/test_service_salt-minion.py
diff --git a/smoketest/scripts/cli/test_system_frr.py b/smoketest/scripts/cli/test_system_frr.py
index 3eb0cd0ab..a2ce58bf6 100755
--- a/smoketest/scripts/cli/test_system_frr.py
+++ b/smoketest/scripts/cli/test_system_frr.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -16,13 +16,13 @@
 
 import re
 import unittest
+
 from base_vyostest_shim import VyOSUnitTestSHIM
 from vyos.utils.file import read_file
 
 config_file = '/etc/frr/daemons'
 base_path = ['system', 'frr']
 
-
 def daemons_config_parse(daemons_config):
     # create regex for parsing daemons options
     regex_daemon_config = re.compile(
@@ -33,13 +33,20 @@ def daemons_config_parse(daemons_config):
     for daemon in regex_daemon_config.finditer(daemons_config):
         daemon_name = daemon.group('daemon_name')
         daemon_options = daemon.group('daemon_options')
-        daemons_config_dict[daemon_name] = daemon_options
+        daemons_config_dict[daemon_name] = daemon_options.lstrip()
 
     # return daemons config
     return (daemons_config_dict)
 
 
 class TestSystemFRR(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestSystemFRR, cls).setUpClass()
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
 
     def tearDown(self):
         self.cli_delete(base_path)
@@ -64,7 +71,7 @@ class TestSystemFRR(VyOSUnitTestSHIM.TestCase):
             else:
                 self.assertFalse(snmp_enabled)
 
-    def test_frr_snmp_addandremove(self):
+    def test_frr_snmp_add_remove(self):
         # test enabling and disabling of SNMP integration
         test_daemon_names = ['ospfd', 'bgpd']
         for test_daemon_name in test_daemon_names:
@@ -124,7 +131,7 @@ class TestSystemFRR(VyOSUnitTestSHIM.TestCase):
         irdp_enabled = regex_irdp.match(daemons_config_dict['zebra'])
         self.assertTrue(irdp_enabled)
 
-    def test_frr_bmpandsnmp(self):
+    def test_frr_bmp_and_snmp(self):
         # test empty config section
         self.cli_set(base_path + ['bmp'])
         self.cli_set(base_path + ['snmp', 'bgpd'])
@@ -141,6 +148,15 @@ class TestSystemFRR(VyOSUnitTestSHIM.TestCase):
         self.assertTrue(bmp_enabled)
         self.assertTrue(snmp_enabled)
 
+    def test_frr_file_descriptors(self):
+        file_descriptors = '4096'
+
+        self.cli_set(base_path + ['descriptors', file_descriptors])
+        self.cli_commit()
+
+        # read the config file and check content
+        daemons_config = read_file(config_file)
+        self.assertIn(f'MAX_FDS={file_descriptors}', daemons_config)
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_system_nameserver.py b/smoketest/scripts/cli/test_system_nameserver.py
deleted file mode 100755
index 4979a7c72..000000000
--- a/smoketest/scripts/cli/test_system_nameserver.py
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import re
-import unittest
-
-from base_vyostest_shim import VyOSUnitTestSHIM
-
-from vyos.configsession import ConfigSessionError
-
-from vyos.utils.file import read_file
-
-RESOLV_CONF = '/etc/resolv.conf'
-
-test_servers = ['192.0.2.10', '2001:db8:1::100']
-base_path = ['system', 'name-server']
-
-def get_name_servers():
-    resolv_conf = read_file(RESOLV_CONF)
-    return re.findall(r'\n?nameserver\s+(.*)', resolv_conf)
-
-class TestSystemNameServer(VyOSUnitTestSHIM.TestCase):
-    def tearDown(self):
-        # Delete existing name servers
-        self.cli_delete(base_path)
-        self.cli_commit()
-
-    def test_nameserver_add(self):
-        # Check if server is added to resolv.conf
-        for s in test_servers:
-            self.cli_set(base_path + [s])
-        self.cli_commit()
-
-        servers = get_name_servers()
-        for s in servers:
-            self.assertTrue(s in servers)
-
-    def test_nameserver_delete(self):
-        # Test if a deleted server disappears from resolv.conf
-        for s in test_servers:
-          self.cli_delete(base_path + [s])
-        self.cli_commit()
-
-        servers = get_name_servers()
-        for s in servers:
-            self.assertTrue(test_server_1 not in servers)
-
-if __name__ == '__main__':
-    unittest.main(verbosity=2)
-
diff --git a/smoketest/scripts/cli/test_system_resolvconf.py b/smoketest/scripts/cli/test_system_resolvconf.py
new file mode 100755
index 000000000..d8726a301
--- /dev/null
+++ b/smoketest/scripts/cli/test_system_resolvconf.py
@@ -0,0 +1,112 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019-2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import re
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+
+from vyos.utils.file import read_file
+
+RESOLV_CONF = '/etc/resolv.conf'
+
+name_servers = ['192.0.2.10', '2001:db8:1::100']
+domain_name = 'vyos.net'
+domain_search = ['vyos.net', 'vyos.io']
+
+base_path_nameserver = ['system', 'name-server']
+base_path_domainname = ['system', 'domain-name']
+base_path_domainsearch = ['system', 'domain-search']
+
+def get_name_servers():
+    resolv_conf = read_file(RESOLV_CONF)
+    return re.findall(r'\n?nameserver\s+(.*)', resolv_conf)
+
+def get_domain_name():
+    resolv_conf = read_file(RESOLV_CONF)
+    res = re.findall(r'\n?domain\s+(.*)', resolv_conf)
+    return res[0] if res else None
+
+def get_domain_searches():
+    resolv_conf = read_file(RESOLV_CONF)
+    res = re.findall(r'\n?search\s+(.*)', resolv_conf)
+    return res[0].split() if res else []
+
+class TestSystemResolvConf(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestSystemResolvConf, cls).setUpClass()
+       # Clear out current configuration to allow running this test on a live system
+        cls.cli_delete(cls, base_path_nameserver)
+        cls.cli_delete(cls, base_path_domainname)
+        cls.cli_delete(cls, base_path_domainsearch)
+
+    def tearDown(self):
+        # Delete test entries servers
+        self.cli_delete(base_path_nameserver)
+        self.cli_delete(base_path_domainname)
+        self.cli_delete(base_path_domainsearch)
+        self.cli_commit()
+
+    def test_nameserver(self):
+        # Check if server is added to resolv.conf
+        for s in name_servers:
+            self.cli_set(base_path_nameserver + [s])
+        self.cli_commit()
+
+        for s in get_name_servers():
+            self.assertTrue(s in name_servers)
+
+        # Test if a deleted server disappears from resolv.conf
+        for s in name_servers:
+          self.cli_delete(base_path_nameserver + [s])
+        self.cli_commit()
+
+        for s in get_name_servers():
+            self.assertTrue(s not in name_servers)
+
+    def test_domainname(self):
+        # Check if domain-name is added to resolv.conf
+        self.cli_set(base_path_domainname + [domain_name])
+        self.cli_commit()
+
+        self.assertEqual(get_domain_name(), domain_name)
+
+        # Test if domain-name disappears from resolv.conf
+        self.cli_delete(base_path_domainname + [domain_name])
+        self.cli_commit()
+
+        self.assertTrue(get_domain_name() is None)
+
+    def test_domainsearch(self):
+        # Check if domain-search is added to resolv.conf
+        for s in domain_search:
+            self.cli_set(base_path_domainsearch + [s])
+        self.cli_commit()
+
+        for s in get_domain_searches():
+            self.assertTrue(s in domain_search)
+
+        # Test if domain-search disappears from resolv.conf
+        for s in domain_search:
+            self.cli_delete(base_path_domainsearch + [s])
+        self.cli_commit()
+
+        for s in get_domain_searches():
+            self.assertTrue(s not in domain_search)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_system_syslog.py b/smoketest/scripts/cli/test_system_syslog.py
new file mode 100755
index 000000000..933a5704c
--- /dev/null
+++ b/smoketest/scripts/cli/test_system_syslog.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019-2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import re
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+
+from vyos.configsession import ConfigSessionError
+from vyos.template import is_ipv4
+from vyos.template import address_from_cidr
+from vyos.utils.process import call
+from vyos.utils.process import DEVNULL
+from vyos.utils.file import read_file
+from vyos.utils.process import process_named_running
+from vyos.version import get_version_data
+
+PROCESS_NAME = 'rsyslogd'
+RSYSLOG_CONF = '/etc/rsyslog.d/00-vyos.conf'
+
+base_path = ['system', 'syslog']
+
+def get_config_value(key):
+    tmp = read_file(RSYSLOG_CONF)
+    tmp = re.findall(r'\n?{}\s+(.*)'.format(key), tmp)
+    return tmp[0]
+
+class TestRSYSLOGService(VyOSUnitTestSHIM.TestCase): 
+    @classmethod
+    def setUpClass(cls):
+        super(TestRSYSLOGService, cls).setUpClass()  
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+    def tearDown(self):
+        # Check for running process
+        self.assertTrue(process_named_running(PROCESS_NAME))
+
+        # delete testing SYSLOG config
+        self.cli_delete(base_path)
+        self.cli_commit()
+
+        # Check for running process
+        self.assertFalse(process_named_running(PROCESS_NAME))
+
+    def test_syslog_basic(self):
+        host1 = '198.51.100.1'
+        host2 = '192.0.2.1'
+
+        self.cli_set(base_path + ['host', host1, 'port', '999'])
+        self.cli_set(base_path + ['host', host1, 'facility', 'all', 'level', 'all'])
+        self.cli_set(base_path + ['host', host2, 'facility', 'kern', 'level', 'err'])
+        self.cli_set(base_path + ['console', 'facility', 'all', 'level', 'warning'])
+
+
+        self.cli_commit()
+        # verify log level and facilities in config file
+        # *.warning /dev/console
+        # *.* @198.51.100.1:999
+        # kern.err @192.0.2.1:514
+        config = [get_config_value('\*.\*'), get_config_value('kern.err'), get_config_value('\*.warning')]
+        expected = ['@198.51.100.1:999', '@192.0.2.1:514', '/dev/console']
+
+        for i in range(0,3):
+            self.assertIn(expected[i], config[i])
+        # Check for running process
+        self.assertTrue(process_named_running(PROCESS_NAME))
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 01b0406bf..f5369ee7a 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -18,6 +18,8 @@ import os
 import unittest
 
 from base_vyostest_shim import VyOSUnitTestSHIM
+
+from vyos.configsession import ConfigSessionError
 from vyos.utils.process import call
 from vyos.utils.process import process_named_running
 from vyos.utils.file import read_file
@@ -44,78 +46,66 @@ secret = 'MYSECRETKEY'
 PROCESS_NAME = 'charon-systemd'
 regex_uuid4 = '[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}'
 
+ca_name = 'MyVyOS-CA'
 ca_pem = """
-MIIDSzCCAjOgAwIBAgIUQHK+ZgTUYZksvXY2/MyW+Jiels4wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNjE0MTk0NTI3WhcNMzEw
-NjEyMTk0NTI3WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKCAzpatA8yywXhGunWD//6Qg9EMJMb+7didNr10
-DuYPPGyTOXwG4Xicbr0FJ6cNkWg4wj3ZXEqqBzgS1Z9u78yuYPt5LE9eM8Wtawp7
-qIUCMTlSu4uD3/4A3c1xfHDpTOEl1BDvxMtQxQZcMNQVUG5ZMdcWQvqvQG6F7Nak
-+jgkaQ+Gyhwq++KVTEHJsA6+POuD0uaqAJv3tLGrRf4y4zdOn4thuTQ9swIBjKW6
-ci78Dk0F4u24YYV2BHKsPEPIyCQxKSRrMvqVWWljX9HmNsGawyEhLvW34aphj0aD
-JL/n1kWm+DnGyM+Rp6pXQz5y3xAnmKeYziaQNnvHoQi+gY0CAwEAAaOBkDCBjTAd
-BgNVHQ4EFgQUy43jkjE+CORrxeddqofQztZ9UxYwUQYDVR0jBEowSIAUy43jkjE+
-CORrxeddqofQztZ9UxahGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRAcr5m
-BNRhmSy9djb8zJb4mJ6WzjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
-hkiG9w0BAQsFAAOCAQEALHdd1JXq6EUF9dSUijPLEiDVwn2TTIBIxvQqFzpWDDHg
-EWLzRJESyNUbIiwuUGwvqcVki0TmQcFR9XwmcDFDotlXz9OQISBlCW+Twuf4/XAL
-11njH8qXSaWF/wPbF35NOPhV5xOOCZ6K7Vilp3tK6LeOWvz2AUtwiVE1prNV3cIA
-B2ham0JASS0HIkfrcjpZNcx4NlSBaFf4MK5A11p13zPqMqzdEqn6n8fbYEADfVzy
-TfdqX1dPVc9zaM8uwyh5VyYBMDV7DoL384ZHJZYLENK/pT4kbl+sM/Cnhvyu0UCe
-RVqJGQtCdChZpDAVkzJRQYw3/FR8Mj+M+8GrgOrJ0w==
+MIICMDCCAdegAwIBAgIUBCzIjYvD7SPbx5oU18IYg7NVxQ0wCgYIKoZIzj0EAwIw
+ZzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv
+bWUtQ2l0eTENMAsGA1UECgwEVnlPUzEgMB4GA1UEAwwXSVBTZWMgU21va2V0ZXN0
+IFJvb3QgQ0EwHhcNMjMwOTI0MTIwMzQxWhcNMzMwOTIxMTIwMzQxWjBnMQswCQYD
+VQQGEwJHQjETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5
+MQ0wCwYDVQQKDARWeU9TMSAwHgYDVQQDDBdJUFNlYyBTbW9rZXRlc3QgUm9vdCBD
+QTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEh8/yU572B3zmFxrGgHk+H7grYt
+EHUJodY3gXNWMHz0gySrbGhsGtECDfP/G+T4Suk7cuVzB1wnLocSafD8TcqjYTBf
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsG
+AQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUTYoQJNlk7X87/gRegHnCnPef39Aw
+CgYIKoZIzj0EAwIDRwAwRAIgX1spXjrUc10r3g/Zm4O31LU5O08J2vVqFo94zHE5
+0VgCIG4JK9Zg5O/yn4mYksZux7efiHRUzL2y2TXQ9IqrqM8W
+"""
+
+int_ca_name = 'MyVyOS-IntCA'
+int_ca_pem = """
+MIICYDCCAgWgAwIBAgIUcFx2BVYErHI+SneyPYHijxXt1cgwCgYIKoZIzj0EAwIw
+ZzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv
+bWUtQ2l0eTENMAsGA1UECgwEVnlPUzEgMB4GA1UEAwwXSVBTZWMgU21va2V0ZXN0
+IFJvb3QgQ0EwHhcNMjMwOTI0MTIwNTE5WhcNMzMwOTIwMTIwNTE5WjBvMQswCQYD
+VQQGEwJHQjETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5
+MQ0wCwYDVQQKDARWeU9TMSgwJgYDVQQDDB9JUFNlYyBTbW9rZXRlc3QgSW50ZXJt
+ZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIHw2G5dq3c715AcA
+tzR++dYu1fLRFmHzRGTZOT7hLrh2Fg4hnKFPLOeUA5Qi50xCvjJ9JnonTyy2RfRH
+axYizKOBhjCBgzASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFC9KrFYtA+hO
+l7vdMbWxTMAyLB7BMB8GA1UdIwQYMBaAFE2KECTZZO1/O/4EXoB5wpz3n9/QMAoG
+CCqGSM49BAMCA0kAMEYCIQCnqWbElgOL9dGO3iLxasFNq/hM7vM/DzaiHi4BowxW
+0gIhAMohefNj+QgLfPhvyODHIPE9LMyfp7lJEaCC2K8PCSFD
 """
 
+peer_name = 'peer1'
 peer_cert = """
-MIIDZjCCAk6gAwIBAgIRAKHpoE0rTcB/YXhnFpeckngwDQYJKoZIhvcNAQELBQAw
-FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNjE0MjAwNDQ3WhcNMjQwNTI5
-MjAwNDQ3WjAQMQ4wDAYDVQQDDAVwZWVyMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALNwjDC1Lj2ojfCi1TESsyD0MLuqUVLTBZaXCXFtQdB/Aw3b3eBc
-J8+FUYQ6xMplmklXcjJEyXSMvqENpLX6xEDNWWvqTf22eEWt36QTfBeyFyDKtXnm
-4Y+ufXAHl3sLtyZN/7q+Xl4ubYvtAHVRLYzkXAtj1tVdaYEZQy8x/F3ZFFUsCfxR
-RqJBKTxcENP8STpIz9X8dS9iif9SBA42C0eHqMWv1tYW1IHO9gQxYFS3cvoPDPlD
-AJ3ihu5x3fO892S7FtZLVN/GsN1TKRKL217eVPyW0+QcnUwbrXWc7fnmm1btXVmh
-9YKPdtX8WnEeOtMCVZGKqdydnI3iAqvPmd0CAwEAAaOBtDCBsTAJBgNVHRMEAjAA
-MB0GA1UdDgQWBBQGsAPY4cHnTNUv7l+l8OYRSqcX8jBRBgNVHSMESjBIgBTLjeOS
-MT4I5GvF512qh9DO1n1TFqEapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCFEBy
-vmYE1GGZLL12NvzMlviYnpbOMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQE
-AwIFoDAQBgNVHREECTAHggVwZWVyMTANBgkqhkiG9w0BAQsFAAOCAQEAdJr+11eG
-FvChxu/LkwsXe2V+OZzGRq+hmQlaK3kG/AyI5hVA/IVHJkDe281wbBNKBWYxeSMn
-lAKbwuhPluO99oldzY9ZVkSiRmLh3r27wy/y+1plvoNxyTN7644Hvtk/8P/LV67R
-amXvVgkhpvIQSBfgifXzqUs+BV/x7TSeN3isxNOB8FP6imODsw8lF0Ir1Ze34emr
-TMNo5wNR5xp2dUa9OkzjRpgpifh20zM3UeVOixIPoq78IDjT0aZP8Lve2/g4Ccc6
-RHNF31r/2UL8rZfQRUAMijVdAvIINCk0kRBhNcr9MCi3czmmgiXXMGwLWLvSkfnE
-W06wKX1lpPSptg==
+MIICSTCCAfCgAwIBAgIUPxYleUgCo/glVVePze3QmAFgi6MwCgYIKoZIzj0EAwIw
+bzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv
+bWUtQ2l0eTENMAsGA1UECgwEVnlPUzEoMCYGA1UEAwwfSVBTZWMgU21va2V0ZXN0
+IEludGVybWVkaWF0ZSBDQTAeFw0yMzA5MjQxMjA2NDJaFw0yODA5MjIxMjA2NDJa
+MGQxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlT
+b21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxHTAbBgNVBAMMFElQU2VjIFNtb2tldGVz
+dCBQZWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZJtuTDu84uy++GMwRNLl
+10JAXZxXQSDl+CdTWwjbQZURcdY+ia7BoaoYX/0VKPel3Se64rIUQQLQoY/9MJb9
+UKN1MHMwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI
+KwYBBQUHAwEwHQYDVR0OBBYEFNJCdnkm3cAmf04UwOKL7IqMJ6OXMB8GA1UdIwQY
+MBaAFC9KrFYtA+hOl7vdMbWxTMAyLB7BMAoGCCqGSM49BAMCA0cAMEQCIGVnDRUy
+UJ0U/deDvrBo1+AakZndkNAMN/XNo5a5GzhEAiBCY7E/3b0BIO8FiIbVB3iDcaxg
+g7ET2RgWxvhEoN3ZRw==
 """
 
 peer_key = """
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCzcIwwtS49qI3w
-otUxErMg9DC7qlFS0wWWlwlxbUHQfwMN293gXCfPhVGEOsTKZZpJV3IyRMl0jL6h
-DaS1+sRAzVlr6k39tnhFrd+kE3wXshcgyrV55uGPrn1wB5d7C7cmTf+6vl5eLm2L
-7QB1US2M5FwLY9bVXWmBGUMvMfxd2RRVLAn8UUaiQSk8XBDT/Ek6SM/V/HUvYon/
-UgQONgtHh6jFr9bWFtSBzvYEMWBUt3L6Dwz5QwCd4obucd3zvPdkuxbWS1TfxrDd
-UykSi9te3lT8ltPkHJ1MG611nO355ptW7V1ZofWCj3bV/FpxHjrTAlWRiqncnZyN
-4gKrz5ndAgMBAAECggEACvAya4mv3uxWcrPKYSptpvWbvuTb/juE3LAqUDLDz0ze
-x8p+VP3pI1pSJMhcVKYq6IufF3df/G3T9Qda4gj+S6D48X4f8PZdkInP1zWk2+Ds
-TgBtXZf4agTN+rVLw6FsMbaRfzW5lO4pmV0CKSSgrTUCc2NLpkgCdW8vzEG0y5ek
-15uBOyvuydWM4CFgZT/cUvnu4UtPFL1vaTdD4Lw0FfZq4iS8SWsGbbMoTPKkJRlS
-k9oMEOvhA1WIfSgiG0FyaidoNEormB6J1SKVo27P8SOYu2etiFdF9SJUYg9cBzM3
-z3HcAsXeSh2kpc8Fc2yOS6zI5AsC0Len2SQmKQD8YQKBgQDlgg5cZV5AY2Ji6b+T
-nTHjna7dg/kzUOYs0AmK9DHHziZJ2SKucJlB9smynPLjY/MQbKcNWQ1Cad+olDNP
-Ts4lLhs4kbITkmgPQME3it1fGstHy/sGcF0m+YRsSxfwt5bxLXH86+d067C0XMhg
-URMgGv9ZBTe/P1LuhIUTEjYzlQKBgQDIJvl7sSXHRRB0k7NU/uV3Tut3NTqIzXiz
-pq9hMyF+3aIqaA7kdjIIJczv1grVYz+RUdX3Gu1FyHMl8ynoEz5NNWsbe+Ay/moa
-ztijak3UH3M+d6WsxSRehdYl6DaMstHwWfKZvWNJCGyl7ckz9gGjc3DY/qYqZDrx
-p3LlZsY7KQKBgQCj3ur2GgLkIpI7Yf9CHPlkNlCHJhYnB9pxoNFPf/CTY6R/EiTr
-PMaRDO8TM3FR3ynMTmgw5abMBuCFc9v3AqO6dGNHTvBBfUYDrg7H48UQhQckaocA
-H/bDP2HIGQ4s+Ek0R2ieWKpZF3iCL8V60CjBwcUVAN6/FS3X1JNX/KbqyQKBgQDA
-8dlk5PN/MlPXnZ6t2/7G0bxpsVVZFYI65P+CGvE6RFuUt7VLhalbc10pAtR0unVI
-GHTD/iAnOkHOnqeSQiK3+TvkRbluTxVn/GiYt9yJFTxaRqrebzlNKYW0CzOy1JtP
-MNaOYCS6/bUHC7//KDKSJ7HsbScwDGlKFVrMTBPiaQKBgQCjkIJDZ4pC3er7QiC3
-RXWPyxIG5iTjn4fizphaBt6+pkBAlBh0V6inmleAWa5DJSpgU4jQv4mZsAQs6ctq
-usmoy47ke8pTXPHgQ8ZUwsfM4IztqOm+w0X6mSZi6HdJCnMdxCZBBpO225UvonSR
-rgiyCHemtMepq57Pl1Nmj49eEA==
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgVDEZDK7q/T+tiJUV
+WLKS3ZYDfZ4lZv0C1gJpYq0gWP2hRANCAARkm25MO7zi7L74YzBE0uXXQkBdnFdB
+IOX4J1NbCNtBlRFx1j6JrsGhqhhf/RUo96XdJ7rishRBAtChj/0wlv1Q
 """
 
+swanctl_dir = '/etc/swanctl'
+CERT_PATH   = f'{swanctl_dir}/x509/'
+CA_PATH     = f'{swanctl_dir}/x509ca/'
+
 class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
     skip_process_check = False
 
@@ -125,6 +115,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
         # ensure we can also run this test on a live system - so lets clean
         # out the current configuration :)
         cls.cli_delete(cls, base_path)
+        cls.cli_delete(cls, ['pki'])
 
         cls.cli_set(cls, base_path + ['interface', f'{interface}.{vif}'])
 
@@ -155,6 +146,15 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
         # Check for no longer running process
         self.assertFalse(process_named_running(PROCESS_NAME))
 
+    def setupPKI(self):
+        self.cli_set(['pki', 'ca', ca_name, 'certificate', ca_pem.replace('\n','')])
+        self.cli_set(['pki', 'ca', int_ca_name, 'certificate', int_ca_pem.replace('\n','')])
+        self.cli_set(['pki', 'certificate', peer_name, 'certificate', peer_cert.replace('\n','')])
+        self.cli_set(['pki', 'certificate', peer_name, 'private', 'key', peer_key.replace('\n','')])
+
+    def tearDownPKI(self):
+        self.cli_delete(['pki'])
+
     def test_01_dhcp_fail_handling(self):
         # Skip process check - connection is not created for this test
         self.skip_process_check = True
@@ -398,11 +398,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
 
     def test_05_x509_site2site(self):
         # Enable PKI
-        peer_name = 'peer1'
-        ca_name = 'MyVyOS-CA'
-        self.cli_set(['pki', 'ca', ca_name, 'certificate', ca_pem.replace('\n','')])
-        self.cli_set(['pki', 'certificate', peer_name, 'certificate', peer_cert.replace('\n','')])
-        self.cli_set(['pki', 'certificate', peer_name, 'private', 'key', peer_key.replace('\n','')])
+        self.setupPKI()
 
         vti = 'vti20'
         self.cli_set(vti_path + [vti, 'address', '192.168.0.1/31'])
@@ -415,7 +411,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
         self.cli_set(peer_base_path + ['authentication', 'local-id', peer_name])
         self.cli_set(peer_base_path + ['authentication', 'mode', 'x509'])
         self.cli_set(peer_base_path + ['authentication', 'remote-id', 'peer2'])
-        self.cli_set(peer_base_path + ['authentication', 'x509', 'ca-certificate', ca_name])
+        self.cli_set(peer_base_path + ['authentication', 'x509', 'ca-certificate', int_ca_name])
         self.cli_set(peer_base_path + ['authentication', 'x509', 'certificate', peer_name])
         self.cli_set(peer_base_path + ['connection-type', 'initiate'])
         self.cli_set(peer_base_path + ['ike-group', ike_group])
@@ -466,9 +462,17 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
         for line in swanctl_secrets_lines:
             self.assertIn(line, swanctl_conf)
 
+        # Check Root CA, Intermediate CA and Peer cert/key pair is present
+        self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}_1.pem')))
+        self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}_2.pem')))
+        self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
+
         # There is only one VTI test so no need to delete this globally in tearDown()
         self.cli_delete(vti_path)
 
+        # Disable PKI
+        self.tearDownPKI()
+
 
     def test_06_flex_vpn_vips(self):
         local_address = '192.0.2.5'
@@ -545,5 +549,351 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
             self.assertIn(line, charon_conf)
 
 
+    def test_07_ikev2_road_warrior(self):
+        # This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17
+        self.setupPKI()
+
+        ike_group = 'IKE-RW'
+        esp_group = 'ESP-RW'
+
+        conn_name = 'vyos-rw'
+        local_address = '192.0.2.1'
+        ip_pool_name = 'ra-rw-ipv4'
+        username = 'vyos'
+        password = 'secret'
+        ike_lifetime = '7200'
+        eap_lifetime = '3600'
+        local_id = 'ipsec.vyos.net'
+
+        name_servers = ['172.16.254.100', '172.16.254.101']
+        prefix = '172.16.250.0/28'
+
+        # IKE
+        self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', ike_lifetime])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'dh-group', '14'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'hash', 'sha512'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2',  'dh-group', '14'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2',  'hash', 'sha256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3',  'dh-group', '2'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3',  'hash', 'sha256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'dh-group', '14'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'encryption', 'aes128gcm128'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'hash', 'sha256'])
+
+        # ESP
+        self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', eap_lifetime])
+        self.cli_set(base_path + ['esp-group', esp_group, 'pfs', 'disable'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1',  'hash', 'sha512'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2',  'hash', 'sha384'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3',  'hash', 'sha256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '4',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '4',  'hash', 'sha1'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '10', 'encryption', 'aes128gcm128'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '10', 'hash', 'sha256'])
+
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'local-id', local_id])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'local-users', 'username', username, 'password', password])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'server-mode', 'x509'])
+
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'certificate', peer_name])
+        # verify() - CA cert required for x509 auth
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'ca-certificate', ca_name])
+
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'esp-group', esp_group])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'ike-group', ike_group])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'local-address', local_address])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'pool', ip_pool_name])
+
+        for ns in name_servers:
+            self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', ns])
+        self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', prefix])
+
+        self.cli_commit()
+
+        # verify applied configuration
+        swanctl_conf = read_file(swanctl_file)
+        swanctl_lines = [
+            f'{conn_name}',
+            f'remote_addrs = %any',
+            f'local_addrs = {local_address}',
+            f'proposals = aes256-sha512-modp2048,aes256-sha256-modp2048,aes256-sha256-modp1024,aes128gcm128-sha256-modp2048',
+            f'version = 2',
+            f'send_certreq = no',
+            f'rekey_time = {ike_lifetime}s',
+            f'keyingtries = 0',
+            f'pools = {ip_pool_name}',
+            f'id = "{local_id}"',
+            f'auth = pubkey',
+            f'certs = peer1.pem',
+            f'auth = eap-mschapv2',
+            f'eap_id = %any',
+            f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256',
+            f'rekey_time = {eap_lifetime}s',
+            f'rand_time = 540s',
+            f'dpd_action = clear',
+            f'inactivity = 28800',
+            f'local_ts = 0.0.0.0/0,::/0',
+        ]
+        for line in swanctl_lines:
+            self.assertIn(line, swanctl_conf)
+
+        swanctl_secrets_lines = [
+            f'eap-{conn_name}-{username}',
+            f'secret = "{password}"',
+            f'id-{conn_name}-{username} = "{username}"',
+        ]
+        for line in swanctl_secrets_lines:
+            self.assertIn(line, swanctl_conf)
+
+        swanctl_pool_lines = [
+            f'{ip_pool_name}',
+            f'addrs = {prefix}',
+            f'dns = {",".join(name_servers)}',
+        ]
+        for line in swanctl_pool_lines:
+            self.assertIn(line, swanctl_conf)
+
+        # Check Root CA, Intermediate CA and Peer cert/key pair is present
+        self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}_1.pem')))
+        self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
+
+        self.tearDownPKI()
+
+    def test_08_ikev2_road_warrior_client_auth_eap_tls(self):
+        # This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17
+        self.setupPKI()
+
+        ike_group = 'IKE-RW'
+        esp_group = 'ESP-RW'
+
+        conn_name = 'vyos-rw'
+        local_address = '192.0.2.1'
+        ip_pool_name = 'ra-rw-ipv4'
+        username = 'vyos'
+        password = 'secret'
+        ike_lifetime = '7200'
+        eap_lifetime = '3600'
+        local_id = 'ipsec.vyos.net'
+
+        name_servers = ['172.16.254.100', '172.16.254.101']
+        prefix = '172.16.250.0/28'
+
+        # IKE
+        self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', ike_lifetime])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'dh-group', '14'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'hash', 'sha512'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2',  'dh-group', '14'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2',  'hash', 'sha256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3',  'dh-group', '2'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3',  'hash', 'sha256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'dh-group', '14'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'encryption', 'aes128gcm128'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'hash', 'sha256'])
+
+        # ESP
+        self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', eap_lifetime])
+        self.cli_set(base_path + ['esp-group', esp_group, 'pfs', 'disable'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1',  'hash', 'sha512'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2',  'hash', 'sha384'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3',  'hash', 'sha256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '4',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '4',  'hash', 'sha1'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '10', 'encryption', 'aes128gcm128'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '10', 'hash', 'sha256'])
+
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'local-id', local_id])
+        # Use EAP-TLS auth instead of default EAP-MSCHAPv2
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'client-mode', 'eap-tls'])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'server-mode', 'x509'])
+
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'certificate', peer_name])
+        # verify() - CA cert required for x509 auth
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'ca-certificate', ca_name])
+
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'esp-group', esp_group])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'ike-group', ike_group])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'local-address', local_address])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'pool', ip_pool_name])
+
+        for ns in name_servers:
+            self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', ns])
+        self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', prefix])
+
+        self.cli_commit()
+
+        # verify applied configuration
+        swanctl_conf = read_file(swanctl_file)
+        swanctl_lines = [
+            f'{conn_name}',
+            f'remote_addrs = %any',
+            f'local_addrs = {local_address}',
+            f'proposals = aes256-sha512-modp2048,aes256-sha256-modp2048,aes256-sha256-modp1024,aes128gcm128-sha256-modp2048',
+            f'version = 2',
+            f'send_certreq = no',
+            f'rekey_time = {ike_lifetime}s',
+            f'keyingtries = 0',
+            f'pools = {ip_pool_name}',
+            f'id = "{local_id}"',
+            f'auth = pubkey',
+            f'certs = peer1.pem',
+            f'auth = eap-tls',
+            f'eap_id = %any',
+            f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256',
+            f'rekey_time = {eap_lifetime}s',
+            f'rand_time = 540s',
+            f'dpd_action = clear',
+            f'inactivity = 28800',
+            f'local_ts = 0.0.0.0/0,::/0',
+        ]
+        for line in swanctl_lines:
+            self.assertIn(line, swanctl_conf)
+
+        swanctl_pool_lines = [
+            f'{ip_pool_name}',
+            f'addrs = {prefix}',
+            f'dns = {",".join(name_servers)}',
+        ]
+        for line in swanctl_pool_lines:
+            self.assertIn(line, swanctl_conf)
+
+        # Check Root CA, Intermediate CA and Peer cert/key pair is present
+        self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}_1.pem')))
+        self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
+
+        self.tearDownPKI()
+
+    def test_09_ikev2_road_warrior_client_auth_x509(self):
+        # This is a known to be good configuration for Microsoft Windows 10 and Apple iOS 17
+        self.setupPKI()
+
+        ike_group = 'IKE-RW'
+        esp_group = 'ESP-RW'
+
+        conn_name = 'vyos-rw'
+        local_address = '192.0.2.1'
+        ip_pool_name = 'ra-rw-ipv4'
+        ike_lifetime = '7200'
+        eap_lifetime = '3600'
+        local_id = 'ipsec.vyos.net'
+
+        name_servers = ['172.16.254.100', '172.16.254.101']
+        prefix = '172.16.250.0/28'
+
+        # IKE
+        self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', ike_lifetime])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'dh-group', '14'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1',  'hash', 'sha512'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2',  'dh-group', '14'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2',  'hash', 'sha256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3',  'dh-group', '2'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '3',  'hash', 'sha256'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'dh-group', '14'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'encryption', 'aes128gcm128'])
+        self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '10', 'hash', 'sha256'])
+
+        # ESP
+        self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', eap_lifetime])
+        self.cli_set(base_path + ['esp-group', esp_group, 'pfs', 'disable'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1',  'hash', 'sha512'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2',  'hash', 'sha384'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3',  'hash', 'sha256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '4',  'encryption', 'aes256'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '4',  'hash', 'sha1'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '10', 'encryption', 'aes128gcm128'])
+        self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '10', 'hash', 'sha256'])
+
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'local-id', local_id])
+        # Use client-mode x509 instead of default EAP-MSCHAPv2
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'client-mode', 'x509'])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'server-mode', 'x509'])
+
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'certificate', peer_name])
+        # verify() - CA cert required for x509 auth
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'authentication', 'x509', 'ca-certificate', ca_name])
+
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'esp-group', esp_group])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'ike-group', ike_group])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'local-address', local_address])
+        self.cli_set(base_path + ['remote-access', 'connection', conn_name, 'pool', ip_pool_name])
+
+        for ns in name_servers:
+            self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'name-server', ns])
+        self.cli_set(base_path + ['remote-access', 'pool', ip_pool_name, 'prefix', prefix])
+
+        self.cli_commit()
+
+        # verify applied configuration
+        swanctl_conf = read_file(swanctl_file)
+        swanctl_lines = [
+            f'{conn_name}',
+            f'remote_addrs = %any',
+            f'local_addrs = {local_address}',
+            f'proposals = aes256-sha512-modp2048,aes256-sha256-modp2048,aes256-sha256-modp1024,aes128gcm128-sha256-modp2048',
+            f'version = 2',
+            f'send_certreq = no',
+            f'rekey_time = {ike_lifetime}s',
+            f'keyingtries = 0',
+            f'pools = {ip_pool_name}',
+            f'id = "{local_id}"',
+            f'auth = pubkey',
+            f'certs = peer1.pem',
+            f'esp_proposals = aes256-sha512,aes256-sha384,aes256-sha256,aes256-sha1,aes128gcm128-sha256',
+            f'rekey_time = {eap_lifetime}s',
+            f'rand_time = 540s',
+            f'dpd_action = clear',
+            f'inactivity = 28800',
+            f'local_ts = 0.0.0.0/0,::/0',
+        ]
+        for line in swanctl_lines:
+            self.assertIn(line, swanctl_conf)
+
+        swanctl_unexpected_lines = [
+            f'auth = eap-',
+            f'eap_id'
+        ]
+        for unexpected_line in swanctl_unexpected_lines:
+            self.assertNotIn(unexpected_line, swanctl_conf)
+
+        swanctl_pool_lines = [
+            f'{ip_pool_name}',
+            f'addrs = {prefix}',
+            f'dns = {",".join(name_servers)}',
+        ]
+        for line in swanctl_pool_lines:
+            self.assertIn(line, swanctl_conf)
+
+        # Check Root CA, Intermediate CA and Peer cert/key pair is present
+        self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{ca_name}_1.pem')))
+        self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
+
+        self.tearDownPKI()
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_vpn_l2tp.py b/smoketest/scripts/cli/test_vpn_l2tp.py
new file mode 100755
index 000000000..5b3e419bd
--- /dev/null
+++ b/smoketest/scripts/cli/test_vpn_l2tp.py
@@ -0,0 +1,135 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import re
+import unittest
+
+from base_accel_ppp_test import BasicAccelPPPTest
+from configparser import ConfigParser
+from vyos.utils.process import cmd
+
+
+class TestVPNL2TPServer(BasicAccelPPPTest.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls._base_path = ['vpn', 'l2tp', 'remote-access']
+        cls._config_file = '/run/accel-pppd/l2tp.conf'
+        cls._chap_secrets = '/run/accel-pppd/l2tp.chap-secrets'
+        cls._protocol_section = 'l2tp'
+        # call base-classes classmethod
+        super(TestVPNL2TPServer, cls).setUpClass()
+
+    @classmethod
+    def tearDownClass(cls):
+        super(TestVPNL2TPServer, cls).tearDownClass()
+
+    def basic_protocol_specific_config(self):
+        pass
+
+    def test_l2tp_server_ppp_options(self):
+        # Test configuration of local authentication for PPPoE server
+        self.basic_config()
+        mtu = '1425'
+        lcp_echo_failure = '5'
+        lcp_echo_interval = '40'
+        lcp_echo_timeout = '3000'
+        # other settings
+        mppe = 'require'
+        self.set(['ccp-disable'])
+        self.set(['ppp-options', 'mppe', mppe])
+        self.set(['authentication', 'radius', 'preallocate-vif'])
+        self.set(['mtu', mtu])
+        self.set(['ppp-options', 'lcp-echo-failure', lcp_echo_failure])
+        self.set(['ppp-options', 'lcp-echo-interval', lcp_echo_interval])
+        self.set(['ppp-options', 'lcp-echo-timeout', lcp_echo_timeout])
+
+        # commit changes
+        self.cli_commit()
+
+        # Validate configuration values
+        conf = ConfigParser(allow_no_value=True, delimiters='=')
+        conf.read(self._config_file)
+
+        # basic verification
+        self.verify(conf)
+
+        # check ppp
+        self.assertEqual(conf['ppp']['mppe'], mppe)
+        self.assertFalse(conf['ppp'].getboolean('ccp'))
+        self.assertEqual(conf['ppp']['unit-preallocate'], '1')
+        self.assertTrue(conf['ppp'].getboolean('verbose'))
+        self.assertTrue(conf['ppp'].getboolean('check-ip'))
+        self.assertEqual(conf['ppp']['mtu'], mtu)
+        self.assertEqual(conf['ppp']['lcp-echo-interval'], lcp_echo_interval)
+        self.assertEqual(conf['ppp']['lcp-echo-timeout'], lcp_echo_timeout)
+        self.assertEqual(conf['ppp']['lcp-echo-failure'], lcp_echo_failure)
+
+    def test_l2tp_server_authentication_protocols(self):
+        # Test configuration of local authentication for PPPoE server
+        self.basic_config()
+
+        # explicitly test mschap-v2 - no special reason
+        self.set( ['authentication', 'protocols', 'mschap-v2'])
+
+        # commit changes
+        self.cli_commit()
+
+        # Validate configuration values
+        conf = ConfigParser(allow_no_value=True)
+        conf.read(self._config_file)
+
+        self.assertEqual(conf['modules']['auth_mschap_v2'], None)
+
+    def test_l2tp_server_client_ipv6_pool(self):
+        # Test configuration of IPv6 client pools
+        self.basic_config()
+
+        # Enable IPv6
+        allow_ipv6 = 'allow'
+        random = 'random'
+        self.set(['ppp-options', 'ipv6', allow_ipv6])
+        self.set(['ppp-options', 'ipv6-intf-id', random])
+        self.set(['ppp-options', 'ipv6-accept-peer-intf-id'])
+        self.set(['ppp-options', 'ipv6-peer-intf-id', random])
+
+        prefix = '2001:db8:ffff::/64'
+        prefix_mask = '128'
+        client_prefix = f'{prefix},{prefix_mask}'
+        self.set(['client-ipv6-pool', 'prefix', prefix, 'mask', prefix_mask])
+
+        delegate_prefix = '2001:db8::/40'
+        delegate_mask = '56'
+        self.set(['client-ipv6-pool', 'delegate', delegate_prefix, 'delegation-prefix', delegate_mask])
+
+        # commit changes
+        self.cli_commit()
+
+        # Validate configuration values
+        conf = ConfigParser(allow_no_value=True, delimiters='=')
+        conf.read(self._config_file)
+
+        for tmp in ['ipv6pool', 'ipv6_nd', 'ipv6_dhcp']:
+            self.assertEqual(conf['modules'][tmp], None)
+
+        self.assertEqual(conf['ppp']['ipv6'], allow_ipv6)
+        self.assertEqual(conf['ppp']['ipv6-intf-id'], random)
+        self.assertEqual(conf['ppp']['ipv6-peer-intf-id'], random)
+        self.assertTrue(conf['ppp'].getboolean('ipv6-accept-peer-intf-id'))
+
+        self.assertEqual(conf['ipv6-pool'][client_prefix], None)
+        self.assertEqual(conf['ipv6-pool']['delegate'], f'{delegate_prefix},{delegate_mask}')
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py
index 04abeb1aa..c4502fada 100755
--- a/smoketest/scripts/cli/test_vpn_openconnect.py
+++ b/smoketest/scripts/cli/test_vpn_openconnect.py
@@ -141,5 +141,26 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
         otp_config = read_file(otp_file)
         self.assertIn(f'HOTP/T30/6 {user} - {otp}', otp_config)
 
+
+        # Verify HTTP security headers
+        self.cli_set(base_path + ['http-security-headers'])
+        self.cli_commit()
+
+        daemon_config = read_file(config_file)
+
+        self.assertIn('included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains', daemon_config)
+        self.assertIn('included-http-headers = X-Frame-Options: deny', daemon_config)
+        self.assertIn('included-http-headers = X-Content-Type-Options: nosniff', daemon_config)
+        self.assertIn('included-http-headers = Content-Security-Policy: default-src "none"', daemon_config)
+        self.assertIn('included-http-headers = X-Permitted-Cross-Domain-Policies: none', daemon_config)
+        self.assertIn('included-http-headers = Referrer-Policy: no-referrer', daemon_config)
+        self.assertIn('included-http-headers = Clear-Site-Data: "cache","cookies","storage"', daemon_config)
+        self.assertIn('included-http-headers = Cross-Origin-Embedder-Policy: require-corp', daemon_config)
+        self.assertIn('included-http-headers = Cross-Origin-Opener-Policy: same-origin', daemon_config)
+        self.assertIn('included-http-headers = Cross-Origin-Resource-Policy: same-origin', daemon_config)
+        self.assertIn('included-http-headers = X-XSS-Protection: 0', daemon_config)
+        self.assertIn('included-http-headers = Pragma: no-cache', daemon_config)
+        self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config)
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_vpn_pptp.py b/smoketest/scripts/cli/test_vpn_pptp.py
new file mode 100755
index 000000000..0d9ea312e
--- /dev/null
+++ b/smoketest/scripts/cli/test_vpn_pptp.py
@@ -0,0 +1,223 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import re
+import unittest
+
+from configparser import ConfigParser
+from vyos.utils.process import cmd
+from base_accel_ppp_test import BasicAccelPPPTest
+from vyos.template import is_ipv4
+
+
+class TestVPNPPTPServer(BasicAccelPPPTest.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls._base_path = ['vpn', 'pptp', 'remote-access']
+        cls._config_file = '/run/accel-pppd/pptp.conf'
+        cls._chap_secrets = '/run/accel-pppd/pptp.chap-secrets'
+        cls._protocol_section = 'pptp'
+        # call base-classes classmethod
+        super(TestVPNPPTPServer, cls).setUpClass()
+
+    @classmethod
+    def tearDownClass(cls):
+        super(TestVPNPPTPServer, cls).tearDownClass()
+
+    def basic_protocol_specific_config(self):
+        pass
+
+    def test_accel_name_servers(self):
+        # Verify proper Name-Server configuration for IPv4
+        self.basic_config()
+
+        nameserver = ["192.0.2.1", "192.0.2.2"]
+        for ns in nameserver:
+            self.set(["name-server", ns])
+
+        # commit changes
+        self.cli_commit()
+
+        # Validate configuration values
+        conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
+        conf.read(self._config_file)
+
+        # IPv4 and IPv6 nameservers must be checked individually
+        for ns in nameserver:
+            self.assertIn(ns, [conf["dns"]["dns1"], conf["dns"]["dns2"]])
+
+    def test_accel_local_authentication(self):
+        # Test configuration of local authentication
+        self.basic_config()
+
+        # upload / download limit
+        user = "test"
+        password = "test2"
+        static_ip = "100.100.100.101"
+        upload = "5000"
+        download = "10000"
+
+        self.set(
+            [
+                "authentication",
+                "local-users",
+                "username",
+                user,
+                "password",
+                password,
+            ]
+        )
+        self.set(
+            [
+                "authentication",
+                "local-users",
+                "username",
+                user,
+                "static-ip",
+                static_ip,
+            ]
+        )
+
+        # commit changes
+        self.cli_commit()
+
+        # Validate configuration values
+        conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
+        conf.read(self._config_file)
+
+        # check proper path to chap-secrets file
+        self.assertEqual(conf["chap-secrets"]["chap-secrets"], self._chap_secrets)
+
+        # basic verification
+        self.verify(conf)
+
+        # check local users
+        tmp = cmd(f"sudo cat {self._chap_secrets}")
+        regex = f"{user}\s+\*\s+{password}\s+{static_ip}\s"
+        tmp = re.findall(regex, tmp)
+        self.assertTrue(tmp)
+
+        # Check local-users default value(s)
+        self.delete(["authentication", "local-users", "username", user, "static-ip"])
+        # commit changes
+        self.cli_commit()
+
+        # check local users
+        tmp = cmd(f"sudo cat {self._chap_secrets}")
+        regex = f"{user}\s+\*\s+{password}\s+\*\s"
+        tmp = re.findall(regex, tmp)
+        self.assertTrue(tmp)
+
+    def test_accel_radius_authentication(self):
+        # Test configuration of RADIUS authentication for PPPoE server
+        self.basic_config()
+
+        radius_server = "192.0.2.22"
+        radius_key = "secretVyOS"
+        radius_port = "2000"
+        radius_port_acc = "3000"
+
+        self.set(["authentication", "mode", "radius"])
+        self.set(
+            ["authentication", "radius", "server", radius_server, "key", radius_key]
+        )
+        self.set(
+            [
+                "authentication",
+                "radius",
+                "server",
+                radius_server,
+                "port",
+                radius_port,
+            ]
+        )
+        self.set(
+            [
+                "authentication",
+                "radius",
+                "server",
+                radius_server,
+                "acct-port",
+                radius_port_acc,
+            ]
+        )
+
+        nas_id = "VyOS-PPPoE"
+        nas_ip = "7.7.7.7"
+        self.set(["authentication", "radius", "nas-identifier", nas_id])
+        self.set(["authentication", "radius", "nas-ip-address", nas_ip])
+
+        source_address = "1.2.3.4"
+        self.set(["authentication", "radius", "source-address", source_address])
+
+        # commit changes
+        self.cli_commit()
+
+        # Validate configuration values
+        conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False)
+        conf.read(self._config_file)
+
+        # basic verification
+        self.verify(conf)
+
+        # check auth
+        self.assertTrue(conf["radius"].getboolean("verbose"))
+        self.assertEqual(conf["radius"]["acct-timeout"], "30")
+        self.assertEqual(conf["radius"]["timeout"], "30")
+        self.assertEqual(conf["radius"]["max-try"], "3")
+
+        self.assertEqual(conf["radius"]["nas-identifier"], nas_id)
+        self.assertEqual(conf["radius"]["nas-ip-address"], nas_ip)
+        self.assertEqual(conf["radius"]["bind"], source_address)
+
+        server = conf["radius"]["server"].split(",")
+        self.assertEqual(radius_server, server[0])
+        self.assertEqual(radius_key, server[1])
+        self.assertEqual(f"auth-port={radius_port}", server[2])
+        self.assertEqual(f"acct-port={radius_port_acc}", server[3])
+        self.assertEqual(f"req-limit=0", server[4])
+        self.assertEqual(f"fail-time=0", server[5])
+
+        #
+        # Disable Radius Accounting
+        #
+        self.delete(["authentication", "radius", "server", radius_server, "acct-port"])
+        self.set(
+            [
+                "authentication",
+                "radius",
+                "server",
+                radius_server,
+                "disable-accounting",
+            ]
+        )
+
+        # commit changes
+        self.cli_commit()
+
+        conf.read(self._config_file)
+
+        server = conf["radius"]["server"].split(",")
+        self.assertEqual(radius_server, server[0])
+        self.assertEqual(radius_key, server[1])
+        self.assertEqual(f"auth-port={radius_port}", server[2])
+        self.assertEqual(f"acct-port=0", server[3])
+        self.assertEqual(f"req-limit=0", server[4])
+        self.assertEqual(f"fail-time=0", server[5])
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_vpn_sstp.py b/smoketest/scripts/cli/test_vpn_sstp.py
index 232eafcf2..f0695d577 100755
--- a/smoketest/scripts/cli/test_vpn_sstp.py
+++ b/smoketest/scripts/cli/test_vpn_sstp.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020-2022 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -47,7 +47,7 @@ class TestVPNSSTPServer(BasicAccelPPPTest.TestCase):
         cls._base_path = ['vpn', 'sstp']
         cls._config_file = '/run/accel-pppd/sstp.conf'
         cls._chap_secrets = '/run/accel-pppd/sstp.chap-secrets'
-
+        cls._protocol_section = 'sstp'
         # call base-classes classmethod
         super(TestVPNSSTPServer, cls).setUpClass()
 
@@ -58,26 +58,23 @@ class TestVPNSSTPServer(BasicAccelPPPTest.TestCase):
     @classmethod
     def tearDownClass(cls):
         cls.cli_delete(cls, pki_path)
-
         super(TestVPNSSTPServer, cls).tearDownClass()
 
-    def basic_config(self):
-        # SSL is mandatory
+    def basic_protocol_specific_config(self):
         self.set(['ssl', 'ca-certificate', 'sstp'])
         self.set(['ssl', 'certificate', 'sstp'])
-        self.set(['client-ip-pool', 'subnet', '192.0.2.0/24'])
-
-        super().basic_config()
 
     def test_accel_local_authentication(self):
         # Change default port
         port = '8443'
         self.set(['port', port])
 
+        self.basic_config()
         super().test_accel_local_authentication()
 
         config = read_file(self._config_file)
         self.assertIn(f'port={port}', config)
 
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_vrf.py b/smoketest/scripts/cli/test_vrf.py
index 0f658f366..6207a1b41 100755
--- a/smoketest/scripts/cli/test_vrf.py
+++ b/smoketest/scripts/cli/test_vrf.py
@@ -30,6 +30,7 @@ from vyos.utils.process import cmd
 from vyos.utils.file import read_file
 from vyos.utils.network import get_interface_config
 from vyos.utils.network import is_intf_addr_assigned
+from vyos.utils.system import sysctl_read
 
 base_path = ['vrf']
 vrfs = ['red', 'green', 'blue', 'foo-bar', 'baz_foo']
@@ -58,6 +59,8 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
         self.cli_commit()
         for vrf in vrfs:
             self.assertNotIn(vrf, interfaces())
+        # If there is no VRF defined, strict_mode should be off
+        self.assertEqual(sysctl_read('net.vrf.strict_mode'), '0')
 
     def test_vrf_vni_and_table_id(self):
         base_table = '1000'
@@ -130,8 +133,9 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
             # Ensure VRF was created
             self.assertIn(vrf, interfaces())
             # Verify IP forwarding is 1 (enabled)
-            self.assertEqual(read_file(f'/proc/sys/net/ipv4/conf/{vrf}/forwarding'), '1')
-            self.assertEqual(read_file(f'/proc/sys/net/ipv6/conf/{vrf}/forwarding'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv4.conf.{vrf}.forwarding'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{vrf}.forwarding'), '1')
+
             # Test for proper loopback IP assignment
             for addr in loopbacks:
                 self.assertTrue(is_intf_addr_assigned(vrf, addr))
@@ -149,10 +153,11 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
         self.cli_commit()
 
         # Verify VRF configuration
-        tmp = read_file('/proc/sys/net/ipv4/tcp_l3mdev_accept')
-        self.assertIn(tmp, '1')
-        tmp = read_file('/proc/sys/net/ipv4/udp_l3mdev_accept')
-        self.assertIn(tmp, '1')
+        self.assertEqual(sysctl_read('net.ipv4.tcp_l3mdev_accept'), '1')
+        self.assertEqual(sysctl_read('net.ipv4.udp_l3mdev_accept'), '1')
+
+        # If there is any VRF defined, strict_mode should be on
+        self.assertEqual(sysctl_read('net.vrf.strict_mode'), '1')
 
     def test_vrf_table_id_is_unalterable(self):
         # Linux Kernel prohibits the change of a VRF table  on the fly.
@@ -290,8 +295,8 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
             # Ensure VRF was created
             self.assertIn(vrf, interfaces())
             # Verify IP forwarding is 0 (disabled)
-            self.assertEqual(read_file(f'/proc/sys/net/ipv4/conf/{vrf}/forwarding'), '0')
-            self.assertEqual(read_file(f'/proc/sys/net/ipv6/conf/{vrf}/forwarding'), '0')
+            self.assertEqual(sysctl_read(f'net.ipv4.conf.{vrf}.forwarding'), '0')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{vrf}.forwarding'), '0')
 
     def test_vrf_ip_protocol_route_map(self):
         table = '6000'
@@ -489,4 +494,4 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
 
 
 if __name__ == '__main__':
-    unittest.main(verbosity=2, failfast=True)
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/system/test_module_load.py b/smoketest/scripts/system/test_module_load.py
index 9d94f01e6..fc60c7220 100755
--- a/smoketest/scripts/system/test_module_load.py
+++ b/smoketest/scripts/system/test_module_load.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2023 VyOS maintainers and contributors
+# Copyright (C) 2019-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -18,7 +18,7 @@ import unittest
 from vyos.utils.process import cmd
 
 modules = {
-    "intel": ["e1000", "e1000e", "igb", "ixgb", "ixgbe", "ixgbevf", "i40e",
+    "intel": ["e1000", "e1000e", "igb", "ixgbe", "ixgbevf", "i40e",
               "i40evf", "iavf"],
     "intel_qat": ["qat_200xx", "qat_200xxvf", "qat_c3xxx", "qat_c3xxxvf",
                   "qat_c62x", "qat_c62xvf", "qat_d15xx", "qat_d15xxvf",
diff --git a/src/completion/list_ddclient_protocols.sh b/src/completion/list_ddclient_protocols.sh
index 75fb0cf44..634981660 100755
--- a/src/completion/list_ddclient_protocols.sh
+++ b/src/completion/list_ddclient_protocols.sh
@@ -14,4 +14,4 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-echo -n $(ddclient -list-protocols)
+echo -n $(ddclient -list-protocols | grep  -vE 'cloudns|porkbun')
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 46eb10714..59d11c5a3 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -142,11 +142,17 @@ def verify(container):
                     for address in container_config['network'][network_name]['address']:
                         network = None
                         if is_ipv4(address):
-                            network = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)][0]
-                            cnt_ipv4 += 1
+                            try:
+                                network = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)][0]
+                                cnt_ipv4 += 1
+                            except:
+                                raise ConfigError(f'Network "{network_name}" does not contain an IPv4 prefix!')
                         elif is_ipv6(address):
-                            network = [x for x in container['network'][network_name]['prefix'] if is_ipv6(x)][0]
-                            cnt_ipv6 += 1
+                            try:
+                                network = [x for x in container['network'][network_name]['prefix'] if is_ipv6(x)][0]
+                                cnt_ipv6 += 1
+                            except:
+                                raise ConfigError(f'Network "{network_name}" does not contain an IPv6 prefix!')
 
                         # Specified container IP address must belong to network prefix
                         if ip_address(address) not in ip_network(network):
@@ -232,9 +238,9 @@ def verify(container):
     # A network attached to a container can not be deleted
     if {'network_remove', 'name'} <= set(container):
         for network in container['network_remove']:
-            for container, container_config in container['name'].items():
-                if 'network' in container_config and network in container_config['network']:
-                    raise ConfigError(f'Can not remove network "{network}", used by container "{container}"!')
+            for c, c_config in container['name'].items():
+                if 'network' in c_config and network in c_config['network']:
+                    raise ConfigError(f'Can not remove network "{network}", used by container "{c}"!')
 
     if 'registry' in container:
         for registry, registry_config in container['registry'].items():
@@ -274,10 +280,10 @@ def generate_run_arguments(name, container_config):
             env_opt += f" --env \"{k}={v['value']}\""
 
     # Check/set label options "--label foo=bar"
-    env_opt = ''
+    label = ''
     if 'label' in container_config:
         for k, v in container_config['label'].items():
-            env_opt += f" --label \"{k}={v['value']}\""
+            label += f" --label \"{k}={v['value']}\""
 
     hostname = ''
     if 'host_name' in container_config:
@@ -314,7 +320,7 @@ def generate_run_arguments(name, container_config):
 
     container_base_cmd = f'--detach --interactive --tty --replace {cap_add} ' \
                          f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \
-                         f'--name {name} {hostname} {device} {port} {volume} {env_opt}'
+                         f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label}'
 
     entrypoint = ''
     if 'entrypoint' in container_config:
@@ -349,7 +355,7 @@ def generate_run_arguments(name, container_config):
             else:
                 ip_param += f' --ip {address}'
 
-    return f'{container_base_cmd} --net {networks} {ip_param} {entrypoint} {image} {command} {command_arguments}'.strip()
+    return f'{container_base_cmd} --no-healthcheck --net {networks} {ip_param} {entrypoint} {image} {command} {command_arguments}'.strip()
 
 def generate(container):
     # bail out early - looks like removal from running config
diff --git a/src/conf_mode/dns_dynamic.py b/src/conf_mode/dns_dynamic.py
deleted file mode 100755
index ab80defe8..000000000
--- a/src/conf_mode/dns_dynamic.py
+++ /dev/null
@@ -1,134 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018-2023 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import os
-
-from sys import exit
-
-from vyos.config import Config
-from vyos.template import render
-from vyos.utils.process import call
-from vyos import ConfigError
-from vyos import airbag
-airbag.enable()
-
-config_file = r'/run/ddclient/ddclient.conf'
-systemd_override = r'/run/systemd/system/ddclient.service.d/override.conf'
-
-# Protocols that require zone
-zone_allowed = ['cloudflare', 'godaddy', 'hetzner', 'gandi', 'nfsn']
-
-# Protocols that do not require username
-username_unnecessary = ['1984', 'cloudflare', 'cloudns', 'duckdns', 'freemyip', 'hetzner', 'keysystems', 'njalla']
-
-# Protocols that support both IPv4 and IPv6
-dualstack_supported = ['cloudflare', 'dyndns2', 'freedns', 'njalla']
-
-def get_config(config=None):
-    if config:
-        conf = config
-    else:
-        conf = Config()
-
-    base_level = ['service', 'dns', 'dynamic']
-    if not conf.exists(base_level):
-        return None
-
-    dyndns = conf.get_config_dict(base_level, key_mangling=('-', '_'),
-                                  no_tag_node_value_mangle=True,
-                                  get_first_key=True,
-                                  with_recursive_defaults=True)
-
-    dyndns['config_file'] = config_file
-    return dyndns
-
-def verify(dyndns):
-    # bail out early - looks like removal from running config
-    if not dyndns or 'address' not in dyndns:
-        return None
-
-    for address in dyndns['address']:
-        # RFC2136 - configuration validation
-        if 'rfc2136' in dyndns['address'][address]:
-            for config in dyndns['address'][address]['rfc2136'].values():
-                for field in ['host_name', 'zone', 'server', 'key']:
-                    if field not in config:
-                        raise ConfigError(f'"{field.replace("_", "-")}" is required for RFC2136 '
-                                          f'based Dynamic DNS service on "{address}"')
-
-        # Dynamic DNS service provider - configuration validation
-        if 'service' in dyndns['address'][address]:
-            for service, config in dyndns['address'][address]['service'].items():
-                error_msg = f'is required for Dynamic DNS service "{service}" on "{address}"'
-
-                for field in ['host_name', 'password', 'protocol']:
-                    if field not in config:
-                        raise ConfigError(f'"{field.replace("_", "-")}" {error_msg}')
-
-                if config['protocol'] in zone_allowed and 'zone' not in config:
-                        raise ConfigError(f'"zone" {error_msg}')
-
-                if config['protocol'] not in zone_allowed and 'zone' in config:
-                        raise ConfigError(f'"{config["protocol"]}" does not support "zone"')
-
-                if config['protocol'] not in username_unnecessary:
-                    if 'username' not in config:
-                        raise ConfigError(f'"username" {error_msg}')
-
-                if config['ip_version'] == 'both':
-                    if config['protocol'] not in dualstack_supported:
-                        raise ConfigError(f'"{config["protocol"]}" does not support '
-                                          f'both IPv4 and IPv6 at the same time')
-                    # dyndns2 protocol in ddclient honors dual stack only for dyn.com (dyndns.org)
-                    if config['protocol'] == 'dyndns2' and 'server' in config and config['server'] != 'members.dyndns.org':
-                        raise ConfigError(f'"{config["protocol"]}" does not support '
-                                          f'both IPv4 and IPv6 at the same time for "{config["server"]}"')
-
-    return None
-
-def generate(dyndns):
-    # bail out early - looks like removal from running config
-    if not dyndns or 'address' not in dyndns:
-        return None
-
-    render(config_file, 'dns-dynamic/ddclient.conf.j2', dyndns)
-    render(systemd_override, 'dns-dynamic/override.conf.j2', dyndns)
-    return None
-
-def apply(dyndns):
-    systemd_service = 'ddclient.service'
-    # Reload systemd manager configuration
-    call('systemctl daemon-reload')
-
-    # bail out early - looks like removal from running config
-    if not dyndns or 'address' not in dyndns:
-        call(f'systemctl stop {systemd_service}')
-        if os.path.exists(config_file):
-            os.unlink(config_file)
-    else:
-        call(f'systemctl reload-or-restart {systemd_service}')
-
-    return None
-
-if __name__ == '__main__':
-    try:
-        c = get_config()
-        verify(c)
-        generate(c)
-        apply(c)
-    except ConfigError as e:
-        print(e)
-        exit(1)
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index c3b1ee015..ee19555c4 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -23,10 +23,11 @@ from sys import exit
 
 from vyos.base import Warning
 from vyos.config import Config
-from vyos.configdict import node_changed
+from vyos.configdict import is_node_changed
 from vyos.configdiff import get_config_diff, Diff
 from vyos.configdep import set_dependents, call_dependents
-# from vyos.configverify import verify_interface_exists
+from vyos.configverify import verify_interface_exists
+from vyos.ethtool import Ethtool
 from vyos.firewall import fqdn_config_parse
 from vyos.firewall import geoip_update
 from vyos.template import render
@@ -40,9 +41,6 @@ from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
 
-nat_conf_script = 'nat.py'
-policy_route_conf_script = 'policy-route.py'
-
 nftables_conf = '/run/nftables.conf'
 
 sysfs_config = {
@@ -131,7 +129,7 @@ def get_config(config=None):
                                     with_recursive_defaults=True)
 
 
-    firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group']))
+    firewall['group_resync'] = bool('group' in firewall or is_node_changed(conf, base + ['group']))
     if firewall['group_resync']:
         # Update nat and policy-route as firewall groups were updated
         set_dependents('group_resync', conf)
@@ -160,6 +158,15 @@ def verify_rule(firewall, rule_conf, ipv6):
             if target not in dict_search_args(firewall, 'ipv6', 'name'):
                 raise ConfigError(f'Invalid jump-target. Firewall ipv6 name {target} does not exist on the system')
 
+    if rule_conf['action'] == 'offload':
+        if 'offload_target' not in rule_conf:
+            raise ConfigError('Action set to offload, but no offload-target specified')
+
+        offload_target = rule_conf['offload_target']
+
+        if not dict_search_args(firewall, 'flowtable', offload_target):
+            raise ConfigError(f'Invalid offload-target. Flowtable "{offload_target}" does not exist on the system')
+
     if 'queue_options' in rule_conf:
         if 'queue' not in rule_conf['action']:
             raise ConfigError('queue-options defined, but action queue needed and it is not defined')
@@ -249,7 +256,7 @@ def verify_rule(firewall, rule_conf, ipv6):
                 raise ConfigError(f'{side} port-group and port cannot both be defined')
 
     if 'log_options' in rule_conf:
-        if 'log' not in rule_conf or 'enable' not in rule_conf['log']:
+        if 'log' not in rule_conf:
             raise ConfigError('log-options defined, but log is not enable')
 
         if 'snapshot_length' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']:
@@ -260,8 +267,8 @@ def verify_rule(firewall, rule_conf, ipv6):
 
     for direction in ['inbound_interface','outbound_interface']:
         if direction in rule_conf:
-            if 'interface_name' in rule_conf[direction] and 'interface_group' in rule_conf[direction]:
-                raise ConfigError(f'Cannot specify both interface-group and interface-name for {direction}')
+            if 'name' in rule_conf[direction] and 'group' in rule_conf[direction]:
+                raise ConfigError(f'Cannot specify both interface group and interface name for {direction}')
 
 def verify_nested_group(group_name, group, groups, seen):
     if 'include' not in group:
@@ -279,7 +286,31 @@ def verify_nested_group(group_name, group, groups, seen):
         if 'include' in groups[g]:
             verify_nested_group(g, groups[g], groups, seen)
 
+def verify_hardware_offload(ifname):
+    ethtool = Ethtool(ifname)
+    enabled, fixed = ethtool.get_hw_tc_offload()
+
+    if not enabled and fixed:
+        raise ConfigError(f'Interface "{ifname}" does not support hardware offload')
+
+    if not enabled:
+        raise ConfigError(f'Interface "{ifname}" requires "offload hw-tc-offload"')
+
 def verify(firewall):
+    if 'flowtable' in firewall:
+        for flowtable, flowtable_conf in firewall['flowtable'].items():
+            if 'interface' not in flowtable_conf:
+                raise ConfigError(f'Flowtable "{flowtable}" requires at least one interface')
+
+            for ifname in flowtable_conf['interface']:
+                verify_interface_exists(ifname)
+
+            if dict_search_args(flowtable_conf, 'offload') == 'hardware':
+                interfaces = flowtable_conf['interface']
+
+                for ifname in interfaces:
+                    verify_hardware_offload(ifname)
+
     if 'group' in firewall:
         for group_type in nested_group_types:
             if group_type in firewall['group']:
@@ -327,12 +358,82 @@ def verify(firewall):
                         for rule_id, rule_conf in name_conf['rule'].items():
                             verify_rule(firewall, rule_conf, True)
 
+    #### ZONESSSS
+    local_zone = False
+    zone_interfaces = []
+
+    if 'zone' in firewall:
+        for zone, zone_conf in firewall['zone'].items():
+            if 'local_zone' not in zone_conf and 'interface' not in zone_conf:
+                raise ConfigError(f'Zone "{zone}" has no interfaces and is not the local zone')
+
+            if 'local_zone' in zone_conf:
+                if local_zone:
+                    raise ConfigError('There cannot be multiple local zones')
+                if 'interface' in zone_conf:
+                    raise ConfigError('Local zone cannot have interfaces assigned')
+                if 'intra_zone_filtering' in zone_conf:
+                    raise ConfigError('Local zone cannot use intra-zone-filtering')
+                local_zone = True
+
+            if 'interface' in zone_conf:
+                found_duplicates = [intf for intf in zone_conf['interface'] if intf in zone_interfaces]
+
+                if found_duplicates:
+                    raise ConfigError(f'Interfaces cannot be assigned to multiple zones')
+
+                zone_interfaces += zone_conf['interface']
+
+            if 'intra_zone_filtering' in zone_conf:
+                intra_zone = zone_conf['intra_zone_filtering']
+
+                if len(intra_zone) > 1:
+                    raise ConfigError('Only one intra-zone-filtering action must be specified')
+
+                if 'firewall' in intra_zone:
+                    v4_name = dict_search_args(intra_zone, 'firewall', 'name')
+                    if v4_name and not dict_search_args(firewall, 'ipv4', 'name', v4_name):
+                        raise ConfigError(f'Firewall name "{v4_name}" does not exist')
+
+                    v6_name = dict_search_args(intra_zone, 'firewall', 'ipv6_name')
+                    if v6_name and not dict_search_args(firewall, 'ipv6', 'name', v6_name):
+                        raise ConfigError(f'Firewall ipv6-name "{v6_name}" does not exist')
+
+                    if not v4_name and not v6_name:
+                        raise ConfigError('No firewall names specified for intra-zone-filtering')
+
+            if 'from' in zone_conf:
+                for from_zone, from_conf in zone_conf['from'].items():
+                    if from_zone not in firewall['zone']:
+                        raise ConfigError(f'Zone "{zone}" refers to a non-existent or deleted zone "{from_zone}"')
+
+                    v4_name = dict_search_args(from_conf, 'firewall', 'name')
+                    if v4_name and not dict_search_args(firewall, 'ipv4', 'name', v4_name):
+                        raise ConfigError(f'Firewall name "{v4_name}" does not exist')
+
+                    v6_name = dict_search_args(from_conf, 'firewall', 'ipv6_name')
+                    if v6_name and not dict_search_args(firewall, 'ipv6', 'name', v6_name):
+                        raise ConfigError(f'Firewall ipv6-name "{v6_name}" does not exist')
+
     return None
 
 def generate(firewall):
     if not os.path.exists(nftables_conf):
         firewall['first_install'] = True
 
+    if 'zone' in firewall:
+        for local_zone, local_zone_conf in firewall['zone'].items():
+            if 'local_zone' not in local_zone_conf:
+                continue
+
+            local_zone_conf['from_local'] = {}
+
+            for zone, zone_conf in firewall['zone'].items():
+                if zone == local_zone or 'from' not in zone_conf:
+                    continue
+                if local_zone in zone_conf['from']:
+                    local_zone_conf['from_local'][zone] = zone_conf['from'][local_zone]
+
     # Determine if conntrack is needed
     firewall['ipv4_conntrack_action'] = 'return'
     firewall['ipv6_conntrack_action'] = 'return'
diff --git a/src/conf_mode/high-availability.py b/src/conf_mode/high-availability.py
index 0121df11c..b3b27b14e 100755
--- a/src/conf_mode/high-availability.py
+++ b/src/conf_mode/high-availability.py
@@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 
+import os
 import time
 
 from sys import exit
@@ -24,6 +25,7 @@ from ipaddress import IPv6Interface
 
 from vyos.base import Warning
 from vyos.config import Config
+from vyos.configdict import leaf_node_changed
 from vyos.ifconfig.vrrp import VRRP
 from vyos.template import render
 from vyos.template import is_ipv4
@@ -35,6 +37,9 @@ from vyos import airbag
 airbag.enable()
 
 
+systemd_override = r'/run/systemd/system/keepalived.service.d/10-override.conf'
+
+
 def get_config(config=None):
     if config:
         conf = config
@@ -54,6 +59,9 @@ def get_config(config=None):
     if conf.exists(conntrack_path):
         ha['conntrack_sync_group'] = conf.return_value(conntrack_path)
 
+    if leaf_node_changed(conf, base + ['vrrp', 'snmp']):
+        ha.update({'restart_required': {}})
+
     return ha
 
 def verify(ha):
@@ -164,19 +172,23 @@ def verify(ha):
 
 def generate(ha):
     if not ha or 'disable' in ha:
+        if os.path.isfile(systemd_override):
+            os.unlink(systemd_override)
         return None
 
     render(VRRP.location['config'], 'high-availability/keepalived.conf.j2', ha)
+    render(systemd_override, 'high-availability/10-override.conf.j2', ha)
     return None
 
 def apply(ha):
     service_name = 'keepalived.service'
+    call('systemctl daemon-reload')
     if not ha or 'disable' in ha:
         call(f'systemctl stop {service_name}')
         return None
 
     # Check if IPv6 address is tentative T5533
-    for group, group_config in ha['vrrp']['group'].items():
+    for group, group_config in ha.get('vrrp', {}).get('group', {}).items():
         if 'hello_source_address' in group_config:
             if is_ipv6(group_config['hello_source_address']):
                 ipv6_address = group_config['hello_source_address']
@@ -187,7 +199,11 @@ def apply(ha):
                     if is_ipv6_tentative(interface, ipv6_address):
                         time.sleep(interval)
 
-    call(f'systemctl reload-or-restart {service_name}')
+    systemd_action = 'reload-or-restart'
+    if 'restart_required' in ha:
+        systemd_action = 'restart'
+
+    call(f'systemctl {systemd_action} {service_name}')
     return None
 
 if __name__ == '__main__':
diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
deleted file mode 100755
index 793a90d88..000000000
--- a/src/conf_mode/http-api.py
+++ /dev/null
@@ -1,150 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2019-2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import sys
-import os
-import json
-
-from time import sleep
-from copy import deepcopy
-
-import vyos.defaults
-
-from vyos.config import Config
-from vyos.configdep import set_dependents, call_dependents
-from vyos.template import render
-from vyos.utils.process import call
-from vyos import ConfigError
-from vyos import airbag
-airbag.enable()
-
-api_conf_file = '/etc/vyos/http-api.conf'
-systemd_service = '/run/systemd/system/vyos-http-api.service'
-
-vyos_conf_scripts_dir=vyos.defaults.directories['conf_mode']
-
-def _translate_values_to_boolean(d: dict) -> dict:
-    for k in list(d):
-        if d[k] == {}:
-            d[k] = True
-        elif isinstance(d[k], dict):
-            _translate_values_to_boolean(d[k])
-        else:
-            pass
-
-def get_config(config=None):
-    http_api = deepcopy(vyos.defaults.api_data)
-    x = http_api.get('api_keys')
-    if x is None:
-        default_key = None
-    else:
-        default_key = x[0]
-    keys_added = False
-
-    if config:
-        conf = config
-    else:
-        conf = Config()
-
-    # reset on creation/deletion of 'api' node
-    https_base = ['service', 'https']
-    if conf.exists(https_base):
-        set_dependents("https", conf)
-
-    base = ['service', 'https', 'api']
-    if not conf.exists(base):
-        return None
-
-    api_dict = conf.get_config_dict(base, key_mangling=('-', '_'),
-                                    no_tag_node_value_mangle=True,
-                                    get_first_key=True,
-                                    with_recursive_defaults=True)
-
-    # One needs to 'flatten' the keys dict from the config into the
-    # http-api.conf format for api_keys:
-    if 'keys' in api_dict:
-        api_dict['api_keys'] = []
-        for el in list(api_dict['keys'].get('id', {})):
-            key = api_dict['keys']['id'][el].get('key', '')
-            if key:
-                api_dict['api_keys'].append({'id': el, 'key': key})
-        del api_dict['keys']
-
-    # Do we run inside a VRF context?
-    vrf_path = ['service', 'https', 'vrf']
-    if conf.exists(vrf_path):
-        http_api['vrf'] = conf.return_value(vrf_path)
-
-    if 'api_keys' in api_dict:
-        keys_added = True
-
-    if api_dict.from_defaults(['graphql']):
-        del api_dict['graphql']
-
-    http_api.update(api_dict)
-
-    if keys_added and default_key:
-        if default_key in http_api['api_keys']:
-            http_api['api_keys'].remove(default_key)
-
-    # Finally, translate entries in http_api into boolean settings for
-    # backwards compatability of JSON http-api.conf file
-    _translate_values_to_boolean(http_api)
-
-    return http_api
-
-def verify(http_api):
-    return None
-
-def generate(http_api):
-    if http_api is None:
-        if os.path.exists(systemd_service):
-            os.unlink(systemd_service)
-        return None
-
-    if not os.path.exists('/etc/vyos'):
-        os.mkdir('/etc/vyos')
-
-    with open(api_conf_file, 'w') as f:
-        json.dump(http_api, f, indent=2)
-
-    render(systemd_service, 'https/vyos-http-api.service.j2', http_api)
-    return None
-
-def apply(http_api):
-    # Reload systemd manager configuration
-    call('systemctl daemon-reload')
-    service_name = 'vyos-http-api.service'
-
-    if http_api is not None:
-        call(f'systemctl restart {service_name}')
-    else:
-        call(f'systemctl stop {service_name}')
-
-    # Let uvicorn settle before restarting Nginx
-    sleep(1)
-
-    call_dependents()
-
-if __name__ == '__main__':
-    try:
-        c = get_config()
-        verify(c)
-        generate(c)
-        apply(c)
-    except ConfigError as e:
-        print(e)
-        sys.exit(1)
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
deleted file mode 100755
index 010490c7e..000000000
--- a/src/conf_mode/https.py
+++ /dev/null
@@ -1,266 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2019-2022 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import os
-import sys
-
-from copy import deepcopy
-
-import vyos.defaults
-import vyos.certbot_util
-
-from vyos.config import Config
-from vyos.configverify import verify_vrf
-from vyos import ConfigError
-from vyos.pki import wrap_certificate
-from vyos.pki import wrap_private_key
-from vyos.template import render
-from vyos.utils.process import call
-from vyos.utils.network import check_port_availability
-from vyos.utils.network import is_listen_port_bind_service
-from vyos.utils.file import write_file
-
-from vyos import airbag
-airbag.enable()
-
-config_file = '/etc/nginx/sites-available/default'
-systemd_override = r'/run/systemd/system/nginx.service.d/override.conf'
-cert_dir = '/etc/ssl/certs'
-key_dir = '/etc/ssl/private'
-certbot_dir = vyos.defaults.directories['certbot']
-
-# https config needs to coordinate several subsystems: api, certbot,
-# self-signed certificate, as well as the virtual hosts defined within the
-# https config definition itself. Consequently, one needs a general dict,
-# encompassing the https and other configs, and a list of such virtual hosts
-# (server blocks in nginx terminology) to pass to the jinja2 template.
-default_server_block = {
-    'id'        : '',
-    'address'   : '*',
-    'port'      : '443',
-    'name'      : ['_'],
-    'api'       : {},
-    'vyos_cert' : {},
-    'certbot'   : False
-}
-
-def get_config(config=None):
-    if config:
-        conf = config
-    else:
-        conf = Config()
-
-    base = ['service', 'https']
-    if not conf.exists(base):
-        return None
-
-    https = conf.get_config_dict(base, get_first_key=True)
-
-    if https:
-        https['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                get_first_key=True, no_tag_node_value_mangle=True)
-
-    return https
-
-def verify(https):
-    if https is None:
-        return None
-
-    if 'certificates' in https:
-        certificates = https['certificates']
-
-        if 'certificate' in certificates:
-            if not https['pki']:
-                raise ConfigError("PKI is not configured")
-
-            cert_name = certificates['certificate']
-
-            if cert_name not in https['pki']['certificate']:
-                raise ConfigError("Invalid certificate on https configuration")
-
-            pki_cert = https['pki']['certificate'][cert_name]
-
-            if 'certificate' not in pki_cert:
-                raise ConfigError("Missing certificate on https configuration")
-
-            if 'private' not in pki_cert or 'key' not in pki_cert['private']:
-                raise ConfigError("Missing certificate private key on https configuration")
-
-        if 'certbot' in https['certificates']:
-            vhost_names = []
-            for vh, vh_conf in https.get('virtual-host', {}).items():
-                vhost_names += vh_conf.get('server-name', [])
-            domains = https['certificates']['certbot'].get('domain-name', [])
-            domains_found = [domain for domain in domains if domain in vhost_names]
-            if not domains_found:
-                raise ConfigError("At least one 'virtual-host <id> server-name' "
-                              "matching the 'certbot domain-name' is required.")
-
-    server_block_list = []
-
-    # organize by vhosts
-    vhost_dict = https.get('virtual-host', {})
-
-    if not vhost_dict:
-        # no specified virtual hosts (server blocks); use default
-        server_block_list.append(default_server_block)
-    else:
-        for vhost in list(vhost_dict):
-            server_block = deepcopy(default_server_block)
-            data = vhost_dict.get(vhost, {})
-            server_block['address'] = data.get('listen-address', '*')
-            server_block['port'] = data.get('listen-port', '443')
-            server_block_list.append(server_block)
-
-    for entry in server_block_list:
-        _address = entry.get('address')
-        _address = '0.0.0.0' if _address == '*' else _address
-        _port = entry.get('port')
-        proto = 'tcp'
-        if check_port_availability(_address, int(_port), proto) is not True and \
-                not is_listen_port_bind_service(int(_port), 'nginx'):
-            raise ConfigError(f'"{proto}" port "{_port}" is used by another service')
-
-    verify_vrf(https)
-    return None
-
-def generate(https):
-    if https is None:
-        return None
-
-    server_block_list = []
-
-    # organize by vhosts
-
-    vhost_dict = https.get('virtual-host', {})
-
-    if not vhost_dict:
-        # no specified virtual hosts (server blocks); use default
-        server_block_list.append(default_server_block)
-    else:
-        for vhost in list(vhost_dict):
-            server_block = deepcopy(default_server_block)
-            server_block['id'] = vhost
-            data = vhost_dict.get(vhost, {})
-            server_block['address'] = data.get('listen-address', '*')
-            server_block['port'] = data.get('listen-port', '443')
-            name = data.get('server-name', ['_'])
-            server_block['name'] = name
-            allow_client = data.get('allow-client', {})
-            server_block['allow_client'] = allow_client.get('address', [])
-            server_block_list.append(server_block)
-
-    # get certificate data
-
-    cert_dict = https.get('certificates', {})
-
-    if 'certificate' in cert_dict:
-        cert_name = cert_dict['certificate']
-        pki_cert = https['pki']['certificate'][cert_name]
-
-        cert_path = os.path.join(cert_dir, f'{cert_name}.pem')
-        key_path = os.path.join(key_dir, f'{cert_name}.pem')
-
-        server_cert = str(wrap_certificate(pki_cert['certificate']))
-        if 'ca-certificate' in cert_dict:
-            ca_cert = cert_dict['ca-certificate']
-            server_cert += '\n' + str(wrap_certificate(https['pki']['ca'][ca_cert]['certificate']))
-
-        write_file(cert_path, server_cert)
-        write_file(key_path, wrap_private_key(pki_cert['private']['key']))
-
-        vyos_cert_data = {
-            'crt': cert_path,
-            'key': key_path
-        }
-
-        for block in server_block_list:
-            block['vyos_cert'] = vyos_cert_data
-
-    # letsencrypt certificate using certbot
-
-    certbot = False
-    cert_domains = cert_dict.get('certbot', {}).get('domain-name', [])
-    if cert_domains:
-        certbot = True
-        for domain in cert_domains:
-            sub_list = vyos.certbot_util.choose_server_block(server_block_list,
-                                                             domain)
-            if sub_list:
-                for sb in sub_list:
-                    sb['certbot'] = True
-                    sb['certbot_dir'] = certbot_dir
-                    # certbot organizes certificates by first domain
-                    sb['certbot_domain_dir'] = cert_domains[0]
-
-    # get api data
-
-    api_set = False
-    api_data = {}
-    if 'api' in list(https):
-        api_set = True
-        api_data = vyos.defaults.api_data
-    api_settings = https.get('api', {})
-    if api_settings:
-        port = api_settings.get('port', '')
-        if port:
-            api_data['port'] = port
-        vhosts = https.get('api-restrict', {}).get('virtual-host', [])
-        if vhosts:
-            api_data['vhost'] = vhosts[:]
-        if 'socket' in list(api_settings):
-            api_data['socket'] = True
-
-    if api_data:
-        vhost_list = api_data.get('vhost', [])
-        if not vhost_list:
-            for block in server_block_list:
-                block['api'] = api_data
-        else:
-            for block in server_block_list:
-                if block['id'] in vhost_list:
-                    block['api'] = api_data
-
-    if 'server_block_list' not in https or not https['server_block_list']:
-        https['server_block_list'] = [default_server_block]
-
-    data = {
-        'server_block_list': server_block_list,
-        'api_set': api_set,
-        'certbot': certbot
-    }
-
-    render(config_file, 'https/nginx.default.j2', data)
-    render(systemd_override, 'https/override.conf.j2', https)
-    return None
-
-def apply(https):
-    # Reload systemd manager configuration
-    call('systemctl daemon-reload')
-    if https is not None:
-        call('systemctl restart nginx.service')
-    else:
-        call('systemctl stop nginx.service')
-
-if __name__ == '__main__':
-    try:
-        c = get_config()
-        verify(c)
-        generate(c)
-        apply(c)
-    except ConfigError as e:
-        print(e)
-        sys.exit(1)
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
deleted file mode 100755
index f3e65ad5e..000000000
--- a/src/conf_mode/interfaces-ethernet.py
+++ /dev/null
@@ -1,225 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2019-2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import os
-
-from glob import glob
-from sys import exit
-
-from vyos.base import Warning
-from vyos.config import Config
-from vyos.configdict import get_interface_dict
-from vyos.configdict import is_node_changed
-from vyos.configverify import verify_address
-from vyos.configverify import verify_dhcpv6
-from vyos.configverify import verify_eapol
-from vyos.configverify import verify_interface_exists
-from vyos.configverify import verify_mirror_redirect
-from vyos.configverify import verify_mtu
-from vyos.configverify import verify_mtu_ipv6
-from vyos.configverify import verify_vlan_config
-from vyos.configverify import verify_vrf
-from vyos.configverify import verify_bond_bridge_member
-from vyos.ethtool import Ethtool
-from vyos.ifconfig import EthernetIf
-from vyos.pki import find_chain
-from vyos.pki import encode_certificate
-from vyos.pki import load_certificate
-from vyos.pki import wrap_private_key
-from vyos.template import render
-from vyos.utils.process import call
-from vyos.utils.dict import dict_search
-from vyos.utils.file import write_file
-from vyos import ConfigError
-from vyos import airbag
-airbag.enable()
-
-# XXX: wpa_supplicant works on the source interface
-cfg_dir = '/run/wpa_supplicant'
-wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf'
-
-def get_config(config=None):
-    """
-    Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
-    interface name will be added or a deleted flag
-    """
-    if config:
-        conf = config
-    else:
-        conf = Config()
-
-    # This must be called prior to get_interface_dict(), as this function will
-    # alter the config level (config.set_level())
-    pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                               get_first_key=True, no_tag_node_value_mangle=True)
-
-    base = ['interfaces', 'ethernet']
-    ifname, ethernet = get_interface_dict(conf, base)
-
-    if 'deleted' not in ethernet:
-       if pki: ethernet['pki'] = pki
-
-    tmp = is_node_changed(conf, base + [ifname, 'speed'])
-    if tmp: ethernet.update({'speed_duplex_changed': {}})
-
-    tmp = is_node_changed(conf, base + [ifname, 'duplex'])
-    if tmp: ethernet.update({'speed_duplex_changed': {}})
-
-    return ethernet
-
-def verify(ethernet):
-    if 'deleted' in ethernet:
-        return None
-
-    ifname = ethernet['ifname']
-    verify_interface_exists(ifname)
-    verify_mtu(ethernet)
-    verify_mtu_ipv6(ethernet)
-    verify_dhcpv6(ethernet)
-    verify_address(ethernet)
-    verify_vrf(ethernet)
-    verify_bond_bridge_member(ethernet)
-    verify_eapol(ethernet)
-    verify_mirror_redirect(ethernet)
-
-    ethtool = Ethtool(ifname)
-    # No need to check speed and duplex keys as both have default values.
-    if ((ethernet['speed'] == 'auto' and ethernet['duplex'] != 'auto') or
-        (ethernet['speed'] != 'auto' and ethernet['duplex'] == 'auto')):
-            raise ConfigError('Speed/Duplex missmatch. Must be both auto or manually configured')
-
-    if ethernet['speed'] != 'auto' and ethernet['duplex'] != 'auto':
-        # We need to verify if the requested speed and duplex setting is
-        # supported by the underlaying NIC.
-        speed = ethernet['speed']
-        duplex = ethernet['duplex']
-        if not ethtool.check_speed_duplex(speed, duplex):
-            raise ConfigError(f'Adapter does not support changing speed and duplex '\
-                              f'settings to: {speed}/{duplex}!')
-
-    if 'disable_flow_control' in ethernet:
-        if not ethtool.check_flow_control():
-            raise ConfigError('Adapter does not support changing flow-control settings!')
-
-    if 'ring_buffer' in ethernet:
-        max_rx = ethtool.get_ring_buffer_max('rx')
-        if not max_rx:
-            raise ConfigError('Driver does not support RX ring-buffer configuration!')
-
-        max_tx = ethtool.get_ring_buffer_max('tx')
-        if not max_tx:
-            raise ConfigError('Driver does not support TX ring-buffer configuration!')
-
-        rx = dict_search('ring_buffer.rx', ethernet)
-        if rx and int(rx) > int(max_rx):
-            raise ConfigError(f'Driver only supports a maximum RX ring-buffer '\
-                              f'size of "{max_rx}" bytes!')
-
-        tx = dict_search('ring_buffer.tx', ethernet)
-        if tx and int(tx) > int(max_tx):
-            raise ConfigError(f'Driver only supports a maximum TX ring-buffer '\
-                              f'size of "{max_tx}" bytes!')
-
-    # verify offloading capabilities
-    if dict_search('offload.rps', ethernet) != None:
-        if not os.path.exists(f'/sys/class/net/{ifname}/queues/rx-0/rps_cpus'):
-            raise ConfigError('Interface does not suport RPS!')
-
-    driver = ethtool.get_driver_name()
-    # T3342 - Xen driver requires special treatment
-    if driver == 'vif':
-        if int(ethernet['mtu']) > 1500 and dict_search('offload.sg', ethernet) == None:
-            raise ConfigError('Xen netback drivers requires scatter-gatter offloading '\
-                              'for MTU size larger then 1500 bytes')
-
-    if {'is_bond_member', 'mac'} <= set(ethernet):
-        Warning(f'changing mac address "{mac}" will be ignored as "{ifname}" ' \
-                f'is a member of bond "{is_bond_member}"'.format(**ethernet))
-
-    # use common function to verify VLAN configuration
-    verify_vlan_config(ethernet)
-    return None
-
-def generate(ethernet):
-    # render real configuration file once
-    wpa_supplicant_conf = wpa_suppl_conf.format(**ethernet)
-
-    if 'deleted' in ethernet:
-        # delete configuration on interface removal
-        if os.path.isfile(wpa_supplicant_conf):
-            os.unlink(wpa_supplicant_conf)
-        return None
-
-    if 'eapol' in ethernet:
-        ifname = ethernet['ifname']
-
-        render(wpa_supplicant_conf, 'ethernet/wpa_supplicant.conf.j2', ethernet)
-
-        cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem')
-        cert_key_path = os.path.join(cfg_dir, f'{ifname}_cert.key')
-
-        cert_name = ethernet['eapol']['certificate']
-        pki_cert = ethernet['pki']['certificate'][cert_name]
-
-        loaded_pki_cert = load_certificate(pki_cert['certificate'])
-        loaded_ca_certs = {load_certificate(c['certificate'])
-            for c in ethernet['pki']['ca'].values()} if 'ca' in ethernet['pki'] else {}
-
-        cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
-
-        write_file(cert_file_path,
-                   '\n'.join(encode_certificate(c) for c in cert_full_chain))
-        write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
-
-        if 'ca_certificate' in ethernet['eapol']:
-            ca_cert_file_path = os.path.join(cfg_dir, f'{ifname}_ca.pem')
-            ca_chains = []
-
-            for ca_cert_name in ethernet['eapol']['ca_certificate']:
-                pki_ca_cert = ethernet['pki']['ca'][ca_cert_name]
-                loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
-                ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
-                ca_chains.append('\n'.join(encode_certificate(c) for c in ca_full_chain))
-
-            write_file(ca_cert_file_path, '\n'.join(ca_chains))
-
-    return None
-
-def apply(ethernet):
-    ifname = ethernet['ifname']
-    # take care about EAPoL supplicant daemon
-    eapol_action='stop'
-
-    e = EthernetIf(ifname)
-    if 'deleted' in ethernet:
-        # delete interface
-        e.remove()
-    else:
-        e.update(ethernet)
-        if 'eapol' in ethernet:
-            eapol_action='reload-or-restart'
-
-    call(f'systemctl {eapol_action} wpa_supplicant-wired@{ifname}')
-
-if __name__ == '__main__':
-    try:
-        c = get_config()
-        verify(c)
-        generate(c)
-        apply(c)
-    except ConfigError as e:
-        print(e)
-        exit(1)
diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces_bonding.py
index 0bd306ed0..8184d8415 100755
--- a/src/conf_mode/interfaces-bonding.py
+++ b/src/conf_mode/interfaces_bonding.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2022 VyOS maintainers and contributors
+# Copyright (C) 2019-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -18,7 +18,6 @@ import os
 
 from sys import exit
 from netifaces import interfaces
-
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import is_node_changed
@@ -34,11 +33,16 @@ from vyos.configverify import verify_source_interface
 from vyos.configverify import verify_vlan_config
 from vyos.configverify import verify_vrf
 from vyos.ifconfig import BondIf
+from vyos.ifconfig.ethernet import EthernetIf
 from vyos.ifconfig import Section
+from vyos.template import render_to_string
 from vyos.utils.dict import dict_search
+from vyos.utils.dict import dict_to_paths_values
 from vyos.configdict import has_address_configured
 from vyos.configdict import has_vrf_configured
+from vyos.configdep import set_dependents, call_dependents
 from vyos import ConfigError
+from vyos import frr
 from vyos import airbag
 airbag.enable()
 
@@ -90,7 +94,6 @@ def get_config(config=None):
 
     # determine which members have been removed
     interfaces_removed = leaf_node_changed(conf, base + [ifname, 'member', 'interface'])
-
     # Reset config level to interfaces
     old_level = conf.get_level()
     conf.set_level(['interfaces'])
@@ -102,6 +105,10 @@ def get_config(config=None):
 
         tmp = {}
         for interface in interfaces_removed:
+            # if member is deleted from bond, add dependencies to call
+            # ethernet commit again in apply function
+            # to apply options under ethernet section
+            set_dependents('ethernet', conf, interface)
             section = Section.section(interface) # this will be 'ethernet' for 'eth0'
             if conf.exists([section, interface, 'disable']):
                 tmp[interface] = {'disable': ''}
@@ -116,9 +123,21 @@ def get_config(config=None):
 
     if dict_search('member.interface', bond):
         for interface, interface_config in bond['member']['interface'].items():
+
+            interface_ethernet_config = conf.get_config_dict(
+                ['interfaces', 'ethernet', interface],
+                key_mangling=('-', '_'),
+                get_first_key=True,
+                no_tag_node_value_mangle=True,
+                with_defaults=False,
+                with_recursive_defaults=False)
+
+            interface_config['config_paths'] = dict_to_paths_values(interface_ethernet_config)
+
             # Check if member interface is a new member
             if not conf.exists_effective(base + [ifname, 'member', 'interface', interface]):
                 bond['shutdown_required'] = {}
+                interface_config['new_added'] = {}
 
             # Check if member interface is disabled
             conf.set_level(['interfaces'])
@@ -151,7 +170,6 @@ def get_config(config=None):
             # bond members must not have a VRF attached
             tmp = has_vrf_configured(conf, interface)
             if tmp: interface_config['has_vrf'] = {}
-
     return bond
 
 
@@ -212,6 +230,14 @@ def verify(bond):
             if 'has_vrf' in interface_config:
                 raise ConfigError(error_msg + 'it has a VRF assigned!')
 
+            if 'new_added' in interface_config and 'config_paths' in interface_config:
+                for option_path, option_value in interface_config['config_paths'].items():
+                    if option_path in EthernetIf.get_bond_member_allowed_options() :
+                        continue
+                    if option_path in BondIf.get_inherit_bond_options():
+                        continue
+                    raise ConfigError(error_msg + f'it has a "{option_path.replace(".", " ")}" assigned!')
+
     if 'primary' in bond:
         if bond['primary'] not in bond['member']['interface']:
             raise ConfigError(f'Primary interface of bond "{bond_name}" must be a member interface')
@@ -223,17 +249,38 @@ def verify(bond):
     return None
 
 def generate(bond):
+    bond['frr_zebra_config'] = ''
+    if 'deleted' not in bond:
+        bond['frr_zebra_config'] = render_to_string('frr/evpn.mh.frr.j2', bond)
     return None
 
 def apply(bond):
-    b = BondIf(bond['ifname'])
-
+    ifname = bond['ifname']
+    b = BondIf(ifname)
     if 'deleted' in bond:
         # delete interface
         b.remove()
     else:
         b.update(bond)
 
+    if dict_search('member.interface_remove', bond):
+        try:
+            call_dependents()
+        except ConfigError:
+            raise ConfigError('Error in updating ethernet interface '
+                              'after deleting it from bond')
+
+    zebra_daemon = 'zebra'
+    # Save original configuration prior to starting any commit actions
+    frr_cfg = frr.FRRConfig()
+
+    # The route-map used for the FIB (zebra) is part of the zebra daemon
+    frr_cfg.load_configuration(zebra_daemon)
+    frr_cfg.modify_section(f'^interface {ifname}', stop_pattern='^exit', remove_stop_mark=True)
+    if 'frr_zebra_config' in bond:
+        frr_cfg.add_before(frr.default_add_before, bond['frr_zebra_config'])
+    frr_cfg.commit_configuration(zebra_daemon)
+
     return None
 
 if __name__ == '__main__':
diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces_bridge.py
index c82f01e53..29991e2da 100755
--- a/src/conf_mode/interfaces-bridge.py
+++ b/src/conf_mode/interfaces_bridge.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2019-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -28,7 +28,8 @@ from vyos.configverify import verify_vrf
 from vyos.ifconfig import BridgeIf
 from vyos.configdict import has_address_configured
 from vyos.configdict import has_vrf_configured
-
+from vyos.configdep import set_dependents
+from vyos.configdep import call_dependents
 from vyos.utils.dict import dict_search
 from vyos import ConfigError
 
@@ -48,7 +49,7 @@ def get_config(config=None):
     ifname, bridge = get_interface_dict(conf, base)
 
     # determine which members have been removed
-    tmp = node_changed(conf, base + [ifname, 'member', 'interface'], key_mangling=('-', '_'))
+    tmp = node_changed(conf, base + [ifname, 'member', 'interface'])
     if tmp:
         if 'member' in bridge:
             bridge['member'].update({'interface_remove' : tmp })
@@ -83,6 +84,12 @@ def get_config(config=None):
             if 'enable_vlan' in bridge and tmp:
                 bridge['member']['interface'][interface].update({'has_vlan' : ''})
 
+            # When using VXLAN member interfaces that are configured for Single
+            # VXLAN Device (SVD) we need to call the VXLAN conf-mode script to re-create
+            # VLAN to VNI mappings if required
+            if interface.startswith('vxlan'):
+                set_dependents('vxlan', conf, interface)
+
     # delete empty dictionary keys - no need to run code paths if nothing is there to do
     if 'member' in bridge:
         if 'interface' in bridge['member'] and len(bridge['member']['interface']) == 0:
@@ -159,6 +166,13 @@ def apply(bridge):
     else:
         br.update(bridge)
 
+    for interface in dict_search('member.interface', bridge) or []:
+        if interface.startswith('vxlan'):
+            try:
+                call_dependents()
+            except ConfigError:
+                raise ConfigError('Error in updating VXLAN interface after changing bridge!')
+
     return None
 
 if __name__ == '__main__':
diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces_dummy.py
index e771581e1..e771581e1 100755
--- a/src/conf_mode/interfaces-dummy.py
+++ b/src/conf_mode/interfaces_dummy.py
diff --git a/src/conf_mode/interfaces_ethernet.py b/src/conf_mode/interfaces_ethernet.py
new file mode 100755
index 000000000..2c0f846c3
--- /dev/null
+++ b/src/conf_mode/interfaces_ethernet.py
@@ -0,0 +1,391 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019-2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import pprint
+
+from glob import glob
+from sys import exit
+
+from vyos.base import Warning
+from vyos.config import Config
+from vyos.configdict import get_interface_dict
+from vyos.configdict import is_node_changed
+from vyos.configverify import verify_address
+from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_eapol
+from vyos.configverify import verify_interface_exists
+from vyos.configverify import verify_mirror_redirect
+from vyos.configverify import verify_mtu
+from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_vlan_config
+from vyos.configverify import verify_vrf
+from vyos.configverify import verify_bond_bridge_member
+from vyos.ethtool import Ethtool
+from vyos.ifconfig import EthernetIf
+from vyos.ifconfig import BondIf
+from vyos.pki import find_chain
+from vyos.pki import encode_certificate
+from vyos.pki import load_certificate
+from vyos.pki import wrap_private_key
+from vyos.template import render
+from vyos.utils.process import call
+from vyos.utils.dict import dict_search
+from vyos.utils.dict import dict_to_paths_values
+from vyos.utils.dict import dict_set
+from vyos.utils.dict import dict_delete
+from vyos.utils.file import write_file
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+# XXX: wpa_supplicant works on the source interface
+cfg_dir = '/run/wpa_supplicant'
+wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf'
+
+def update_bond_options(conf: Config, eth_conf: dict) -> list:
+    """
+    Return list of blocked options if interface is a bond member
+    :param conf: Config object
+    :type conf: Config
+    :param eth_conf: Ethernet config dictionary
+    :type eth_conf: dict
+    :return: List of blocked options
+    :rtype: list
+    """
+    blocked_list = []
+    bond_name = list(eth_conf['is_bond_member'].keys())[0]
+    config_without_defaults = conf.get_config_dict(
+        ['interfaces', 'ethernet', eth_conf['ifname']],
+        key_mangling=('-', '_'),
+        get_first_key=True,
+        no_tag_node_value_mangle=True,
+        with_defaults=False,
+        with_recursive_defaults=False)
+    config_with_defaults = conf.get_config_dict(
+        ['interfaces', 'ethernet', eth_conf['ifname']],
+        key_mangling=('-', '_'),
+        get_first_key=True,
+        no_tag_node_value_mangle=True,
+        with_defaults=True,
+        with_recursive_defaults=True)
+    bond_config_with_defaults = conf.get_config_dict(
+        ['interfaces', 'bonding', bond_name],
+        key_mangling=('-', '_'),
+        get_first_key=True,
+        no_tag_node_value_mangle=True,
+        with_defaults=True,
+        with_recursive_defaults=True)
+    eth_dict_paths = dict_to_paths_values(config_without_defaults)
+    eth_path_base = ['interfaces', 'ethernet', eth_conf['ifname']]
+
+    #if option is configured under ethernet section
+    for option_path, option_value in eth_dict_paths.items():
+        bond_option_value = dict_search(option_path, bond_config_with_defaults)
+
+        #If option is allowed for changing then continue
+        if option_path in EthernetIf.get_bond_member_allowed_options():
+            continue
+        # if option is inherited from bond then set valued from bond interface
+        if option_path in BondIf.get_inherit_bond_options():
+            # If option equals to bond option then do nothing
+            if option_value == bond_option_value:
+                continue
+            else:
+                # if ethernet has option and bond interface has
+                # then copy it from bond
+                if bond_option_value is not None:
+                    if is_node_changed(conf, eth_path_base + option_path.split('.')):
+                        Warning(
+                            f'Cannot apply "{option_path.replace(".", " ")}" to "{option_value}".' \
+                            f' Interface "{eth_conf["ifname"]}" is a bond member.' \
+                            f' Option is inherited from bond "{bond_name}"')
+                    dict_set(option_path, bond_option_value, eth_conf)
+                    continue
+                # if ethernet has option and bond interface does not have
+                # then delete it form dict and do not apply it
+                else:
+                    if is_node_changed(conf, eth_path_base + option_path.split('.')):
+                        Warning(
+                            f'Cannot apply "{option_path.replace(".", " ")}".' \
+                            f' Interface "{eth_conf["ifname"]}" is a bond member.' \
+                            f' Option is inherited from bond "{bond_name}"')
+                    dict_delete(option_path, eth_conf)
+        blocked_list.append(option_path)
+
+    # if inherited option is not configured under ethernet section but configured under bond section
+    for option_path in BondIf.get_inherit_bond_options():
+        bond_option_value = dict_search(option_path, bond_config_with_defaults)
+        if bond_option_value is not None:
+            if option_path not in eth_dict_paths:
+                if is_node_changed(conf, eth_path_base + option_path.split('.')):
+                    Warning(
+                        f'Cannot apply "{option_path.replace(".", " ")}" to "{dict_search(option_path, config_with_defaults)}".' \
+                        f' Interface "{eth_conf["ifname"]}" is a bond member. ' \
+                        f'Option is inherited from bond "{bond_name}"')
+                dict_set(option_path, bond_option_value, eth_conf)
+    eth_conf['bond_blocked_changes'] = blocked_list
+    return None
+
+def get_config(config=None):
+    """
+    Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+    interface name will be added or a deleted flag
+    """
+    if config:
+        conf = config
+    else:
+        conf = Config()
+
+    base = ['interfaces', 'ethernet']
+    ifname, ethernet = get_interface_dict(conf, base, with_pki=True)
+
+    if 'is_bond_member' in ethernet:
+        update_bond_options(conf, ethernet)
+
+    tmp = is_node_changed(conf, base + [ifname, 'speed'])
+    if tmp: ethernet.update({'speed_duplex_changed': {}})
+
+    tmp = is_node_changed(conf, base + [ifname, 'duplex'])
+    if tmp: ethernet.update({'speed_duplex_changed': {}})
+
+    return ethernet
+
+def verify_speed_duplex(ethernet: dict, ethtool: Ethtool):
+    """
+     Verify speed and duplex
+    :param ethernet: dictionary which is received from get_interface_dict
+    :type ethernet: dict
+    :param ethtool: Ethernet object
+    :type ethtool: Ethtool
+    """
+    if ((ethernet['speed'] == 'auto' and ethernet['duplex'] != 'auto') or
+            (ethernet['speed'] != 'auto' and ethernet['duplex'] == 'auto')):
+        raise ConfigError(
+            'Speed/Duplex missmatch. Must be both auto or manually configured')
+
+    if ethernet['speed'] != 'auto' and ethernet['duplex'] != 'auto':
+        # We need to verify if the requested speed and duplex setting is
+        # supported by the underlaying NIC.
+        speed = ethernet['speed']
+        duplex = ethernet['duplex']
+        if not ethtool.check_speed_duplex(speed, duplex):
+            raise ConfigError(
+                f'Adapter does not support changing speed ' \
+                f'and duplex settings to: {speed}/{duplex}!')
+
+
+def verify_flow_control(ethernet: dict, ethtool: Ethtool):
+    """
+     Verify flow control
+    :param ethernet: dictionary which is received from get_interface_dict
+    :type ethernet: dict
+    :param ethtool: Ethernet object
+    :type ethtool: Ethtool
+    """
+    if 'disable_flow_control' in ethernet:
+        if not ethtool.check_flow_control():
+            raise ConfigError(
+                'Adapter does not support changing flow-control settings!')
+
+
+def verify_ring_buffer(ethernet: dict, ethtool: Ethtool):
+    """
+     Verify ring buffer
+    :param ethernet: dictionary which is received from get_interface_dict
+    :type ethernet: dict
+    :param ethtool: Ethernet object
+    :type ethtool: Ethtool
+    """
+    if 'ring_buffer' in ethernet:
+        max_rx = ethtool.get_ring_buffer_max('rx')
+        if not max_rx:
+            raise ConfigError(
+                'Driver does not support RX ring-buffer configuration!')
+
+        max_tx = ethtool.get_ring_buffer_max('tx')
+        if not max_tx:
+            raise ConfigError(
+                'Driver does not support TX ring-buffer configuration!')
+
+        rx = dict_search('ring_buffer.rx', ethernet)
+        if rx and int(rx) > int(max_rx):
+            raise ConfigError(f'Driver only supports a maximum RX ring-buffer ' \
+                              f'size of "{max_rx}" bytes!')
+
+        tx = dict_search('ring_buffer.tx', ethernet)
+        if tx and int(tx) > int(max_tx):
+            raise ConfigError(f'Driver only supports a maximum TX ring-buffer ' \
+                              f'size of "{max_tx}" bytes!')
+
+
+def verify_offload(ethernet: dict, ethtool: Ethtool):
+    """
+     Verify offloading capabilities
+    :param ethernet: dictionary which is received from get_interface_dict
+    :type ethernet: dict
+    :param ethtool: Ethernet object
+    :type ethtool: Ethtool
+    """
+    if dict_search('offload.rps', ethernet) != None:
+        if not os.path.exists(f'/sys/class/net/{ethernet["ifname"]}/queues/rx-0/rps_cpus'):
+            raise ConfigError('Interface does not suport RPS!')
+    driver = ethtool.get_driver_name()
+    # T3342 - Xen driver requires special treatment
+    if driver == 'vif':
+        if int(ethernet['mtu']) > 1500 and dict_search('offload.sg', ethernet) == None:
+            raise ConfigError('Xen netback drivers requires scatter-gatter offloading '\
+                              'for MTU size larger then 1500 bytes')
+
+
+def verify_allowedbond_changes(ethernet: dict):
+    """
+     Verify changed options if interface is in bonding
+    :param ethernet: dictionary which is received from get_interface_dict
+    :type ethernet: dict
+    """
+    if 'bond_blocked_changes' in ethernet:
+        for option in ethernet['bond_blocked_changes']:
+            raise ConfigError(f'Cannot configure "{option.replace(".", " ")}"' \
+                              f' on interface "{ethernet["ifname"]}".' \
+                              f' Interface is a bond member')
+
+
+def verify(ethernet):
+    if 'deleted' in ethernet:
+        return None
+    if 'is_bond_member' in ethernet:
+        verify_bond_member(ethernet)
+    else:
+        verify_ethernet(ethernet)
+
+
+def verify_bond_member(ethernet):
+    """
+     Verification function for ethernet interface which is in bonding
+    :param ethernet: dictionary which is received from get_interface_dict
+    :type ethernet: dict
+    """
+    ifname = ethernet['ifname']
+    verify_interface_exists(ifname)
+    verify_eapol(ethernet)
+    verify_mirror_redirect(ethernet)
+    ethtool = Ethtool(ifname)
+    verify_speed_duplex(ethernet, ethtool)
+    verify_flow_control(ethernet, ethtool)
+    verify_ring_buffer(ethernet, ethtool)
+    verify_offload(ethernet, ethtool)
+    verify_allowedbond_changes(ethernet)
+
+def verify_ethernet(ethernet):
+    """
+     Verification function for simple ethernet interface
+    :param ethernet: dictionary which is received from get_interface_dict
+    :type ethernet: dict
+    """
+    ifname = ethernet['ifname']
+    verify_interface_exists(ifname)
+    verify_mtu(ethernet)
+    verify_mtu_ipv6(ethernet)
+    verify_dhcpv6(ethernet)
+    verify_address(ethernet)
+    verify_vrf(ethernet)
+    verify_bond_bridge_member(ethernet)
+    verify_eapol(ethernet)
+    verify_mirror_redirect(ethernet)
+    ethtool = Ethtool(ifname)
+    # No need to check speed and duplex keys as both have default values.
+    verify_speed_duplex(ethernet, ethtool)
+    verify_flow_control(ethernet, ethtool)
+    verify_ring_buffer(ethernet, ethtool)
+    verify_offload(ethernet, ethtool)
+    # use common function to verify VLAN configuration
+    verify_vlan_config(ethernet)
+    return None
+
+
+def generate(ethernet):
+    # render real configuration file once
+    wpa_supplicant_conf = wpa_suppl_conf.format(**ethernet)
+
+    if 'deleted' in ethernet:
+        # delete configuration on interface removal
+        if os.path.isfile(wpa_supplicant_conf):
+            os.unlink(wpa_supplicant_conf)
+        return None
+
+    if 'eapol' in ethernet:
+        ifname = ethernet['ifname']
+
+        render(wpa_supplicant_conf, 'ethernet/wpa_supplicant.conf.j2', ethernet)
+
+        cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem')
+        cert_key_path = os.path.join(cfg_dir, f'{ifname}_cert.key')
+
+        cert_name = ethernet['eapol']['certificate']
+        pki_cert = ethernet['pki']['certificate'][cert_name]
+
+        loaded_pki_cert = load_certificate(pki_cert['certificate'])
+        loaded_ca_certs = {load_certificate(c['certificate'])
+            for c in ethernet['pki']['ca'].values()} if 'ca' in ethernet['pki'] else {}
+
+        cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
+
+        write_file(cert_file_path,
+                   '\n'.join(encode_certificate(c) for c in cert_full_chain))
+        write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
+
+        if 'ca_certificate' in ethernet['eapol']:
+            ca_cert_file_path = os.path.join(cfg_dir, f'{ifname}_ca.pem')
+            ca_chains = []
+
+            for ca_cert_name in ethernet['eapol']['ca_certificate']:
+                pki_ca_cert = ethernet['pki']['ca'][ca_cert_name]
+                loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
+                ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
+                ca_chains.append(
+                    '\n'.join(encode_certificate(c) for c in ca_full_chain))
+
+            write_file(ca_cert_file_path, '\n'.join(ca_chains))
+
+    return None
+
+def apply(ethernet):
+    ifname = ethernet['ifname']
+    # take care about EAPoL supplicant daemon
+    eapol_action='stop'
+
+    e = EthernetIf(ifname)
+    if 'deleted' in ethernet:
+        # delete interface
+        e.remove()
+    else:
+        e.update(ethernet)
+        if 'eapol' in ethernet:
+            eapol_action='reload-or-restart'
+
+    call(f'systemctl {eapol_action} wpa_supplicant-wired@{ifname}')
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces_geneve.py
index f6694ddde..f6694ddde 100755
--- a/src/conf_mode/interfaces-geneve.py
+++ b/src/conf_mode/interfaces_geneve.py
diff --git a/src/conf_mode/interfaces-input.py b/src/conf_mode/interfaces_input.py
index ad248843d..ad248843d 100755
--- a/src/conf_mode/interfaces-input.py
+++ b/src/conf_mode/interfaces_input.py
diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces_l2tpv3.py
index e1db3206e..e1db3206e 100755
--- a/src/conf_mode/interfaces-l2tpv3.py
+++ b/src/conf_mode/interfaces_l2tpv3.py
diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces_loopback.py
index 08d34477a..08d34477a 100755
--- a/src/conf_mode/interfaces-loopback.py
+++ b/src/conf_mode/interfaces_loopback.py
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces_macsec.py
index 0a927ac88..0a927ac88 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces_macsec.py
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces_openvpn.py
index 1d0feb56f..45569dd21 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces_openvpn.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2023 VyOS maintainers and contributors
+# Copyright (C) 2019-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -30,6 +30,7 @@ from netifaces import interfaces
 from secrets import SystemRandom
 from shutil import rmtree
 
+from vyos.base import DeprecationWarning
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import is_node_changed
@@ -88,16 +89,12 @@ def get_config(config=None):
         conf = Config()
     base = ['interfaces', 'openvpn']
 
-    ifname, openvpn = get_interface_dict(conf, base)
+    ifname, openvpn = get_interface_dict(conf, base, with_pki=True)
     openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn)
 
     if 'deleted' in openvpn:
         return openvpn
 
-    openvpn['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                        get_first_key=True,
-                                        no_tag_node_value_mangle=True)
-
     if is_node_changed(conf, base + [ifname, 'openvpn-option']):
         openvpn.update({'restart_required': {}})
     if is_node_changed(conf, base + [ifname, 'enable-dco']):
@@ -165,6 +162,12 @@ def verify_pki(openvpn):
         if shared_secret_key not in pki['openvpn']['shared_secret']:
             raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}')
 
+        # If PSK settings are correct, warn about its deprecation
+        DeprecationWarning('OpenVPN shared-secret support will be removed in future '\
+                           'VyOS versions. Please migrate your site-to-site tunnels to '\
+                           'TLS. You can use self-signed certificates with peer fingerprint '\
+                           'verification, consult the documentation for details.')
+
     if tls:
         if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
             raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\
@@ -344,9 +347,6 @@ def verify(openvpn):
             if v6_subnets > 1:
                 raise ConfigError('Cannot specify more than 1 IPv6 server subnet')
 
-            if v6_subnets > 0 and v4_subnets == 0:
-                raise ConfigError('IPv6 server requires an IPv4 server subnet')
-
             for subnet in tmp:
                 if is_ipv4(subnet):
                     subnet = IPv4Network(subnet)
@@ -388,6 +388,10 @@ def verify(openvpn):
                         for v4PoolNet in v4PoolNets:
                             if IPv4Address(client['ip'][0]) in v4PoolNet:
                                 print(f'Warning: Client "{client["name"]}" IP {client["ip"][0]} is in server IP pool, it is not reserved for this client.')
+            # configuring a client_ip_pool will set 'server ... nopool' which is currently incompatible with 'server-ipv6' (probably to be fixed upstream)
+            for subnet in (dict_search('server.subnet', openvpn) or []):
+                if is_ipv6(subnet):
+                    raise ConfigError(f'Setting client-ip-pool is incompatible having an IPv6 server subnet.')
 
         for subnet in (dict_search('server.subnet', openvpn) or []):
             if is_ipv6(subnet):
@@ -722,4 +726,3 @@ if __name__ == '__main__':
     except ConfigError as e:
         print(e)
         exit(1)
-
diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces_pppoe.py
index fca91253c..42f084309 100755
--- a/src/conf_mode/interfaces-pppoe.py
+++ b/src/conf_mode/interfaces_pppoe.py
@@ -61,6 +61,12 @@ def get_config(config=None):
             # bail out early - no need to further process other nodes
             break
 
+    if 'deleted' not in pppoe:
+        # We always set the MRU value to the MTU size. This code path only re-creates
+        # the old behavior if MRU is not set on the CLI.
+        if 'mru' not in pppoe:
+            pppoe['mru'] = pppoe['mtu']
+
     return pppoe
 
 def verify(pppoe):
@@ -77,6 +83,11 @@ def verify(pppoe):
     if {'connect_on_demand', 'vrf'} <= set(pppoe):
         raise ConfigError('On-demand dialing and VRF can not be used at the same time')
 
+    # both MTU and MRU have default values, thus we do not need to check
+    # if the key exists
+    if int(pppoe['mru']) > int(pppoe['mtu']):
+        raise ConfigError('PPPoE MRU needs to be lower then MTU!')
+
     return None
 
 def generate(pppoe):
diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces_pseudo-ethernet.py
index dce5c2358..dce5c2358 100755
--- a/src/conf_mode/interfaces-pseudo-ethernet.py
+++ b/src/conf_mode/interfaces_pseudo-ethernet.py
diff --git a/src/conf_mode/interfaces-sstpc.py b/src/conf_mode/interfaces_sstpc.py
index b588910dc..b9d7a74fb 100755
--- a/src/conf_mode/interfaces-sstpc.py
+++ b/src/conf_mode/interfaces_sstpc.py
@@ -45,7 +45,7 @@ def get_config(config=None):
     else:
         conf = Config()
     base = ['interfaces', 'sstpc']
-    ifname, sstpc = get_interface_dict(conf, base)
+    ifname, sstpc = get_interface_dict(conf, base, with_pki=True)
 
     # We should only terminate the SSTP client session if critical parameters
     # change. All parameters that can be changed on-the-fly (like interface
@@ -57,10 +57,6 @@ def get_config(config=None):
             # bail out early - no need to further process other nodes
             break
 
-    # Load PKI certificates for later processing
-    sstpc['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                        get_first_key=True,
-                                        no_tag_node_value_mangle=True)
     return sstpc
 
 def verify(sstpc):
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces_tunnel.py
index 91aed9cc3..efa5ebc64 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces_tunnel.py
@@ -24,7 +24,7 @@ from vyos.configdict import get_interface_dict
 from vyos.configdict import is_node_changed
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
-from vyos.configverify import verify_interface_exists
+from vyos.configverify import verify_source_interface
 from vyos.configverify import verify_mtu_ipv6
 from vyos.configverify import verify_mirror_redirect
 from vyos.configverify import verify_vrf
@@ -166,7 +166,7 @@ def verify(tunnel):
     verify_mirror_redirect(tunnel)
 
     if 'source_interface' in tunnel:
-        verify_interface_exists(tunnel['source_interface'])
+        verify_source_interface(tunnel)
 
     # TTL != 0 and nopmtudisc are incompatible, parameters and ip use default
     # values, thus the keys are always present.
diff --git a/src/conf_mode/interfaces-virtual-ethernet.py b/src/conf_mode/interfaces_virtual-ethernet.py
index 8efe89c41..8efe89c41 100755
--- a/src/conf_mode/interfaces-virtual-ethernet.py
+++ b/src/conf_mode/interfaces_virtual-ethernet.py
diff --git a/src/conf_mode/interfaces-vti.py b/src/conf_mode/interfaces_vti.py
index 9871810ae..9871810ae 100755
--- a/src/conf_mode/interfaces-vti.py
+++ b/src/conf_mode/interfaces_vti.py
diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces_vxlan.py
index a3b0867e0..4251e611b 100755
--- a/src/conf_mode/interfaces-vxlan.py
+++ b/src/conf_mode/interfaces_vxlan.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2022 VyOS maintainers and contributors
+# Copyright (C) 2019-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -24,6 +24,7 @@ from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import leaf_node_changed
 from vyos.configdict import is_node_changed
+from vyos.configdict import node_changed
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
 from vyos.configverify import verify_mtu_ipv6
@@ -33,6 +34,7 @@ from vyos.configverify import verify_bond_bridge_member
 from vyos.ifconfig import Interface
 from vyos.ifconfig import VXLANIf
 from vyos.template import is_ipv6
+from vyos.utils.dict import dict_search
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -52,12 +54,21 @@ def get_config(config=None):
     # VXLAN interfaces are picky and require recreation if certain parameters
     # change. But a VXLAN interface should - of course - not be re-created if
     # it's description or IP address is adjusted. Feels somehow logic doesn't it?
-    for cli_option in ['parameters', 'external', 'gpe', 'group', 'port', 'remote',
+    for cli_option in ['parameters', 'gpe', 'group', 'port', 'remote',
                        'source-address', 'source-interface', 'vni']:
         if is_node_changed(conf, base + [ifname, cli_option]):
             vxlan.update({'rebuild_required': {}})
             break
 
+    # When dealing with VNI filtering we need to know what VNI was actually removed,
+    # so build up a dict matching the vlan_to_vni structure but with removed values.
+    tmp = node_changed(conf, base + [ifname, 'vlan-to-vni'], recursive=True)
+    if tmp:
+        vxlan.update({'vlan_to_vni_removed': {}})
+        for vlan in tmp:
+            vni = leaf_node_changed(conf, base + [ifname, 'vlan-to-vni', vlan, 'vni'])
+            vxlan['vlan_to_vni_removed'].update({vlan : {'vni' : vni[0]}})
+
     # We need to verify that no other VXLAN tunnel is configured when external
     # mode is in use - Linux Kernel limitation
     conf.set_level(base)
@@ -90,17 +101,34 @@ def verify(vxlan):
     if not any(tmp in ['group', 'remote', 'source_address', 'source_interface'] for tmp in vxlan):
         raise ConfigError('Group, remote, source-address or source-interface must be configured')
 
-    if 'vni' not in vxlan and 'external' not in vxlan:
-        raise ConfigError(
-            'Must either configure VXLAN "vni" or use "external" CLI option!')
-
-    if {'external', 'vni'} <= set(vxlan):
-        raise ConfigError('Can not specify both "external" and "VNI"!')
-
-    if {'external', 'other_tunnels'} <= set(vxlan):
-        other_tunnels = ', '.join(vxlan['other_tunnels'])
-        raise ConfigError(f'Only one VXLAN tunnel is supported when "external" '\
-                          f'CLI option is used. Additional tunnels: {other_tunnels}')
+    if 'vni' not in vxlan and dict_search('parameters.external', vxlan) == None:
+        raise ConfigError('Must either configure VXLAN "vni" or use "external" CLI option!')
+
+    if dict_search('parameters.external', vxlan) != None:
+        if 'vni' in vxlan:
+            raise ConfigError('Can not specify both "external" and "VNI"!')
+
+        if 'other_tunnels' in vxlan:
+            # When multiple VXLAN interfaces are defined and "external" is used,
+            # all VXLAN interfaces need to have vni-filter enabled!
+            # See Linux Kernel commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9
+            other_vni_filter = False
+            for tunnel, tunnel_config in vxlan['other_tunnels'].items():
+                if dict_search('parameters.vni_filter', tunnel_config) != None:
+                    other_vni_filter = True
+                    break
+            # eqivalent of the C foo ? 'a' : 'b' statement
+            vni_filter = True and (dict_search('parameters.vni_filter', vxlan) != None) or False
+            # If either one is enabled, so must be the other. Both can be off and both can be on
+            if (vni_filter and not other_vni_filter) or (not vni_filter and other_vni_filter):
+                raise ConfigError(f'Using multiple VXLAN interfaces with "external" '\
+                    'requires all VXLAN interfaces to have "vni-filter" configured!')
+
+            if not vni_filter and not other_vni_filter:
+                other_tunnels = ', '.join(vxlan['other_tunnels'])
+                raise ConfigError(f'Only one VXLAN tunnel is supported when "external" '\
+                                f'CLI option is used and "vni-filter" is unset. '\
+                                f'Additional tunnels: {other_tunnels}')
 
     if 'gpe' in vxlan and 'external' not in vxlan:
         raise ConfigError(f'VXLAN-GPE is only supported when "external" '\
@@ -146,10 +174,36 @@ def verify(vxlan):
                     raise ConfigError(error_msg)
                 protocol = 'ipv4'
 
+    if 'vlan_to_vni' in vxlan:
+        if 'is_bridge_member' not in vxlan:
+            raise ConfigError('VLAN to VNI mapping requires that VXLAN interface '\
+                              'is member of a bridge interface!')
+
+        vnis_used = []
+        for vif, vif_config in vxlan['vlan_to_vni'].items():
+            if 'vni' not in vif_config:
+                raise ConfigError(f'Must define VNI for VLAN "{vif}"!')
+            vni = vif_config['vni']
+            if vni in vnis_used:
+                raise ConfigError(f'VNI "{vni}" is already assigned to a different VLAN!')
+            vnis_used.append(vni)
+
+    if dict_search('parameters.neighbor_suppress', vxlan) != None:
+        if 'is_bridge_member' not in vxlan:
+            raise ConfigError('Neighbor suppression requires that VXLAN interface '\
+                              'is member of a bridge interface!')
+
     verify_mtu_ipv6(vxlan)
     verify_address(vxlan)
     verify_bond_bridge_member(vxlan)
     verify_mirror_redirect(vxlan)
+
+    # We use a defaultValue for port, thus it's always safe to use
+    if vxlan['port'] == '8472':
+        Warning('Starting from VyOS 1.4, the default port for VXLAN '\
+                'has been changed to 4789. This matches the IANA assigned '\
+                'standard port number!')
+
     return None
 
 def generate(vxlan):
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces_wireguard.py
index 122d9589a..79e5d3f44 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces_wireguard.py
@@ -51,17 +51,9 @@ def get_config(config=None):
     tmp = is_node_changed(conf, base + [ifname, 'port'])
     if tmp: wireguard['port_changed'] = {}
 
-    # Determine which Wireguard peer has been removed.
-    # Peers can only be removed with their public key!
-    if 'peer' in wireguard:
-        peer_remove = {}
-        for peer, peer_config in wireguard['peer'].items():
-            # T4702: If anything on a peer changes we remove the peer first and re-add it
-            if is_node_changed(conf, base + [ifname, 'peer', peer]):
-                if 'public_key' in peer_config:
-                    peer_remove = dict_merge({'peer_remove' : {peer : peer_config['public_key']}}, peer_remove)
-        if peer_remove:
-           wireguard.update(peer_remove)
+    # T4702: If anything on a peer changes we remove the peer first and re-add it
+    if is_node_changed(conf, base + [ifname, 'peer']):
+        wireguard.update({'rebuild_required': {}})
 
     return wireguard
 
@@ -113,12 +105,21 @@ def verify(wireguard):
         public_keys.append(peer['public_key'])
 
 def apply(wireguard):
-    tmp = WireGuardIf(wireguard['ifname'])
-    if 'deleted' in wireguard:
-        tmp.remove()
-        return None
+    if 'rebuild_required' in wireguard or 'deleted' in wireguard:
+        wg = WireGuardIf(**wireguard)
+        # WireGuard only supports peer removal based on the configured public-key,
+        # by deleting the entire interface this is the shortcut instead of parsing
+        # out all peers and removing them one by one.
+        #
+        # Peer reconfiguration will always come with a short downtime while the
+        # WireGuard interface is recreated (see below)
+        wg.remove()
+
+    # Create the new interface if required
+    if 'deleted' not in wireguard:
+        wg = WireGuardIf(**wireguard)
+        wg.update(wireguard)
 
-    tmp.update(wireguard)
     return None
 
 if __name__ == '__main__':
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces_wireless.py
index 02b4a2500..02b4a2500 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces_wireless.py
diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces_wwan.py
index 2515dc838..2515dc838 100755
--- a/src/conf_mode/interfaces-wwan.py
+++ b/src/conf_mode/interfaces_wwan.py
diff --git a/src/conf_mode/le_cert.py b/src/conf_mode/le_cert.py
deleted file mode 100755
index 06c7e7b72..000000000
--- a/src/conf_mode/le_cert.py
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import sys
-import os
-
-import vyos.defaults
-from vyos.config import Config
-from vyos import ConfigError
-from vyos.utils.process import cmd
-from vyos.utils.process import call
-from vyos.utils.process import is_systemd_service_running
-
-from vyos import airbag
-airbag.enable()
-
-vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode']
-vyos_certbot_dir = vyos.defaults.directories['certbot']
-
-dependencies = [
-    'https.py',
-]
-
-def request_certbot(cert):
-    email = cert.get('email')
-    if email is not None:
-        email_flag = '-m {0}'.format(email)
-    else:
-        email_flag = ''
-
-    domains = cert.get('domains')
-    if domains is not None:
-        domain_flag = '-d ' + ' -d '.join(domains)
-    else:
-        domain_flag = ''
-
-    certbot_cmd = f'certbot certonly --config-dir {vyos_certbot_dir} -n --nginx --agree-tos --no-eff-email --expand {email_flag} {domain_flag}'
-
-    cmd(certbot_cmd,
-        raising=ConfigError,
-        message="The certbot request failed for the specified domains.")
-
-def get_config():
-    conf = Config()
-    if not conf.exists('service https certificates certbot'):
-        return None
-    else:
-        conf.set_level('service https certificates certbot')
-
-    cert = {}
-
-    if conf.exists('domain-name'):
-        cert['domains'] = conf.return_values('domain-name')
-
-    if conf.exists('email'):
-        cert['email'] = conf.return_value('email')
-
-    return cert
-
-def verify(cert):
-    if cert is None:
-        return None
-
-    if 'domains' not in cert:
-        raise ConfigError("At least one domain name is required to"
-                          " request a letsencrypt certificate.")
-
-    if 'email' not in cert:
-        raise ConfigError("An email address is required to request"
-                          " a letsencrypt certificate.")
-
-def generate(cert):
-    if cert is None:
-        return None
-
-    # certbot will attempt to reload nginx, even with 'certonly';
-    # start nginx if not active
-    if not is_systemd_service_running('nginx.service'):
-        call('systemctl start nginx.service')
-
-    request_certbot(cert)
-
-def apply(cert):
-    if cert is not None:
-        call('systemctl restart certbot.timer')
-    else:
-        call('systemctl stop certbot.timer')
-        return None
-
-    for dep in dependencies:
-        cmd(f'{vyos_conf_scripts_dir}/{dep}', raising=ConfigError)
-
-if __name__ == '__main__':
-    try:
-        c = get_config()
-        verify(c)
-        generate(c)
-        apply(c)
-    except ConfigError as e:
-        print(e)
-        sys.exit(1)
-
diff --git a/src/conf_mode/load-balancing-haproxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index 8fe429653..7338fe573 100755
--- a/src/conf_mode/load-balancing-haproxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2023 VyOS maintainers and contributors
+# Copyright (C) 2023-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -43,17 +43,14 @@ def get_config(config=None):
         conf = Config()
 
     base = ['load-balancing', 'reverse-proxy']
+    if not conf.exists(base):
+        return None
     lb = conf.get_config_dict(base,
                               get_first_key=True,
                               key_mangling=('-', '_'),
-                              no_tag_node_value_mangle=True)
-
-    if lb:
-        lb['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                    get_first_key=True, no_tag_node_value_mangle=True)
-
-    if lb:
-        lb = conf.merge_defaults(lb, recursive=True)
+                              no_tag_node_value_mangle=True,
+                              with_recursive_defaults=True,
+                              with_pki=True)
 
     return lb
 
@@ -94,8 +91,8 @@ def generate(lb):
             if os.path.isfile(file):
                 os.unlink(file)
         # Delete old directories
-        #if os.path.isdir(load_balancing_dir):
-        #    rmtree(load_balancing_dir, ignore_errors=True)
+        if os.path.isdir(load_balancing_dir):
+            rmtree(load_balancing_dir, ignore_errors=True)
 
         return None
 
@@ -106,26 +103,26 @@ def generate(lb):
     # SSL Certificates for frontend
     for front, front_config in lb['service'].items():
         if 'ssl' in front_config:
-            cert_file_path = os.path.join(load_balancing_dir, 'cert.pem')
-            cert_key_path = os.path.join(load_balancing_dir, 'cert.pem.key')
-            ca_cert_file_path = os.path.join(load_balancing_dir, 'ca.pem')
 
             if 'certificate' in front_config['ssl']:
-                #cert_file_path = os.path.join(load_balancing_dir, 'cert.pem')
-                #cert_key_path = os.path.join(load_balancing_dir, 'cert.key')
-                cert_name = front_config['ssl']['certificate']
-                pki_cert = lb['pki']['certificate'][cert_name]
+                cert_names = front_config['ssl']['certificate']
+
+                for cert_name in cert_names:
+                    pki_cert = lb['pki']['certificate'][cert_name]
+                    cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem')
+                    cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key')
 
-                with open(cert_file_path, 'w') as f:
-                    f.write(wrap_certificate(pki_cert['certificate']))
+                    with open(cert_file_path, 'w') as f:
+                        f.write(wrap_certificate(pki_cert['certificate']))
 
-                if 'private' in pki_cert and 'key' in pki_cert['private']:
-                    with open(cert_key_path, 'w') as f:
-                        f.write(wrap_private_key(pki_cert['private']['key']))
+                    if 'private' in pki_cert and 'key' in pki_cert['private']:
+                        with open(cert_key_path, 'w') as f:
+                            f.write(wrap_private_key(pki_cert['private']['key']))
 
             if 'ca_certificate' in front_config['ssl']:
                 ca_name = front_config['ssl']['ca_certificate']
                 pki_ca_cert = lb['pki']['ca'][ca_name]
+                ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
 
                 with open(ca_cert_file_path, 'w') as f:
                     f.write(wrap_certificate(pki_ca_cert['certificate']))
@@ -133,11 +130,11 @@ def generate(lb):
     # SSL Certificates for backend
     for back, back_config in lb['backend'].items():
         if 'ssl' in back_config:
-            ca_cert_file_path = os.path.join(load_balancing_dir, 'ca.pem')
 
             if 'ca_certificate' in back_config['ssl']:
                 ca_name = back_config['ssl']['ca_certificate']
                 pki_ca_cert = lb['pki']['ca'][ca_name]
+                ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
 
                 with open(ca_cert_file_path, 'w') as f:
                     f.write(wrap_certificate(pki_ca_cert['certificate']))
diff --git a/src/conf_mode/load-balancing-wan.py b/src/conf_mode/load-balancing_wan.py
index ad9c80d72..ad9c80d72 100755
--- a/src/conf_mode/load-balancing-wan.py
+++ b/src/conf_mode/load-balancing_wan.py
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 9da7fbe80..ffd4a33e7 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -75,15 +75,8 @@ def verify_rule(config, err_msg, groups_dict):
         dict_search('source.port', config)):
 
         if config['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
-            raise ConfigError(f'{err_msg}\n' \
-                              'ports can only be specified when protocol is '\
-                              'either tcp, udp or tcp_udp!')
-
-        if is_ip_network(dict_search('translation.address', config)):
-            raise ConfigError(f'{err_msg}\n' \
-                             'Cannot use ports with an IPv4 network as translation address as it\n' \
-                             'statically maps a whole network of addresses onto another\n' \
-                             'network of addresses')
+            raise ConfigError(f'{err_msg} ports can only be specified when '\
+                              'protocol is either tcp, udp or tcp_udp!')
 
     for side in ['destination', 'source']:
         if side in config:
@@ -195,11 +188,13 @@ def verify(nat):
     if dict_search('source.rule', nat):
         for rule, config in dict_search('source.rule', nat).items():
             err_msg = f'Source NAT configuration error in rule {rule}:'
-            if 'outbound_interface' not in config:
-                raise ConfigError(f'{err_msg} outbound-interface not specified')
 
-            if config['outbound_interface'] not in 'any' and config['outbound_interface'] not in interfaces():
-                Warning(f'rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system')
+            if 'outbound_interface' in config:
+                if 'name' in config['outbound_interface'] and 'group' in config['outbound_interface']:
+                    raise ConfigError(f'{err_msg} cannot specify both interface group and interface name for nat source rule "{rule}"')
+                elif 'name' in config['outbound_interface']:
+                    if config['outbound_interface']['name'] not in 'any' and config['outbound_interface']['name'] not in interfaces():
+                        Warning(f'NAT interface "{config["outbound_interface"]["name"]}" for source NAT rule "{rule}" does not exist!')
 
             if not dict_search('translation.address', config) and not dict_search('translation.port', config):
                 if 'exclude' not in config and 'backend' not in config['load_balance']:
@@ -218,11 +213,12 @@ def verify(nat):
         for rule, config in dict_search('destination.rule', nat).items():
             err_msg = f'Destination NAT configuration error in rule {rule}:'
 
-            if 'inbound_interface' not in config:
-                raise ConfigError(f'{err_msg}\n' \
-                                  'inbound-interface not specified')
-            elif config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces():
-                Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system')
+            if 'inbound_interface' in config:
+                if 'name' in config['inbound_interface'] and 'group' in config['inbound_interface']:
+                    raise ConfigError(f'{err_msg} cannot specify both interface group and interface name for destination nat rule "{rule}"')
+                elif 'name' in config['inbound_interface']:
+                    if config['inbound_interface']['name'] not in 'any' and config['inbound_interface']['name'] not in interfaces():
+                        Warning(f'NAT interface "{config["inbound_interface"]["name"]}" for destination NAT rule "{rule}" does not exist!')
 
             if not dict_search('translation.address', config) and not dict_search('translation.port', config) and 'redirect' not in config['translation']:
                 if 'exclude' not in config and 'backend' not in config['load_balance']:
@@ -236,8 +232,7 @@ def verify(nat):
             err_msg = f'Static NAT configuration error in rule {rule}:'
 
             if 'inbound_interface' not in config:
-                raise ConfigError(f'{err_msg}\n' \
-                                  'inbound-interface not specified')
+                raise ConfigError(f'{err_msg} inbound-interface not specified')
 
             # common rule verification
             verify_rule(config, err_msg, nat['firewall_group'])
diff --git a/src/conf_mode/nat64.py b/src/conf_mode/nat64.py
new file mode 100755
index 000000000..6026c61d0
--- /dev/null
+++ b/src/conf_mode/nat64.py
@@ -0,0 +1,216 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# pylint: disable=empty-docstring,missing-module-docstring
+
+import csv
+import os
+import re
+
+from ipaddress import IPv6Network
+from json import dumps as json_write
+
+from vyos import ConfigError
+from vyos import airbag
+from vyos.config import Config
+from vyos.configdict import dict_merge
+from vyos.configdict import is_node_changed
+from vyos.utils.dict import dict_search
+from vyos.utils.file import write_file
+from vyos.utils.kernel import check_kmod
+from vyos.utils.process import cmd
+from vyos.utils.process import run
+
+airbag.enable()
+
+INSTANCE_REGEX = re.compile(r"instance-(\d+)")
+JOOL_CONFIG_DIR = "/run/jool"
+
+
+def get_config(config: Config | None = None) -> None:
+    if config is None:
+        config = Config()
+
+    base = ["nat64"]
+    nat64 = config.get_config_dict(base, key_mangling=("-", "_"), get_first_key=True)
+
+    base_src = base + ["source", "rule"]
+
+    # Load in existing instances so we can destroy any unknown
+    lines = cmd("jool instance display --csv").splitlines()
+    for _, instance, _ in csv.reader(lines):
+        match = INSTANCE_REGEX.fullmatch(instance)
+        if not match:
+            # FIXME: Instances that don't match should be ignored but WARN'ed to the user
+            continue
+        num = match.group(1)
+
+        rules = nat64.setdefault("source", {}).setdefault("rule", {})
+        # Mark it for deletion
+        if num not in rules:
+            rules[num] = {"deleted": True}
+            continue
+
+        # If the user changes the mode, recreate the instance else Jool fails with:
+        # Jool error: Sorry; you can't change an instance's framework for now.
+        if is_node_changed(config, base_src + [f"instance-{num}", "mode"]):
+            rules[num]["recreate"] = True
+
+        # If the user changes the pool6, recreate the instance else Jool fails with:
+        # Jool error: Sorry; you can't change a NAT64 instance's pool6 for now.
+        if dict_search("source.prefix", rules[num]) and is_node_changed(
+            config,
+            base_src + [num, "source", "prefix"],
+        ):
+            rules[num]["recreate"] = True
+
+    return nat64
+
+
+def verify(nat64) -> None:
+    if not nat64:
+        # no need to verify the CLI as nat64 is going to be deactivated
+        return
+
+    if dict_search("source.rule", nat64):
+        # Ensure only 1 netfilter instance per namespace
+        nf_rules = filter(
+            lambda i: "deleted" not in i and i.get('mode') == "netfilter",
+            nat64["source"]["rule"].values(),
+        )
+        next(nf_rules, None)  # Discard the first element
+        if next(nf_rules, None) is not None:
+            raise ConfigError(
+                "Jool permits only 1 NAT64 netfilter instance (per network namespace)"
+            )
+
+        for rule, instance in nat64["source"]["rule"].items():
+            if "deleted" in instance:
+                continue
+
+            # Verify that source.prefix is set and is a /96
+            if not dict_search("source.prefix", instance):
+                raise ConfigError(f"Source NAT64 rule {rule} missing source prefix")
+            if IPv6Network(instance["source"]["prefix"]).prefixlen != 96:
+                raise ConfigError(f"Source NAT64 rule {rule} source prefix must be /96")
+
+            pools = dict_search("translation.pool", instance)
+            if pools:
+                for num, pool in pools.items():
+                    if "address" not in pool:
+                        raise ConfigError(
+                            f"Source NAT64 rule {rule} translation pool "
+                            f"{num} missing address/prefix"
+                        )
+                    if "port" not in pool:
+                        raise ConfigError(
+                            f"Source NAT64 rule {rule} translation pool "
+                            f"{num} missing port(-range)"
+                        )
+
+
+def generate(nat64) -> None:
+    os.makedirs(JOOL_CONFIG_DIR, exist_ok=True)
+
+    if dict_search("source.rule", nat64):
+        for rule, instance in nat64["source"]["rule"].items():
+            if "deleted" in instance:
+                # Delete the unused instance file
+                os.unlink(os.path.join(JOOL_CONFIG_DIR, f"instance-{rule}.json"))
+                continue
+
+            name = f"instance-{rule}"
+            config = {
+                "instance": name,
+                "framework": "netfilter",
+                "global": {
+                    "pool6": instance["source"]["prefix"],
+                    "manually-enabled": "disable" not in instance,
+                },
+                # "bib": [],
+            }
+
+            if "description" in instance:
+                config["comment"] = instance["description"]
+
+            if dict_search("translation.pool", instance):
+                pool4 = []
+                # mark
+                mark = ''
+                if dict_search("match.mark", instance):
+                    mark = instance["match"]["mark"]
+
+                for pool in instance["translation"]["pool"].values():
+                    if "disable" in pool:
+                        continue
+
+                    protos = pool.get("protocol", {}).keys() or ("tcp", "udp", "icmp")
+                    for proto in protos:
+                        obj = {
+                            "protocol": proto.upper(),
+                            "prefix": pool["address"],
+                            "port range": pool["port"],
+                        }
+                        if mark:
+                            obj["mark"] = int(mark)
+                        if "description" in pool:
+                            obj["comment"] = pool["description"]
+
+                        pool4.append(obj)
+
+                if pool4:
+                    config["pool4"] = pool4
+
+            write_file(f'{JOOL_CONFIG_DIR}/{name}.json', json_write(config, indent=2))
+
+
+def apply(nat64) -> None:
+    if not nat64:
+        return
+
+    if dict_search("source.rule", nat64):
+        # Deletions first to avoid conflicts
+        for rule, instance in nat64["source"]["rule"].items():
+            if not any(k in instance for k in ("deleted", "recreate")):
+                continue
+
+            ret = run(f"jool instance remove instance-{rule}")
+            if ret != 0:
+                raise ConfigError(
+                    f"Failed to remove nat64 source rule {rule} (jool instance instance-{rule})"
+                )
+
+        # Now creations
+        for rule, instance in nat64["source"]["rule"].items():
+            if "deleted" in instance:
+                continue
+
+            name = f"instance-{rule}"
+            ret = run(f"jool -i {name} file handle {JOOL_CONFIG_DIR}/{name}.json")
+            if ret != 0:
+                raise ConfigError(f"Failed to set jool instance {name}")
+
+
+if __name__ == "__main__":
+    try:
+        check_kmod(["jool"])
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py
index 4c12618bc..ed716b2a2 100755
--- a/src/conf_mode/nat66.py
+++ b/src/conf_mode/nat66.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020-2021 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -35,7 +35,6 @@ airbag.enable()
 k_mod = ['nft_nat', 'nft_chain_nat']
 
 nftables_nat66_config = '/run/nftables_nat66.nft'
-ndppd_config = '/run/ndppd/ndppd.conf'
 
 def get_handler(json, chain, target):
     """ Get nftable rule handler number of given chain/target combination.
@@ -102,11 +101,13 @@ def verify(nat):
     if dict_search('source.rule', nat):
         for rule, config in dict_search('source.rule', nat).items():
             err_msg = f'Source NAT66 configuration error in rule {rule}:'
-            if 'outbound_interface' not in config:
-                raise ConfigError(f'{err_msg} outbound-interface not specified')
 
-            if config['outbound_interface'] not in interfaces():
-                raise ConfigError(f'rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system')
+            if 'outbound_interface' in config:
+                if 'name' in config['outbound_interface'] and 'group' in config['outbound_interface']:
+                    raise ConfigError(f'{err_msg} cannot specify both interface group and interface name for nat source rule "{rule}"')
+                elif 'name' in config['outbound_interface']:
+                    if config['outbound_interface']['name'] not in 'any' and config['outbound_interface']['name'] not in interfaces():
+                        Warning(f'NAT66 interface "{config["outbound_interface"]["name"]}" for source NAT66 rule "{rule}" does not exist!')
 
             addr = dict_search('translation.address', config)
             if addr != None:
@@ -125,12 +126,12 @@ def verify(nat):
         for rule, config in dict_search('destination.rule', nat).items():
             err_msg = f'Destination NAT66 configuration error in rule {rule}:'
 
-            if 'inbound_interface' not in config:
-                raise ConfigError(f'{err_msg}\n' \
-                                  'inbound-interface not specified')
-            else:
-                if config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces():
-                    Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system')
+            if 'inbound_interface' in config:
+                if 'name' in config['inbound_interface'] and 'group' in config['inbound_interface']:
+                    raise ConfigError(f'{err_msg} cannot specify both interface group and interface name for destination nat rule "{rule}"')
+                elif 'name' in config['inbound_interface']:
+                    if config['inbound_interface']['name'] not in 'any' and config['inbound_interface']['name'] not in interfaces():
+                        Warning(f'NAT66 interface "{config["inbound_interface"]["name"]}" for destination NAT66 rule "{rule}" does not exist!')
 
     return None
 
@@ -139,7 +140,6 @@ def generate(nat):
         nat['first_install'] = True
 
     render(nftables_nat66_config, 'firewall/nftables-nat66.j2', nat, permission=0o755)
-    render(ndppd_config, 'ndppd/ndppd.conf.j2', nat, permission=0o755)
     return None
 
 def apply(nat):
@@ -148,13 +148,6 @@ def apply(nat):
 
     cmd(f'nft -f {nftables_nat66_config}')
 
-    if 'deleted' in nat or not dict_search('source.rule', nat):
-        cmd('systemctl stop ndppd')
-        if os.path.isfile(ndppd_config):
-            os.unlink(ndppd_config)
-    else:
-        cmd('systemctl restart ndppd')
-
     return None
 
 if __name__ == '__main__':
diff --git a/src/conf_mode/netns.py b/src/conf_mode/netns.py
index 95ab83dbc..7cee33bc6 100755
--- a/src/conf_mode/netns.py
+++ b/src/conf_mode/netns.py
@@ -77,8 +77,8 @@ def verify(netns):
     if 'netns_remove' in netns:
         for name, config in netns['netns_remove'].items():
             if 'interface' in config:
-                raise ConfigError(f'Can not remove NETNS "{name}", it still has '\
-                                  f'member interfaces!')
+                raise ConfigError(f'Can not remove network namespace "{name}", it '\
+                                  f'still has member interfaces!')
 
     if 'name' in netns:
         for name, config in netns['name'].items():
@@ -87,7 +87,6 @@ def verify(netns):
 
     return None
 
-
 def generate(netns):
     if not netns:
         return None
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index 34ba2fe69..4be40e99e 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -14,59 +14,66 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import os
+
+from sys import argv
 from sys import exit
 
 from vyos.config import Config
-from vyos.configdep import set_dependents, call_dependents
+from vyos.config import config_dict_merge
+from vyos.configdep import set_dependents
+from vyos.configdep import call_dependents
 from vyos.configdict import node_changed
+from vyos.configdiff import Diff
+from vyos.defaults import directories
 from vyos.pki import is_ca_certificate
 from vyos.pki import load_certificate
 from vyos.pki import load_public_key
 from vyos.pki import load_private_key
 from vyos.pki import load_crl
 from vyos.pki import load_dh_parameters
+from vyos.utils.boot import boot_configuration_complete
+from vyos.utils.dict import dict_search
 from vyos.utils.dict import dict_search_args
 from vyos.utils.dict import dict_search_recursive
+from vyos.utils.process import call
+from vyos.utils.process import cmd
+from vyos.utils.process import is_systemd_service_active
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
 
-# keys to recursively search for under specified path, script to call if update required
+vyos_certbot_dir = directories['certbot']
+
+# keys to recursively search for under specified path
 sync_search = [
     {
         'keys': ['certificate'],
         'path': ['service', 'https'],
-        'script': '/usr/libexec/vyos/conf_mode/https.py'
     },
     {
         'keys': ['certificate', 'ca_certificate'],
         'path': ['interfaces', 'ethernet'],
-        'script': '/usr/libexec/vyos/conf_mode/interfaces-ethernet.py'
     },
     {
         'keys': ['certificate', 'ca_certificate', 'dh_params', 'shared_secret_key', 'auth_key', 'crypt_key'],
         'path': ['interfaces', 'openvpn'],
-        'script': '/usr/libexec/vyos/conf_mode/interfaces-openvpn.py'
     },
     {
         'keys': ['ca_certificate'],
         'path': ['interfaces', 'sstpc'],
-        'script': '/usr/libexec/vyos/conf_mode/interfaces-sstpc.py'
     },
     {
         'keys': ['certificate', 'ca_certificate', 'local_key', 'remote_key'],
         'path': ['vpn', 'ipsec'],
-        'script': '/usr/libexec/vyos/conf_mode/vpn_ipsec.py'
     },
     {
         'keys': ['certificate', 'ca_certificate'],
         'path': ['vpn', 'openconnect'],
-        'script': '/usr/libexec/vyos/conf_mode/vpn_openconnect.py'
     },
     {
         'keys': ['certificate', 'ca_certificate'],
         'path': ['vpn', 'sstp'],
-        'script': '/usr/libexec/vyos/conf_mode/vpn_sstp.py'
     }
 ]
 
@@ -82,6 +89,33 @@ sync_translate = {
     'crypt_key': 'openvpn'
 }
 
+def certbot_delete(certificate):
+    if not boot_configuration_complete():
+        return
+    if os.path.exists(f'{vyos_certbot_dir}/renewal/{certificate}.conf'):
+        cmd(f'certbot delete --non-interactive --config-dir {vyos_certbot_dir} --cert-name {certificate}')
+
+def certbot_request(name: str, config: dict, dry_run: bool=True):
+    # We do not call certbot when booting the system - there is no need to do so and
+    # request new certificates during boot/image upgrade as the certbot configuration
+    # is stored persistent under /config - thus we do not open the door to transient
+    # errors
+    if not boot_configuration_complete():
+        return
+
+    domains = '--domains ' + ' --domains '.join(config['domain_name'])
+    tmp = f'certbot certonly --non-interactive --config-dir {vyos_certbot_dir} --cert-name {name} '\
+          f'--standalone --agree-tos --no-eff-email --expand --server {config["url"]} '\
+          f'--email {config["email"]} --key-type rsa --rsa-key-size {config["rsa_key_size"]} '\
+          f'{domains}'
+    if 'listen_address' in config:
+        tmp += f' --http-01-address {config["listen_address"]}'
+    # verify() does not need to actually request a cert but only test for plausability
+    if dry_run:
+        tmp += ' --dry-run'
+
+    cmd(tmp, raising=ConfigError, message=f'ACME certbot request failed for "{name}"!')
+
 def get_config(config=None):
     if config:
         conf = config
@@ -93,25 +127,60 @@ def get_config(config=None):
                                      get_first_key=True,
                                      no_tag_node_value_mangle=True)
 
-    pki['changed'] = {}
-    tmp = node_changed(conf, base + ['ca'], key_mangling=('-', '_'), recursive=True)
-    if tmp: pki['changed'].update({'ca' : tmp})
+    if len(argv) > 1 and argv[1] == 'certbot_renew':
+        pki['certbot_renew'] = {}
 
-    tmp = node_changed(conf, base + ['certificate'], key_mangling=('-', '_'), recursive=True)
-    if tmp: pki['changed'].update({'certificate' : tmp})
+    tmp = node_changed(conf, base + ['ca'], recursive=True)
+    if tmp:
+        if 'changed' not in pki: pki.update({'changed':{}})
+        pki['changed'].update({'ca' : tmp})
 
-    tmp = node_changed(conf, base + ['dh'], key_mangling=('-', '_'), recursive=True)
-    if tmp: pki['changed'].update({'dh' : tmp})
+    tmp = node_changed(conf, base + ['certificate'], recursive=True)
+    if tmp:
+        if 'changed' not in pki: pki.update({'changed':{}})
+        pki['changed'].update({'certificate' : tmp})
 
-    tmp = node_changed(conf, base + ['key-pair'], key_mangling=('-', '_'), recursive=True)
-    if tmp: pki['changed'].update({'key_pair' : tmp})
+    tmp = node_changed(conf, base + ['dh'], recursive=True)
+    if tmp:
+        if 'changed' not in pki: pki.update({'changed':{}})
+        pki['changed'].update({'dh' : tmp})
 
-    tmp = node_changed(conf, base + ['openvpn', 'shared-secret'], key_mangling=('-', '_'), recursive=True)
-    if tmp: pki['changed'].update({'openvpn' : tmp})
+    tmp = node_changed(conf, base + ['key-pair'], recursive=True)
+    if tmp:
+        if 'changed' not in pki: pki.update({'changed':{}})
+        pki['changed'].update({'key_pair' : tmp})
+
+    tmp = node_changed(conf, base + ['openvpn', 'shared-secret'], recursive=True)
+    if tmp:
+        if 'changed' not in pki: pki.update({'changed':{}})
+        pki['changed'].update({'openvpn' : tmp})
 
     # We only merge on the defaults of there is a configuration at all
     if conf.exists(base):
-        pki = conf.merge_defaults(pki, recursive=True)
+        # We have gathered the dict representation of the CLI, but there are default
+        # options which we need to update into the dictionary retrived.
+        default_values = conf.get_config_defaults(**pki.kwargs, recursive=True)
+        # remove ACME default configuration if unused by CLI
+        if 'certificate' in pki:
+            for name, cert_config in pki['certificate'].items():
+                if 'acme' not in cert_config:
+                    # Remove ACME default values
+                    del default_values['certificate'][name]['acme']
+
+        # merge CLI and default dictionary
+        pki = config_dict_merge(default_values, pki)
+
+    # Certbot triggered an external renew of the certificates.
+    # Mark all ACME based certificates as "changed" to trigger
+    # update of dependent services
+    if 'certificate' in pki and 'certbot_renew' in pki:
+        renew = []
+        for name, cert_config in pki['certificate'].items():
+            if 'acme' in cert_config:
+                renew.append(name)
+        # If triggered externally by certbot, certificate key is not present in changed
+        if 'changed' not in pki: pki.update({'changed':{}})
+        pki['changed'].update({'certificate' : renew})
 
     # We need to get the entire system configuration to verify that we are not
     # deleting a certificate that is still referenced somewhere!
@@ -119,38 +188,34 @@ def get_config(config=None):
                                          get_first_key=True,
                                          no_tag_node_value_mangle=True)
 
-    if 'changed' in pki:
-        for search in sync_search:
-            for key in search['keys']:
-                changed_key = sync_translate[key]
-
-                if changed_key not in pki['changed']:
-                    continue
-
-                for item_name in pki['changed'][changed_key]:
-                    node_present = False
-                    if changed_key == 'openvpn':
-                        node_present = dict_search_args(pki, 'openvpn', 'shared_secret', item_name)
-                    else:
-                        node_present = dict_search_args(pki, changed_key, item_name)
-
-                    if node_present:
-                        search_dict = dict_search_args(pki['system'], *search['path'])
-
-                        if not search_dict:
-                            continue
-
-                        for found_name, found_path in dict_search_recursive(search_dict, key):
-                            if found_name == item_name:
-                                path = search['path']
-                                path_str = ' '.join(path + found_path)
-                                print(f'pki: Updating config: {path_str} {found_name}')
-
-                                if path[0] == 'interfaces':
-                                    ifname = found_path[0]
-                                    set_dependents(path[1], conf, ifname)
-                                else:
-                                    set_dependents(path[1], conf)
+    for search in sync_search:
+        for key in search['keys']:
+            changed_key = sync_translate[key]
+            if 'changed' not in pki or changed_key not in pki['changed']:
+                continue
+
+            for item_name in pki['changed'][changed_key]:
+                node_present = False
+                if changed_key == 'openvpn':
+                    node_present = dict_search_args(pki, 'openvpn', 'shared_secret', item_name)
+                else:
+                    node_present = dict_search_args(pki, changed_key, item_name)
+
+                if node_present:
+                    search_dict = dict_search_args(pki['system'], *search['path'])
+                    if not search_dict:
+                        continue
+                    for found_name, found_path in dict_search_recursive(search_dict, key):
+                        if found_name == item_name:
+                            path = search['path']
+                            path_str = ' '.join(path + found_path)
+                            print(f'PKI: Updating config: {path_str} {found_name}')
+
+                            if path[0] == 'interfaces':
+                                ifname = found_path[0]
+                                set_dependents(path[1], conf, ifname)
+                            else:
+                                set_dependents(path[1], conf)
 
     return pki
 
@@ -223,6 +288,22 @@ def verify(pki):
                 if not is_valid_private_key(private['key'], protected):
                     raise ConfigError(f'Invalid private key on certificate "{name}"')
 
+            if 'acme' in cert_conf:
+                if 'domain_name' not in cert_conf['acme']:
+                    raise ConfigError(f'At least one domain-name is required to request '\
+                                    f'certificate for "{name}" via ACME!')
+
+                if 'email' not in cert_conf['acme']:
+                    raise ConfigError(f'An email address is required to request '\
+                                    f'certificate for "{name}" via ACME!')
+
+                if 'certbot_renew' not in pki:
+                    # Only run the ACME command if something on this entity changed,
+                    # as this is time intensive
+                    tmp = dict_search('changed.certificate', pki)
+                    if tmp != None and name in tmp:
+                        certbot_request(name, cert_conf['acme'])
+
     if 'dh' in pki:
         for name, dh_conf in pki['dh'].items():
             if 'parameters' in dh_conf:
@@ -283,12 +364,58 @@ def generate(pki):
     if not pki:
         return None
 
+    # Certbot renewal only needs to re-trigger the services to load up the
+    # new PEM file
+    if 'certbot_renew' in pki:
+        return None
+
+    certbot_list = []
+    certbot_list_on_disk = []
+    if os.path.exists(f'{vyos_certbot_dir}/live'):
+        certbot_list_on_disk = [f.path.split('/')[-1] for f in os.scandir(f'{vyos_certbot_dir}/live') if f.is_dir()]
+
+    if 'certificate' in pki:
+        changed_certificates = dict_search('changed.certificate', pki)
+        for name, cert_conf in pki['certificate'].items():
+            if 'acme' in cert_conf:
+                certbot_list.append(name)
+                # generate certificate if not found on disk
+                if name not in certbot_list_on_disk:
+                    certbot_request(name, cert_conf['acme'], dry_run=False)
+                elif changed_certificates != None and name in changed_certificates:
+                    # when something for the certificate changed, we should delete it
+                    if name in certbot_list_on_disk:
+                        certbot_delete(name)
+                    certbot_request(name, cert_conf['acme'], dry_run=False)
+
+    # Cleanup certbot configuration and certificates if no longer in use by CLI
+    # Get foldernames under vyos_certbot_dir which each represent a certbot cert
+    if os.path.exists(f'{vyos_certbot_dir}/live'):
+        for cert in certbot_list_on_disk:
+            if cert not in certbot_list:
+                # certificate is no longer active on the CLI - remove it
+                certbot_delete(cert)
+
     return None
 
 def apply(pki):
+    systemd_certbot_name = 'certbot.timer'
     if not pki:
+        call(f'systemctl stop {systemd_certbot_name}')
         return None
 
+    has_certbot = False
+    if 'certificate' in pki:
+        for name, cert_conf in pki['certificate'].items():
+            if 'acme' in cert_conf:
+                has_certbot = True
+                break
+
+    if not has_certbot:
+        call(f'systemctl stop {systemd_certbot_name}')
+    elif has_certbot and not is_systemd_service_active(systemd_certbot_name):
+        call(f'systemctl restart {systemd_certbot_name}')
+
     if 'changed' in pki:
         call_dependents()
 
diff --git a/src/conf_mode/policy-local-route.py b/src/conf_mode/policy-local-route.py
deleted file mode 100755
index 79526f82a..000000000
--- a/src/conf_mode/policy-local-route.py
+++ /dev/null
@@ -1,222 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020-2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import os
-
-from sys import exit
-
-from netifaces import interfaces
-from vyos.config import Config
-from vyos.configdict import dict_merge
-from vyos.configdict import node_changed
-from vyos.configdict import leaf_node_changed
-from vyos.template import render
-from vyos.utils.process import call
-from vyos import ConfigError
-from vyos import airbag
-airbag.enable()
-
-
-def get_config(config=None):
-
-    if config:
-        conf = config
-    else:
-        conf = Config()
-    base = ['policy']
-
-    pbr = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
-
-    for route in ['local_route', 'local_route6']:
-        dict_id = 'rule_remove' if route == 'local_route' else 'rule6_remove'
-        route_key = 'local-route' if route == 'local_route' else 'local-route6'
-        base_rule = base + [route_key, 'rule']
-
-        # delete policy local-route
-        dict = {}
-        tmp = node_changed(conf, base_rule, key_mangling=('-', '_'))
-        if tmp:
-            for rule in (tmp or []):
-                src = leaf_node_changed(conf, base_rule + [rule, 'source'])
-                fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark'])
-                iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface'])
-                dst = leaf_node_changed(conf, base_rule + [rule, 'destination'])
-                rule_def = {}
-                if src:
-                    rule_def = dict_merge({'source' : src}, rule_def)
-                if fwmk:
-                    rule_def = dict_merge({'fwmark' : fwmk}, rule_def)
-                if iif:
-                    rule_def = dict_merge({'inbound_interface' : iif}, rule_def)
-                if dst:
-                    rule_def = dict_merge({'destination' : dst}, rule_def)
-                dict = dict_merge({dict_id : {rule : rule_def}}, dict)
-                pbr.update(dict)
-
-        if not route in pbr:
-            continue
-
-        # delete policy local-route rule x source x.x.x.x
-        # delete policy local-route rule x fwmark x
-        # delete policy local-route rule x destination x.x.x.x
-        if 'rule' in pbr[route]:
-            for rule, rule_config in pbr[route]['rule'].items():
-                src = leaf_node_changed(conf, base_rule + [rule, 'source'])
-                fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark'])
-                iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface'])
-                dst = leaf_node_changed(conf, base_rule + [rule, 'destination'])
-                # keep track of changes in configuration
-                # otherwise we might remove an existing node although nothing else has changed
-                changed = False
-
-                rule_def = {}
-                # src is None if there are no changes to src
-                if src is None:
-                    # if src hasn't changed, include it in the removal selector
-                    # if a new selector is added, we have to remove all previous rules without this selector
-                    # to make sure we remove all previous rules with this source(s), it will be included
-                    if 'source' in rule_config:
-                        rule_def = dict_merge({'source': rule_config['source']}, rule_def)
-                else:
-                    # if src is not None, it's previous content will be returned
-                    # this can be an empty array if it's just being set, or the previous value
-                    # either way, something has to be changed and we only want to remove previous values
-                    changed = True
-                    # set the old value for removal if it's not empty
-                    if len(src) > 0:
-                        rule_def = dict_merge({'source' : src}, rule_def)
-                if fwmk is None:
-                    if 'fwmark' in rule_config:
-                        rule_def = dict_merge({'fwmark': rule_config['fwmark']}, rule_def)
-                else:
-                    changed = True
-                    if len(fwmk) > 0:
-                        rule_def = dict_merge({'fwmark' : fwmk}, rule_def)
-                if iif is None:
-                    if 'inbound_interface' in rule_config:
-                        rule_def = dict_merge({'inbound_interface': rule_config['inbound_interface']}, rule_def)
-                else:
-                    changed = True
-                    if len(iif) > 0:
-                        rule_def = dict_merge({'inbound_interface' : iif}, rule_def)
-                if dst is None:
-                    if 'destination' in rule_config:
-                        rule_def = dict_merge({'destination': rule_config['destination']}, rule_def)
-                else:
-                    changed = True
-                    if len(dst) > 0:
-                        rule_def = dict_merge({'destination' : dst}, rule_def)
-                if changed:
-                    dict = dict_merge({dict_id : {rule : rule_def}}, dict)
-                    pbr.update(dict)
-
-    return pbr
-
-def verify(pbr):
-    # bail out early - looks like removal from running config
-    if not pbr:
-        return None
-
-    for route in ['local_route', 'local_route6']:
-        if not route in pbr:
-            continue
-
-        pbr_route = pbr[route]
-        if 'rule' in pbr_route:
-            for rule in pbr_route['rule']:
-                if 'source' not in pbr_route['rule'][rule] \
-                        and 'destination' not in pbr_route['rule'][rule] \
-                        and 'fwmark' not in pbr_route['rule'][rule] \
-                        and 'inbound_interface' not in pbr_route['rule'][rule]:
-                    raise ConfigError('Source or destination address or fwmark or inbound-interface is required!')
-                else:
-                    if 'set' not in pbr_route['rule'][rule] or 'table' not in pbr_route['rule'][rule]['set']:
-                        raise ConfigError('Table set is required!')
-                    if 'inbound_interface' in pbr_route['rule'][rule]:
-                        interface = pbr_route['rule'][rule]['inbound_interface']
-                        if interface not in interfaces():
-                            raise ConfigError(f'Interface "{interface}" does not exist')
-
-    return None
-
-def generate(pbr):
-    if not pbr:
-        return None
-
-    return None
-
-def apply(pbr):
-    if not pbr:
-        return None
-
-    # Delete old rule if needed
-    for rule_rm in ['rule_remove', 'rule6_remove']:
-        if rule_rm in pbr:
-            v6 = " -6" if rule_rm == 'rule6_remove' else ""
-            for rule, rule_config in pbr[rule_rm].items():
-                rule_config['source'] = rule_config['source'] if 'source' in rule_config else ['']
-                for src in rule_config['source']:
-                    f_src = '' if src == '' else f' from {src} '
-                    rule_config['destination'] = rule_config['destination'] if 'destination' in rule_config else ['']
-                    for dst in rule_config['destination']:
-                        f_dst = '' if dst == '' else f' to {dst} '
-                        rule_config['fwmark'] = rule_config['fwmark'] if 'fwmark' in rule_config else ['']
-                        for fwmk in rule_config['fwmark']:
-                            f_fwmk = '' if fwmk == '' else f' fwmark {fwmk} '
-                            rule_config['inbound_interface'] = rule_config['inbound_interface'] if 'inbound_interface' in rule_config else ['']
-                            for iif in rule_config['inbound_interface']:
-                                f_iif = '' if iif == '' else f' iif {iif} '
-                                call(f'ip{v6} rule del prio {rule} {f_src}{f_dst}{f_fwmk}{f_iif}')
-
-    # Generate new config
-    for route in ['local_route', 'local_route6']:
-        if not route in pbr:
-            continue
-
-        v6 = " -6" if route == 'local_route6' else ""
-
-        pbr_route = pbr[route]
-        if 'rule' in pbr_route:
-            for rule, rule_config in pbr_route['rule'].items():
-                table = rule_config['set']['table']
-
-                rule_config['source'] = rule_config['source'] if 'source' in rule_config else ['all']
-                for src in rule_config['source'] or ['all']:
-                    f_src = '' if src == '' else f' from {src} '
-                    rule_config['destination'] = rule_config['destination'] if 'destination' in rule_config else ['all']
-                    for dst in rule_config['destination']:
-                        f_dst = '' if dst == '' else f' to {dst} '
-                        f_fwmk = ''
-                        if 'fwmark' in rule_config:
-                            fwmk = rule_config['fwmark']
-                            f_fwmk = f' fwmark {fwmk} '
-                        f_iif = ''
-                        if 'inbound_interface' in rule_config:
-                            iif = rule_config['inbound_interface']
-                            f_iif = f' iif {iif} '
-                        call(f'ip{v6} rule add prio {rule} {f_src}{f_dst}{f_fwmk}{f_iif} lookup {table}')
-
-    return None
-
-if __name__ == '__main__':
-    try:
-        c = get_config()
-        verify(c)
-        generate(c)
-        apply(c)
-    except ConfigError as e:
-        print(e)
-        exit(1)
diff --git a/src/conf_mode/policy_local-route.py b/src/conf_mode/policy_local-route.py
new file mode 100755
index 000000000..91e4fce2c
--- /dev/null
+++ b/src/conf_mode/policy_local-route.py
@@ -0,0 +1,315 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from itertools import product
+from sys import exit
+
+from netifaces import interfaces
+from vyos.config import Config
+from vyos.configdict import dict_merge
+from vyos.configdict import node_changed
+from vyos.configdict import leaf_node_changed
+from vyos.template import render
+from vyos.utils.process import call
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+
+def get_config(config=None):
+
+    if config:
+        conf = config
+    else:
+        conf = Config()
+    base = ['policy']
+
+    pbr = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+
+    for route in ['local_route', 'local_route6']:
+        dict_id = 'rule_remove' if route == 'local_route' else 'rule6_remove'
+        route_key = 'local-route' if route == 'local_route' else 'local-route6'
+        base_rule = base + [route_key, 'rule']
+
+        # delete policy local-route
+        dict = {}
+        tmp = node_changed(conf, base_rule, key_mangling=('-', '_'))
+        if tmp:
+            for rule in (tmp or []):
+                src = leaf_node_changed(conf, base_rule + [rule, 'source', 'address'])
+                src_port = leaf_node_changed(conf, base_rule + [rule, 'source', 'port'])
+                fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark'])
+                iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface'])
+                dst = leaf_node_changed(conf, base_rule + [rule, 'destination', 'address'])
+                dst_port = leaf_node_changed(conf, base_rule + [rule, 'destination', 'port'])
+                table = leaf_node_changed(conf, base_rule + [rule, 'set', 'table'])
+                proto = leaf_node_changed(conf, base_rule + [rule, 'protocol'])
+                rule_def = {}
+                if src:
+                    rule_def = dict_merge({'source': {'address': src}}, rule_def)
+                if src_port:
+                    rule_def = dict_merge({'source': {'port': src_port}}, rule_def)
+                if fwmk:
+                    rule_def = dict_merge({'fwmark' : fwmk}, rule_def)
+                if iif:
+                    rule_def = dict_merge({'inbound_interface' : iif}, rule_def)
+                if dst:
+                    rule_def = dict_merge({'destination': {'address': dst}}, rule_def)
+                if dst_port:
+                    rule_def = dict_merge({'destination': {'port': dst_port}}, rule_def)
+                if table:
+                    rule_def = dict_merge({'table' : table}, rule_def)
+                if proto:
+                    rule_def = dict_merge({'protocol' : proto}, rule_def)
+                dict = dict_merge({dict_id : {rule : rule_def}}, dict)
+                pbr.update(dict)
+
+        if not route in pbr:
+            continue
+
+        # delete policy local-route rule x source x.x.x.x
+        # delete policy local-route rule x fwmark x
+        # delete policy local-route rule x destination x.x.x.x
+        if 'rule' in pbr[route]:
+            for rule, rule_config in pbr[route]['rule'].items():
+                src = leaf_node_changed(conf, base_rule + [rule, 'source', 'address'])
+                src_port = leaf_node_changed(conf, base_rule + [rule, 'source', 'port'])
+                fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark'])
+                iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface'])
+                dst = leaf_node_changed(conf, base_rule + [rule, 'destination', 'address'])
+                dst_port = leaf_node_changed(conf, base_rule + [rule, 'destination', 'port'])
+                table = leaf_node_changed(conf, base_rule + [rule, 'set', 'table'])
+                proto = leaf_node_changed(conf, base_rule + [rule, 'protocol'])
+                # keep track of changes in configuration
+                # otherwise we might remove an existing node although nothing else has changed
+                changed = False
+
+                rule_def = {}
+                # src is None if there are no changes to src
+                if src is None:
+                    # if src hasn't changed, include it in the removal selector
+                    # if a new selector is added, we have to remove all previous rules without this selector
+                    # to make sure we remove all previous rules with this source(s), it will be included
+                    if 'source' in rule_config:
+                        if 'address' in rule_config['source']:
+                            rule_def = dict_merge({'source': {'address': rule_config['source']['address']}}, rule_def)
+                else:
+                    # if src is not None, it's previous content will be returned
+                    # this can be an empty array if it's just being set, or the previous value
+                    # either way, something has to be changed and we only want to remove previous values
+                    changed = True
+                    # set the old value for removal if it's not empty
+                    if len(src) > 0:
+                        rule_def = dict_merge({'source': {'address': src}}, rule_def)
+
+                # source port
+                if src_port is None:
+                    if 'source' in rule_config:
+                        if 'port' in rule_config['source']:
+                            tmp = rule_config['source']['port']
+                            if isinstance(tmp, str):
+                                tmp = [tmp]
+                            rule_def = dict_merge({'source': {'port': tmp}}, rule_def)
+                else:
+                    changed = True
+                    if len(src_port) > 0:
+                        rule_def = dict_merge({'source': {'port': src_port}}, rule_def)
+
+                # fwmark
+                if fwmk is None:
+                    if 'fwmark' in rule_config:
+                        tmp = rule_config['fwmark']
+                        if isinstance(tmp, str):
+                            tmp = [tmp]
+                        rule_def = dict_merge({'fwmark': tmp}, rule_def)
+                else:
+                    changed = True
+                    if len(fwmk) > 0:
+                        rule_def = dict_merge({'fwmark' : fwmk}, rule_def)
+
+                # inbound-interface
+                if iif is None:
+                    if 'inbound_interface' in rule_config:
+                        rule_def = dict_merge({'inbound_interface': rule_config['inbound_interface']}, rule_def)
+                else:
+                    changed = True
+                    if len(iif) > 0:
+                        rule_def = dict_merge({'inbound_interface' : iif}, rule_def)
+
+                # destination address
+                if dst is None:
+                    if 'destination' in rule_config:
+                        if 'address' in rule_config['destination']:
+                            rule_def = dict_merge({'destination': {'address': rule_config['destination']['address']}}, rule_def)
+                else:
+                    changed = True
+                    if len(dst) > 0:
+                        rule_def = dict_merge({'destination': {'address': dst}}, rule_def)
+
+                # destination port
+                if dst_port is None:
+                    if 'destination' in rule_config:
+                        if 'port' in rule_config['destination']:
+                            tmp = rule_config['destination']['port']
+                            if isinstance(tmp, str):
+                                tmp = [tmp]
+                            rule_def = dict_merge({'destination': {'port': tmp}}, rule_def)
+                else:
+                    changed = True
+                    if len(dst_port) > 0:
+                        rule_def = dict_merge({'destination': {'port': dst_port}}, rule_def)
+
+                # table
+                if table is None:
+                    if 'set' in rule_config and 'table' in rule_config['set']:
+                        rule_def = dict_merge({'table': [rule_config['set']['table']]}, rule_def)
+                else:
+                    changed = True
+                    if len(table) > 0:
+                        rule_def = dict_merge({'table' : table}, rule_def)
+
+                # protocol
+                if proto is None:
+                    if 'protocol' in rule_config:
+                        tmp = rule_config['protocol']
+                        if isinstance(tmp, str):
+                            tmp = [tmp]
+                        rule_def = dict_merge({'protocol': tmp}, rule_def)
+                else:
+                    changed = True
+                    if len(proto) > 0:
+                        rule_def = dict_merge({'protocol' : proto}, rule_def)
+
+                if changed:
+                    dict = dict_merge({dict_id : {rule : rule_def}}, dict)
+                    pbr.update(dict)
+
+    return pbr
+
+def verify(pbr):
+    # bail out early - looks like removal from running config
+    if not pbr:
+        return None
+
+    for route in ['local_route', 'local_route6']:
+        if not route in pbr:
+            continue
+
+        pbr_route = pbr[route]
+        if 'rule' in pbr_route:
+            for rule in pbr_route['rule']:
+                if (
+                    'source' not in pbr_route['rule'][rule] and
+                    'destination' not in pbr_route['rule'][rule] and
+                    'fwmark' not in pbr_route['rule'][rule] and
+                    'inbound_interface' not in pbr_route['rule'][rule] and
+                    'protocol' not in pbr_route['rule'][rule]
+                ):
+                    raise ConfigError('Source or destination address or fwmark or inbound-interface or protocol is required!')
+
+                if 'set' not in pbr_route['rule'][rule] or 'table' not in pbr_route['rule'][rule]['set']:
+                    raise ConfigError('Table set is required!')
+
+                if 'inbound_interface' in pbr_route['rule'][rule]:
+                    interface = pbr_route['rule'][rule]['inbound_interface']
+                    if interface not in interfaces():
+                        raise ConfigError(f'Interface "{interface}" does not exist')
+
+    return None
+
+def generate(pbr):
+    if not pbr:
+        return None
+
+    return None
+
+def apply(pbr):
+    if not pbr:
+        return None
+
+    # Delete old rule if needed
+    for rule_rm in ['rule_remove', 'rule6_remove']:
+        if rule_rm in pbr:
+            v6 = " -6" if rule_rm == 'rule6_remove' else ""
+
+            for rule, rule_config in pbr[rule_rm].items():
+                source = rule_config.get('source', {}).get('address', [''])
+                source_port = rule_config.get('source', {}).get('port', [''])
+                destination = rule_config.get('destination', {}).get('address', [''])
+                destination_port = rule_config.get('destination', {}).get('port', [''])
+                fwmark = rule_config.get('fwmark', [''])
+                inbound_interface = rule_config.get('inbound_interface', [''])
+                protocol = rule_config.get('protocol', [''])
+                table = rule_config.get('table', [''])
+
+                for src, dst, src_port, dst_port, fwmk, iif, proto, table in product(
+                        source, destination, source_port, destination_port,
+                        fwmark, inbound_interface, protocol, table):
+                    f_src = '' if src == '' else f' from {src} '
+                    f_src_port = '' if src_port == '' else f' sport {src_port} '
+                    f_dst = '' if dst == '' else f' to {dst} '
+                    f_dst_port = '' if dst_port == '' else f' dport {dst_port} '
+                    f_fwmk = '' if fwmk == '' else f' fwmark {fwmk} '
+                    f_iif = '' if iif == '' else f' iif {iif} '
+                    f_proto = '' if proto == '' else f' ipproto {proto} '
+                    f_table = '' if table == '' else f' lookup {table} '
+
+                    call(f'ip{v6} rule del prio {rule} {f_src}{f_dst}{f_proto}{f_src_port}{f_dst_port}{f_fwmk}{f_iif}{f_table}')
+
+    # Generate new config
+    for route in ['local_route', 'local_route6']:
+        if not route in pbr:
+            continue
+
+        v6 = " -6" if route == 'local_route6' else ""
+        pbr_route = pbr[route]
+
+        if 'rule' in pbr_route:
+            for rule, rule_config in pbr_route['rule'].items():
+                table = rule_config['set'].get('table', '')
+                source = rule_config.get('source', {}).get('address', ['all'])
+                source_port = rule_config.get('source', {}).get('port', '')
+                destination = rule_config.get('destination', {}).get('address', ['all'])
+                destination_port = rule_config.get('destination', {}).get('port', '')
+                fwmark = rule_config.get('fwmark', '')
+                inbound_interface = rule_config.get('inbound_interface', '')
+                protocol = rule_config.get('protocol', '')
+
+                for src in source:
+                    f_src = f' from {src} ' if src else ''
+                    for dst in destination:
+                        f_dst = f' to {dst} ' if dst else ''
+                        f_src_port = f' sport {source_port} ' if source_port else ''
+                        f_dst_port = f' dport {destination_port} ' if destination_port else ''
+                        f_fwmk = f' fwmark {fwmark} ' if fwmark else ''
+                        f_iif = f' iif {inbound_interface} ' if inbound_interface else ''
+                        f_proto = f' ipproto {protocol} ' if protocol else ''
+
+                        call(f'ip{v6} rule add prio {rule}{f_src}{f_dst}{f_proto}{f_src_port}{f_dst_port}{f_fwmk}{f_iif} lookup {table}')
+
+    return None
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy_route.py
index adad012de..adad012de 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy_route.py
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index 00015023c..bf807fa5f 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -30,6 +30,7 @@ from vyos.template import render_to_string
 from vyos.utils.dict import dict_search
 from vyos.utils.network import get_interface_vrf
 from vyos.utils.network import is_addr_assigned
+from vyos.utils.process import process_named_running
 from vyos import ConfigError
 from vyos import frr
 from vyos import airbag
@@ -49,8 +50,13 @@ def get_config(config=None):
 
     # eqivalent of the C foo ? 'a' : 'b' statement
     base = vrf and ['vrf', 'name', vrf, 'protocols', 'bgp'] or base_path
-    bgp = conf.get_config_dict(base, key_mangling=('-', '_'),
-                               get_first_key=True, no_tag_node_value_mangle=True)
+    bgp = conf.get_config_dict(
+        base,
+        key_mangling=('-', '_'),
+        get_first_key=True,
+        no_tag_node_value_mangle=True,
+        with_recursive_defaults=True,
+    )
 
     bgp['dependent_vrfs'] = conf.get_config_dict(['vrf', 'name'],
                                                  key_mangling=('-', '_'),
@@ -93,6 +99,7 @@ def get_config(config=None):
     tmp = conf.get_config_dict(['policy'])
     # Merge policy dict into "regular" config dict
     bgp = dict_merge(tmp, bgp)
+
     return bgp
 
 
@@ -246,6 +253,19 @@ def verify(bgp):
     if 'system_as' not in bgp:
         raise ConfigError('BGP system-as number must be defined!')
 
+    # Verify BMP
+    if 'bmp' in bgp:
+        # check bmp flag "bgpd -d -F traditional --daemon -A 127.0.0.1 -M rpki -M bmp"
+        if not process_named_running('bgpd', 'bmp'):
+            raise ConfigError(
+                f'"bmp" flag is not found in bgpd. Configure "set system frr bmp" and restart bgp process'
+            )
+        # check bmp target
+        if 'target' in bgp['bmp']:
+            for target, target_config in bgp['bmp']['target'].items():
+                if 'address' not in target_config:
+                    raise ConfigError(f'BMP target "{target}" address must be defined!')
+
     # Verify vrf on interface and bgp section
     if 'interface' in bgp:
         for interface in bgp['interface']:
diff --git a/src/conf_mode/igmp_proxy.py b/src/conf_mode/protocols_igmp-proxy.py
index 40db417dd..40db417dd 100755
--- a/src/conf_mode/igmp_proxy.py
+++ b/src/conf_mode/protocols_igmp-proxy.py
diff --git a/src/conf_mode/protocols_igmp.py b/src/conf_mode/protocols_igmp.py
deleted file mode 100755
index 435189025..000000000
--- a/src/conf_mode/protocols_igmp.py
+++ /dev/null
@@ -1,140 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020-2023 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import os
-
-from ipaddress import IPv4Address
-from sys import exit
-
-from vyos import ConfigError
-from vyos.config import Config
-from vyos.utils.process import process_named_running
-from vyos.utils.process import call
-from vyos.template import render
-from signal import SIGTERM
-
-from vyos import airbag
-airbag.enable()
-
-# Required to use the full path to pimd, in another case daemon will not be started
-pimd_cmd = f'/usr/lib/frr/pimd -d -F traditional --daemon -A 127.0.0.1'
-
-config_file = r'/tmp/igmp.frr'
-
-def get_config(config=None):
-    if config:
-        conf = config
-    else:
-        conf = Config()
-    igmp_conf = {
-        'igmp_conf' : False,
-        'pim_conf'  : False,
-        'igmp_proxy_conf' : False,
-        'old_ifaces'    : {},
-        'ifaces'    : {}
-    }
-    if not (conf.exists('protocols igmp') or conf.exists_effective('protocols igmp')):
-        return None
-
-    if conf.exists('protocols igmp-proxy'):
-        igmp_conf['igmp_proxy_conf'] = True
-
-    if conf.exists('protocols pim'):
-        igmp_conf['pim_conf'] = True
-
-    if conf.exists('protocols igmp'):
-        igmp_conf['igmp_conf'] = True
-
-    conf.set_level('protocols igmp')
-
-    # # Get interfaces
-    for iface in conf.list_effective_nodes('interface'):
-        igmp_conf['old_ifaces'].update({
-            iface : {
-                'version' : conf.return_effective_value('interface {0} version'.format(iface)),
-                'query_interval' : conf.return_effective_value('interface {0} query-interval'.format(iface)),
-                'query_max_resp_time' : conf.return_effective_value('interface {0} query-max-response-time'.format(iface)),
-                'gr_join' : {}
-            }
-        })
-        for gr_join in conf.list_effective_nodes('interface {0} join'.format(iface)):
-            igmp_conf['old_ifaces'][iface]['gr_join'][gr_join] = conf.return_effective_values('interface {0} join {1} source'.format(iface, gr_join))
-
-    for iface in conf.list_nodes('interface'):
-        igmp_conf['ifaces'].update({
-            iface : {
-                'version' : conf.return_value('interface {0} version'.format(iface)),
-                'query_interval' : conf.return_value('interface {0} query-interval'.format(iface)),
-                'query_max_resp_time' : conf.return_value('interface {0} query-max-response-time'.format(iface)),
-                'gr_join' : {}
-            }
-        })
-        for gr_join in conf.list_nodes('interface {0} join'.format(iface)):
-            igmp_conf['ifaces'][iface]['gr_join'][gr_join] = conf.return_values('interface {0} join {1} source'.format(iface, gr_join))
-
-    return igmp_conf
-
-def verify(igmp):
-    if igmp is None:
-        return None
-
-    if igmp['igmp_conf']:
-        # Check conflict with IGMP-Proxy
-        if igmp['igmp_proxy_conf']:
-            raise ConfigError(f"IGMP proxy and PIM cannot be both configured at the same time")
-
-        # Check interfaces
-        if not igmp['ifaces']:
-            raise ConfigError(f"IGMP require defined interfaces!")
-        # Check, is this multicast group
-        for intfc in igmp['ifaces']:
-            for gr_addr in igmp['ifaces'][intfc]['gr_join']:
-                if not IPv4Address(gr_addr).is_multicast:
-                    raise ConfigError(gr_addr + " not a multicast group")
-
-def generate(igmp):
-    if igmp is None:
-        return None
-
-    render(config_file, 'frr/igmp.frr.j2', igmp)
-    return None
-
-def apply(igmp):
-    if igmp is None:
-        return None
-
-    pim_pid = process_named_running('pimd')
-    if igmp['igmp_conf'] or igmp['pim_conf']:
-        if not pim_pid:
-            call(pimd_cmd)
-
-        if os.path.exists(config_file):
-            call(f'vtysh -d pimd -f {config_file}')
-            os.remove(config_file)
-    elif pim_pid:
-        os.kill(int(pim_pid), SIGTERM)
-
-    return None
-
-if __name__ == '__main__':
-    try:
-        c = get_config()
-        verify(c)
-        generate(c)
-        apply(c)
-    except ConfigError as e:
-        print(e)
-        exit(1)
diff --git a/src/conf_mode/protocols_isis.py b/src/conf_mode/protocols_isis.py
index e00c58ee4..8d594bb68 100755
--- a/src/conf_mode/protocols_isis.py
+++ b/src/conf_mode/protocols_isis.py
@@ -48,7 +48,8 @@ def get_config(config=None):
     # eqivalent of the C foo ? 'a' : 'b' statement
     base = vrf and ['vrf', 'name', vrf, 'protocols', 'isis'] or base_path
     isis = conf.get_config_dict(base, key_mangling=('-', '_'),
-                                get_first_key=True)
+                                get_first_key=True,
+                                no_tag_node_value_mangle=True)
 
     # Assign the name of our VRF context. This MUST be done before the return
     # statement below, else on deletion we will delete the default instance
@@ -219,6 +220,51 @@ def verify(isis):
                 if ("explicit_null" in prefix_config['index']) and ("no_php_flag" in prefix_config['index']):
                     raise ConfigError(f'Segment routing prefix {prefix} cannot have both explicit-null '\
                                       f'and no-php-flag configured at the same time.')
+ 
+    # Check for index ranges being larger than the segment routing global block    
+    if dict_search('segment_routing.global_block', isis):
+        g_high_label_value = dict_search('segment_routing.global_block.high_label_value', isis)
+        g_low_label_value = dict_search('segment_routing.global_block.low_label_value', isis)
+        g_label_difference = int(g_high_label_value) - int(g_low_label_value)
+        if dict_search('segment_routing.prefix', isis):
+            for prefix, prefix_config in isis['segment_routing']['prefix'].items():
+                if 'index' in prefix_config:
+                    index_size = isis['segment_routing']['prefix'][prefix]['index']['value']
+                    if int(index_size) > int(g_label_difference):
+                        raise ConfigError(f'Segment routing prefix {prefix} cannot have an '\
+                                          f'index base size larger than the SRGB label base.')
+            
+    # Check for LFA tiebreaker index duplication
+    if dict_search('fast_reroute.lfa.local.tiebreaker', isis):
+        comparison_dictionary = {}
+        for item, item_options in isis['fast_reroute']['lfa']['local']['tiebreaker'].items():
+            for index, index_options in item_options.items():
+                for index_value, index_value_options in index_options.items():
+                    if index_value not in comparison_dictionary.keys():
+                        comparison_dictionary[index_value] = [item]
+                    else:
+                        comparison_dictionary[index_value].append(item)
+        for index, index_length in comparison_dictionary.items():
+            if int(len(index_length)) > 1:
+                raise ConfigError(f'LFA index {index} cannot have more than one tiebreaker configured.')
+
+    # Check for LFA priority-limit configured multiple times per level
+    if dict_search('fast_reroute.lfa.local.priority_limit', isis):
+        comparison_dictionary = {}
+        for priority, priority_options in isis['fast_reroute']['lfa']['local']['priority_limit'].items():
+            for level, level_options in priority_options.items():
+                if level not in comparison_dictionary.keys():
+                    comparison_dictionary[level] = [priority]
+                else:
+                    comparison_dictionary[level].append(priority)
+            for level, level_length in comparison_dictionary.items():
+                if int(len(level_length)) > 1:
+                    raise ConfigError(f'LFA priority-limit on {level.replace("_", "-")} cannot have more than one priority configured.')
+
+    # Check for LFA remote prefix list configured with more than one list
+    if dict_search('fast_reroute.lfa.remote.prefix_list', isis):
+        if int(len(isis['fast_reroute']['lfa']['remote']['prefix_list'].items())) > 1:
+            raise ConfigError(f'LFA remote prefix-list has more than one configured. Cannot have more than one configured.')
 
     return None
 
@@ -265,4 +311,4 @@ if __name__ == '__main__':
         apply(c)
     except ConfigError as e:
         print(e)
-        exit(1)
+        exit(1)
\ No newline at end of file
diff --git a/src/conf_mode/protocols_nhrp.py b/src/conf_mode/protocols_nhrp.py
index 5ec0bc9e5..c339c6391 100755
--- a/src/conf_mode/protocols_nhrp.py
+++ b/src/conf_mode/protocols_nhrp.py
@@ -37,7 +37,7 @@ def get_config(config=None):
 
     nhrp = conf.get_config_dict(base, key_mangling=('-', '_'),
                                 get_first_key=True, no_tag_node_value_mangle=True)
-    nhrp['del_tunnels'] = node_changed(conf, base + ['tunnel'], key_mangling=('-', '_'))
+    nhrp['del_tunnels'] = node_changed(conf, base + ['tunnel'])
 
     if not conf.exists(base):
         return nhrp
diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py
index cddd3765e..198d78ee0 100755
--- a/src/conf_mode/protocols_ospf.py
+++ b/src/conf_mode/protocols_ospf.py
@@ -215,6 +215,19 @@ def verify(ospf):
                     raise ConfigError(f'Segment routing prefix {prefix} cannot have both explicit-null '\
                                       f'and no-php-flag configured at the same time.')
 
+    # Check for index ranges being larger than the segment routing global block    
+    if dict_search('segment_routing.global_block', ospf):
+        g_high_label_value = dict_search('segment_routing.global_block.high_label_value', ospf)
+        g_low_label_value = dict_search('segment_routing.global_block.low_label_value', ospf)
+        g_label_difference = int(g_high_label_value) - int(g_low_label_value)
+        if dict_search('segment_routing.prefix', ospf):
+            for prefix, prefix_config in ospf['segment_routing']['prefix'].items():
+                if 'index' in prefix_config:
+                    index_size = ospf['segment_routing']['prefix'][prefix]['index']['value']
+                    if int(index_size) > int(g_label_difference):
+                        raise ConfigError(f'Segment routing prefix {prefix} cannot have an '\
+                                          f'index base size larger than the SRGB label base.')
+
     # Check route summarisation
     if 'summary_address' in ospf:
         for prefix, prefix_options in ospf['summary_address'].items():
diff --git a/src/conf_mode/protocols_pim.py b/src/conf_mode/protocols_pim.py
index 0aaa0d2c6..09c3be8df 100755
--- a/src/conf_mode/protocols_pim.py
+++ b/src/conf_mode/protocols_pim.py
@@ -16,144 +16,139 @@
 
 import os
 
-from ipaddress import IPv4Address
+from ipaddress import IPv4Network
+from signal import SIGTERM
 from sys import exit
 
 from vyos.config import Config
-from vyos import ConfigError
+from vyos.config import config_dict_merge
+from vyos.configdict import node_changed
+from vyos.configverify import verify_interface_exists
 from vyos.utils.process import process_named_running
 from vyos.utils.process import call
-from vyos.template import render
-from signal import SIGTERM
-
+from vyos.template import render_to_string
+from vyos import ConfigError
+from vyos import frr
 from vyos import airbag
 airbag.enable()
 
-# Required to use the full path to pimd, in another case daemon will not be started
-pimd_cmd = f'/usr/lib/frr/pimd -d -F traditional --daemon -A 127.0.0.1'
-
-config_file = r'/tmp/pimd.frr'
-
 def get_config(config=None):
     if config:
         conf = config
     else:
         conf = Config()
-    pim_conf = {
-        'pim_conf' : False,
-        'igmp_conf' : False,
-        'igmp_proxy_conf' : False,
-        'old_pim' : {
-            'ifaces' : {},
-            'rp'     : {}
-        },
-        'pim' : {
-            'ifaces' : {},
-            'rp'     : {}
-        }
-    }
-    if not (conf.exists('protocols pim') or conf.exists_effective('protocols pim')):
-        return None
-
-    if conf.exists('protocols igmp-proxy'):
-        pim_conf['igmp_proxy_conf'] = True
-
-    if conf.exists('protocols igmp'):
-        pim_conf['igmp_conf'] = True
-
-    if conf.exists('protocols pim'):
-        pim_conf['pim_conf'] = True
-
-    conf.set_level('protocols pim')
-
-    # Get interfaces
-    for iface in conf.list_effective_nodes('interface'):
-        pim_conf['old_pim']['ifaces'].update({
-            iface : {
-                'hello' : conf.return_effective_value('interface {0} hello'.format(iface)),
-                'dr_prio' : conf.return_effective_value('interface {0} dr-priority'.format(iface))
-            }
-        })
 
-    for iface in conf.list_nodes('interface'):
-        pim_conf['pim']['ifaces'].update({
-            iface : {
-                'hello' : conf.return_value('interface {0} hello'.format(iface)),
-                'dr_prio' : conf.return_value('interface {0} dr-priority'.format(iface)),
-            }
-        })
-
-    conf.set_level('protocols pim rp')
-
-    # Get RPs addresses
-    for rp_addr in conf.list_effective_nodes('address'):
-        pim_conf['old_pim']['rp'][rp_addr] = conf.return_effective_values('address {0} group'.format(rp_addr))
-
-    for rp_addr in conf.list_nodes('address'):
-        pim_conf['pim']['rp'][rp_addr] = conf.return_values('address {0} group'.format(rp_addr))
-
-    # Get RP keep-alive-timer
-    if conf.exists_effective('rp keep-alive-timer'):
-        pim_conf['old_pim']['rp_keep_alive'] = conf.return_effective_value('rp keep-alive-timer')
-    if conf.exists('rp keep-alive-timer'):
-        pim_conf['pim']['rp_keep_alive'] = conf.return_value('rp keep-alive-timer')
-
-    return pim_conf
+    base = ['protocols', 'pim']
+
+    pim = conf.get_config_dict(base, key_mangling=('-', '_'),
+                               get_first_key=True, no_tag_node_value_mangle=True)
+
+    # We can not run both IGMP proxy and PIM at the same time - get IGMP
+    # proxy status
+    if conf.exists(['protocols', 'igmp-proxy']):
+        pim.update({'igmp_proxy_enabled' : {}})
+
+    # FRR has VRF support for different routing daemons. As interfaces belong
+    # to VRFs - or the global VRF, we need to check for changed interfaces so
+    # that they will be properly rendered for the FRR config. Also this eases
+    # removal of interfaces from the running configuration.
+    interfaces_removed = node_changed(conf, base + ['interface'])
+    if interfaces_removed:
+        pim['interface_removed'] = list(interfaces_removed)
+
+    # Bail out early if configuration tree does no longer exist. this must
+    # be done after retrieving the list of interfaces to be removed.
+    if not conf.exists(base):
+        pim.update({'deleted' : ''})
+        return pim
+
+    # We have gathered the dict representation of the CLI, but there are default
+    # options which we need to update into the dictionary retrived.
+    default_values = conf.get_config_defaults(**pim.kwargs, recursive=True)
+
+    # We have to cleanup the default dict, as default values could enable features
+    # which are not explicitly enabled on the CLI. Example: default-information
+    # originate comes with a default metric-type of 2, which will enable the
+    # entire default-information originate tree, even when not set via CLI so we
+    # need to check this first and probably drop that key.
+    for interface in pim.get('interface', []):
+        # We need to reload the defaults on every pass b/c of
+        # hello-multiplier dependency on dead-interval
+        # If hello-multiplier is set, we need to remove the default from
+        # dead-interval.
+        if 'igmp' not in pim['interface'][interface]:
+            del default_values['interface'][interface]['igmp']
+
+    pim = config_dict_merge(default_values, pim)
+    return pim
 
 def verify(pim):
-    if pim is None:
+    if not pim or 'deleted' in pim:
         return None
 
-    if pim['pim_conf']:
-        # Check conflict with IGMP-Proxy
-        if pim['igmp_proxy_conf']:
-            raise ConfigError(f"IGMP proxy and PIM cannot be both configured at the same time")
-
-        # Check interfaces
-        if not pim['pim']['ifaces']:
-            raise ConfigError(f"PIM require defined interfaces!")
+    if 'igmp_proxy_enabled' in pim:
+        raise ConfigError('IGMP proxy and PIM cannot be configured at the same time!')
 
-        if not pim['pim']['rp']:
-            raise ConfigError(f"RP address required")
+    if 'interface' not in pim:
+        raise ConfigError('PIM require defined interfaces!')
 
-        # Check unique multicast groups
-        uniq_groups = []
-        for rp_addr in pim['pim']['rp']:
-            if not pim['pim']['rp'][rp_addr]:
-                raise ConfigError(f"Group should be specified for RP " + rp_addr)
-            for group in pim['pim']['rp'][rp_addr]:
-                if (group in uniq_groups):
-                    raise ConfigError(f"Group range " + group + " specified cannot exact match another")
+    for interface in pim['interface']:
+        verify_interface_exists(interface)
 
-                # Check, is this multicast group
-                gr_addr = group.split('/')
-                if IPv4Address(gr_addr[0]) < IPv4Address('224.0.0.0'):
-                    raise ConfigError(group + " not a multicast group")
+    if 'rp' in pim:
+        if 'address' not in pim['rp']:
+            raise ConfigError('PIM rendezvous point needs to be defined!')
 
-            uniq_groups.extend(pim['pim']['rp'][rp_addr])
+        # Check unique multicast groups
+        unique = []
+        pim_base_error = 'PIM rendezvous point group'
+        for address, address_config in pim['rp']['address'].items():
+            if 'group' not in address_config:
+                raise ConfigError(f'{pim_base_error} should be defined for "{address}"!')
+
+            # Check if it is a multicast group
+            for gr_addr in address_config['group']:
+                if not IPv4Network(gr_addr).is_multicast:
+                    raise ConfigError(f'{pim_base_error} "{gr_addr}" is not a multicast group!')
+                if gr_addr in unique:
+                    raise ConfigError(f'{pim_base_error} must be unique!')
+                unique.append(gr_addr)
 
 def generate(pim):
-    if pim is None:
+    if not pim or 'deleted' in pim:
         return None
-
-    render(config_file, 'frr/pimd.frr.j2', pim)
+    pim['frr_pimd_config']  = render_to_string('frr/pimd.frr.j2', pim)
     return None
 
 def apply(pim):
-    if pim is None:
+    pim_daemon = 'pimd'
+    pim_pid = process_named_running(pim_daemon)
+
+    if not pim or 'deleted' in pim:
+        if 'deleted' in pim:
+            os.kill(int(pim_pid), SIGTERM)
+
         return None
 
-    pim_pid = process_named_running('pimd')
-    if pim['igmp_conf'] or pim['pim_conf']:
-        if not pim_pid:
-            call(pimd_cmd)
+    if not pim_pid:
+        call('/usr/lib/frr/pimd -d -F traditional --daemon -A 127.0.0.1')
+
+    # Save original configuration prior to starting any commit actions
+    frr_cfg = frr.FRRConfig()
+
+    frr_cfg.load_configuration(pim_daemon)
+    frr_cfg.modify_section(f'^ip pim')
+    frr_cfg.modify_section(f'^ip igmp')
 
-        if os.path.exists(config_file):
-            call("vtysh -d pimd -f " + config_file)
-            os.remove(config_file)
-    elif pim_pid:
-        os.kill(int(pim_pid), SIGTERM)
+    for key in ['interface', 'interface_removed']:
+        if key not in pim:
+            continue
+        for interface in pim[key]:
+            frr_cfg.modify_section(f'^interface {interface}', stop_pattern='^exit', remove_stop_mark=True)
 
+    if 'frr_pimd_config' in pim:
+        frr_cfg.add_before(frr.default_add_before, pim['frr_pimd_config'])
+    frr_cfg.commit_configuration(pim_daemon)
     return None
 
 if __name__ == '__main__':
diff --git a/src/conf_mode/protocols_pim6.py b/src/conf_mode/protocols_pim6.py
new file mode 100755
index 000000000..2003a1014
--- /dev/null
+++ b/src/conf_mode/protocols_pim6.py
@@ -0,0 +1,133 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from ipaddress import IPv6Address
+from ipaddress import IPv6Network
+from sys import exit
+
+from vyos.config import Config
+from vyos.config import config_dict_merge
+from vyos.configdict import node_changed
+from vyos.configverify import verify_interface_exists
+from vyos.template import render_to_string
+from vyos import ConfigError
+from vyos import frr
+from vyos import airbag
+airbag.enable()
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+    base = ['protocols', 'pim6']
+    pim6 = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                 get_first_key=True, with_recursive_defaults=True)
+
+    # FRR has VRF support for different routing daemons. As interfaces belong
+    # to VRFs - or the global VRF, we need to check for changed interfaces so
+    # that they will be properly rendered for the FRR config. Also this eases
+    # removal of interfaces from the running configuration.
+    interfaces_removed = node_changed(conf, base + ['interface'])
+    if interfaces_removed:
+        pim6['interface_removed'] = list(interfaces_removed)
+
+    # Bail out early if configuration tree does no longer exist. this must
+    # be done after retrieving the list of interfaces to be removed.
+    if not conf.exists(base):
+        pim6.update({'deleted' : ''})
+        return pim6
+
+    # We have gathered the dict representation of the CLI, but there are default
+    # options which we need to update into the dictionary retrived.
+    default_values = conf.get_config_defaults(**pim6.kwargs, recursive=True)
+
+    pim6 = config_dict_merge(default_values, pim6)
+    return pim6
+
+def verify(pim6):
+    if not pim6 or 'deleted' in pim6:
+        return
+
+    for interface, interface_config in pim6.get('interface', {}).items():
+        verify_interface_exists(interface)
+        if 'mld' in interface_config:
+            mld = interface_config['mld']
+            for group in mld.get('join', {}).keys():
+                # Validate multicast group address
+                if not IPv6Address(group).is_multicast:
+                    raise ConfigError(f"{group} is not a multicast group")
+
+    if 'rp' in pim6:
+        if 'address' not in pim6['rp']:
+            raise ConfigError('PIM6 rendezvous point needs to be defined!')
+
+        # Check unique multicast groups
+        unique = []
+        pim_base_error = 'PIM6 rendezvous point group'
+
+        if {'address', 'prefix-list6'} <= set(pim6['rp']):
+            raise ConfigError(f'{pim_base_error} supports either address or a prefix-list!')
+
+        for address, address_config in pim6['rp']['address'].items():
+            if 'group' not in address_config:
+                raise ConfigError(f'{pim_base_error} should be defined for "{address}"!')
+
+            # Check if it is a multicast group
+            for gr_addr in address_config['group']:
+                if not IPv6Network(gr_addr).is_multicast:
+                    raise ConfigError(f'{pim_base_error} "{gr_addr}" is not a multicast group!')
+                if gr_addr in unique:
+                    raise ConfigError(f'{pim_base_error} must be unique!')
+                unique.append(gr_addr)
+
+def generate(pim6):
+    if not pim6 or 'deleted' in pim6:
+        return
+    pim6['new_frr_config'] = render_to_string('frr/pim6d.frr.j2', pim6)
+    return None
+
+def apply(pim6):
+    if pim6 is None:
+        return
+
+    pim6_daemon = 'pim6d'
+
+    # Save original configuration prior to starting any commit actions
+    frr_cfg = frr.FRRConfig()
+
+    frr_cfg.load_configuration(pim6_daemon)
+
+    for key in ['interface', 'interface_removed']:
+        if key not in pim6:
+            continue
+        for interface in pim6[key]:
+            frr_cfg.modify_section(f'^interface {interface}', stop_pattern='^exit', remove_stop_mark=True)
+
+    if 'new_frr_config' in pim6:
+        frr_cfg.add_before(frr.default_add_before, pim6['new_frr_config'])
+    frr_cfg.commit_configuration(pim6_daemon)
+    return None
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/protocols_segment-routing.py b/src/conf_mode/protocols_segment-routing.py
new file mode 100755
index 000000000..d865c2ac0
--- /dev/null
+++ b/src/conf_mode/protocols_segment-routing.py
@@ -0,0 +1,118 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.configdict import node_changed
+from vyos.template import render_to_string
+from vyos.utils.dict import dict_search
+from vyos.utils.system import sysctl_write
+from vyos import ConfigError
+from vyos import frr
+from vyos import airbag
+airbag.enable()
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+
+    base = ['protocols', 'segment-routing']
+    sr = conf.get_config_dict(base, key_mangling=('-', '_'),
+                              get_first_key=True,
+                              no_tag_node_value_mangle=True,
+                              with_recursive_defaults=True)
+
+    # FRR has VRF support for different routing daemons. As interfaces belong
+    # to VRFs - or the global VRF, we need to check for changed interfaces so
+    # that they will be properly rendered for the FRR config. Also this eases
+    # removal of interfaces from the running configuration.
+    interfaces_removed = node_changed(conf, base + ['interface'])
+    if interfaces_removed:
+        sr['interface_removed'] = list(interfaces_removed)
+
+    import pprint
+    pprint.pprint(sr)
+    return sr
+
+def verify(sr):
+    if 'srv6' in sr:
+        srv6_enable = False
+        if 'interface' in sr:
+            for interface, interface_config in sr['interface'].items():
+                if 'srv6' in interface_config:
+                    srv6_enable = True
+                    break
+        if not srv6_enable:
+            raise ConfigError('SRv6 should be enabled on at least one interface!')
+    return None
+
+def generate(sr):
+    if not sr:
+        return None
+
+    sr['new_frr_config'] = render_to_string('frr/zebra.segment_routing.frr.j2', sr)
+    return None
+
+def apply(sr):
+    zebra_daemon = 'zebra'
+
+    if 'interface_removed' in sr:
+        for interface in sr['interface_removed']:
+            # Disable processing of IPv6-SR packets
+            sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '0')
+
+    if 'interface' in sr:
+        for interface, interface_config in sr['interface'].items():
+            # Accept or drop SR-enabled IPv6 packets on this interface
+            if 'srv6' in interface_config:
+                sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '1')
+                # Define HMAC policy for ingress SR-enabled packets on this interface
+                # It's a redundant check as HMAC has a default value - but better safe
+                # then sorry
+                tmp = dict_search('srv6.hmac', interface_config)
+                if tmp == 'accept':
+                    sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '0')
+                elif tmp == 'drop':
+                    sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '1')
+                elif tmp == 'ignore':
+                    sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '-1')
+            else:
+                sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '0')
+
+    # Save original configuration prior to starting any commit actions
+    frr_cfg = frr.FRRConfig()
+    frr_cfg.load_configuration(zebra_daemon)
+    frr_cfg.modify_section(r'^segment-routing')
+    if 'new_frr_config' in sr:
+        frr_cfg.add_before(frr.default_add_before, sr['new_frr_config'])
+    frr_cfg.commit_configuration(zebra_daemon)
+
+    return None
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/arp.py b/src/conf_mode/protocols_static_arp.py
index b141f1141..b141f1141 100755
--- a/src/conf_mode/arp.py
+++ b/src/conf_mode/protocols_static_arp.py
diff --git a/src/conf_mode/protocols_static_neighbor-proxy.py b/src/conf_mode/protocols_static_neighbor-proxy.py
new file mode 100755
index 000000000..10cc1e748
--- /dev/null
+++ b/src/conf_mode/protocols_static_neighbor-proxy.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.configdict import node_changed
+from vyos.utils.process import call
+from vyos import ConfigError
+from vyos import airbag
+
+airbag.enable()
+
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+
+    base = ['protocols', 'static', 'neighbor-proxy']
+    config = conf.get_config_dict(base, get_first_key=True)
+
+    return config
+
+
+def verify(config):
+
+    if 'arp' in config:
+        for neighbor, neighbor_conf in config['arp'].items():
+            if 'interface' not in neighbor_conf:
+                raise ConfigError(
+                    f"ARP neighbor-proxy for '{neighbor}' requires an interface to be set!"
+                )
+
+    if 'nd' in config:
+        for neighbor, neighbor_conf in config['nd'].items():
+            if 'interface' not in neighbor_conf:
+                raise ConfigError(
+                    f"ARP neighbor-proxy for '{neighbor}' requires an interface to be set!"
+                )
+
+
+def generate(config):
+    pass
+
+
+def apply(config):
+    if not config:
+        # Cleanup proxy
+        call('ip neighbor flush proxy')
+        call('ip -6 neighbor flush proxy')
+        return None
+
+    # Add proxy ARP
+    if 'arp' in config:
+        # Cleanup entries before config
+        call('ip neighbor flush proxy')
+        for neighbor, neighbor_conf in config['arp'].items():
+            for interface in neighbor_conf.get('interface'):
+                call(f'ip neighbor add proxy {neighbor} dev {interface}')
+
+    # Add proxy NDP
+    if 'nd' in config:
+        # Cleanup entries before config
+        call('ip -6 neighbor flush proxy')
+        for neighbor, neighbor_conf in config['nd'].items():
+            for interface in neighbor_conf['interface']:
+                call(f'ip -6 neighbor add proxy {neighbor} dev {interface}')
+
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/service_broadcast-relay.py
index 31c552f5a..31c552f5a 100755
--- a/src/conf_mode/bcast_relay.py
+++ b/src/conf_mode/service_broadcast-relay.py
diff --git a/src/conf_mode/service_config_sync.py b/src/conf_mode/service_config-sync.py
index 4b8a7f6ee..4b8a7f6ee 100755
--- a/src/conf_mode/service_config_sync.py
+++ b/src/conf_mode/service_config-sync.py
diff --git a/src/conf_mode/conntrack_sync.py b/src/conf_mode/service_conntrack-sync.py
index 4fb2ce27f..4fb2ce27f 100755
--- a/src/conf_mode/conntrack_sync.py
+++ b/src/conf_mode/service_conntrack-sync.py
diff --git a/src/conf_mode/dhcp_relay.py b/src/conf_mode/service_dhcp-relay.py
index 37d708847..37d708847 100755
--- a/src/conf_mode/dhcp_relay.py
+++ b/src/conf_mode/service_dhcp-relay.py
diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/service_dhcp-server.py
index ac7d95632..ac7d95632 100755
--- a/src/conf_mode/dhcp_server.py
+++ b/src/conf_mode/service_dhcp-server.py
diff --git a/src/conf_mode/dhcpv6_relay.py b/src/conf_mode/service_dhcpv6-relay.py
index 6537ca3c2..6537ca3c2 100755
--- a/src/conf_mode/dhcpv6_relay.py
+++ b/src/conf_mode/service_dhcpv6-relay.py
diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/service_dhcpv6-server.py
index 427001609..427001609 100755
--- a/src/conf_mode/dhcpv6_server.py
+++ b/src/conf_mode/service_dhcpv6-server.py
diff --git a/src/conf_mode/service_dns_dynamic.py b/src/conf_mode/service_dns_dynamic.py
new file mode 100755
index 000000000..99fa8feee
--- /dev/null
+++ b/src/conf_mode/service_dns_dynamic.py
@@ -0,0 +1,187 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import re
+from sys import exit
+
+from vyos.base import Warning
+from vyos.config import Config
+from vyos.configverify import verify_interface_exists
+from vyos.template import render
+from vyos.utils.process import call
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+config_file = r'/run/ddclient/ddclient.conf'
+systemd_override = r'/run/systemd/system/ddclient.service.d/override.conf'
+
+# Dynamic interfaces that might not exist when the configuration is loaded
+dynamic_interfaces = ('pppoe', 'sstpc')
+
+# Protocols that require zone
+zone_necessary = ['cloudflare', 'digitalocean', 'godaddy', 'hetzner', 'gandi',
+                  'nfsn', 'nsupdate']
+zone_supported = zone_necessary + ['dnsexit2', 'zoneedit1']
+
+# Protocols that do not require username
+username_unnecessary = ['1984', 'cloudflare', 'cloudns', 'digitalocean', 'dnsexit2',
+                        'duckdns', 'freemyip', 'hetzner', 'keysystems', 'njalla',
+                        'nsupdate', 'regfishde']
+
+# Protocols that support TTL
+ttl_supported = ['cloudflare', 'dnsexit2', 'gandi', 'hetzner', 'godaddy', 'nfsn',
+                 'nsupdate']
+
+# Protocols that support both IPv4 and IPv6
+dualstack_supported = ['cloudflare', 'digitalocean', 'dnsexit2', 'duckdns',
+                       'dyndns2', 'easydns', 'freedns', 'hetzner', 'infomaniak',
+                       'njalla']
+
+# dyndns2 protocol in ddclient honors dual stack for selective servers
+# because of the way it is implemented in ddclient
+dyndns_dualstack_servers = ['members.dyndns.org', 'dynv6.com']
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+
+    base = ['service', 'dns', 'dynamic']
+    if not conf.exists(base):
+        return None
+
+    dyndns = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                  no_tag_node_value_mangle=True,
+                                  get_first_key=True,
+                                  with_recursive_defaults=True)
+
+    dyndns['config_file'] = config_file
+    return dyndns
+
+def verify(dyndns):
+    # bail out early - looks like removal from running config
+    if not dyndns or 'name' not in dyndns:
+        return None
+
+    # Dynamic DNS service provider - configuration validation
+    for service, config in dyndns['name'].items():
+
+        error_msg_req = f'is required for Dynamic DNS service "{service}"'
+        error_msg_uns = f'is not supported for Dynamic DNS service "{service}"'
+
+        for field in ['protocol', 'address', 'host_name']:
+            if field not in config:
+                raise ConfigError(f'"{field.replace("_", "-")}" {error_msg_req}')
+
+        # If dyndns address is an interface, ensure
+        # that the interface exists (or just warn if dynamic interface)
+        # and that web-options are not set
+        if config['address'] != 'web':
+            # exclude check interface for dynamic interfaces
+            if config['address'].startswith(dynamic_interfaces):
+                Warning(f'Interface "{config["address"]}" does not exist yet and cannot '
+                        f'be used for Dynamic DNS service "{service}" until it is up!')
+            else:
+                verify_interface_exists(config['address'])
+            if 'web_options' in config:
+                raise ConfigError(f'"web-options" is applicable only when using HTTP(S) '
+                                  f'web request to obtain the IP address')
+
+        # Warn if using checkip.dyndns.org, as it does not support HTTPS
+        # See: https://github.com/ddclient/ddclient/issues/597
+        if 'web_options' in config:
+            if 'url' not in config['web_options']:
+                raise ConfigError(f'"url" in "web-options" {error_msg_req} '
+                                  f'with protocol "{config["protocol"]}"')
+            elif re.search("^(https?://)?checkip\.dyndns\.org", config['web_options']['url']):
+                Warning(f'"checkip.dyndns.org" does not support HTTPS requests for IP address '
+                        f'lookup. Please use a different IP address lookup service.')
+
+        # RFC2136 uses 'key' instead of 'password'
+        if config['protocol'] != 'nsupdate' and 'password' not in config:
+            raise ConfigError(f'"password" {error_msg_req}')
+
+        # Other RFC2136 specific configuration validation
+        if config['protocol'] == 'nsupdate':
+            if 'password' in config:
+                raise ConfigError(f'"password" {error_msg_uns} with protocol "{config["protocol"]}"')
+            for field in ['server', 'key']:
+                if field not in config:
+                    raise ConfigError(f'"{field}" {error_msg_req} with protocol "{config["protocol"]}"')
+
+        if config['protocol'] in zone_necessary and 'zone' not in config:
+            raise ConfigError(f'"zone" {error_msg_req} with protocol "{config["protocol"]}"')
+
+        if config['protocol'] not in zone_supported and 'zone' in config:
+            raise ConfigError(f'"zone" {error_msg_uns} with protocol "{config["protocol"]}"')
+
+        if config['protocol'] not in username_unnecessary and 'username' not in config:
+            raise ConfigError(f'"username" {error_msg_req} with protocol "{config["protocol"]}"')
+
+        if config['protocol'] not in ttl_supported and 'ttl' in config:
+            raise ConfigError(f'"ttl" {error_msg_uns} with protocol "{config["protocol"]}"')
+
+        if config['ip_version'] == 'both':
+            if config['protocol'] not in dualstack_supported:
+                raise ConfigError(f'Both IPv4 and IPv6 at the same time {error_msg_uns} '
+                                  f'with protocol "{config["protocol"]}"')
+            # dyndns2 protocol in ddclient honors dual stack only for dyn.com (dyndns.org)
+            if config['protocol'] == 'dyndns2' and 'server' in config and config['server'] not in dyndns_dualstack_servers:
+                raise ConfigError(f'Both IPv4 and IPv6 at the same time {error_msg_uns} '
+                                  f'for "{config["server"]}" with protocol "{config["protocol"]}"')
+
+        if {'wait_time', 'expiry_time'} <= config.keys() and int(config['expiry_time']) < int(config['wait_time']):
+                raise ConfigError(f'"expiry-time" must be greater than "wait-time" for '
+                                  f'Dynamic DNS service "{service}"')
+
+    return None
+
+def generate(dyndns):
+    # bail out early - looks like removal from running config
+    if not dyndns or 'name' not in dyndns:
+        return None
+
+    render(config_file, 'dns-dynamic/ddclient.conf.j2', dyndns, permission=0o600)
+    render(systemd_override, 'dns-dynamic/override.conf.j2', dyndns)
+    return None
+
+def apply(dyndns):
+    systemd_service = 'ddclient.service'
+    # Reload systemd manager configuration
+    call('systemctl daemon-reload')
+
+    # bail out early - looks like removal from running config
+    if not dyndns or 'name' not in dyndns:
+        call(f'systemctl stop {systemd_service}')
+        if os.path.exists(config_file):
+            os.unlink(config_file)
+    else:
+        call(f'systemctl reload-or-restart {systemd_service}')
+
+    return None
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/service_dns_forwarding.py
index c186f47af..c186f47af 100755
--- a/src/conf_mode/dns_forwarding.py
+++ b/src/conf_mode/service_dns_forwarding.py
diff --git a/src/conf_mode/service_event_handler.py b/src/conf_mode/service_event-handler.py
index 5028ef52f..5028ef52f 100755
--- a/src/conf_mode/service_event_handler.py
+++ b/src/conf_mode/service_event-handler.py
diff --git a/src/conf_mode/service_https.py b/src/conf_mode/service_https.py
new file mode 100755
index 000000000..46efc3c93
--- /dev/null
+++ b/src/conf_mode/service_https.py
@@ -0,0 +1,238 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019-2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import socket
+import sys
+import json
+
+from time import sleep
+
+from vyos.base import Warning
+from vyos.config import Config
+from vyos.config import config_dict_merge
+from vyos.configdiff import get_config_diff
+from vyos.configverify import verify_vrf
+from vyos.defaults import api_config_state
+from vyos.pki import wrap_certificate
+from vyos.pki import wrap_private_key
+from vyos.pki import wrap_dh_parameters
+from vyos.pki import load_dh_parameters
+from vyos.template import render
+from vyos.utils.dict import dict_search
+from vyos.utils.process import call
+from vyos.utils.process import is_systemd_service_active
+from vyos.utils.network import check_port_availability
+from vyos.utils.network import is_listen_port_bind_service
+from vyos.utils.file import write_file
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+config_file = '/etc/nginx/sites-enabled/default'
+systemd_override = r'/run/systemd/system/nginx.service.d/override.conf'
+cert_dir = '/run/nginx/certs'
+
+user = 'www-data'
+group = 'www-data'
+
+systemd_service_api = '/run/systemd/system/vyos-http-api.service'
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+
+    base = ['service', 'https']
+    if not conf.exists(base):
+        return None
+
+    https = conf.get_config_dict(base, get_first_key=True,
+                                 key_mangling=('-', '_'),
+                                 with_pki=True)
+
+    # store path to API config file for later use in templates
+    https['api_config_state'] = api_config_state
+    # get fully qualified system hsotname
+    https['hostname'] = socket.getfqdn()
+
+    # We have gathered the dict representation of the CLI, but there are default
+    # options which we need to update into the dictionary retrived.
+    default_values = conf.get_config_defaults(**https.kwargs, recursive=True)
+    if 'api' not in https or 'graphql' not in https['api']:
+        del default_values['api']
+
+    # merge CLI and default dictionary
+    https = config_dict_merge(default_values, https)
+    return https
+
+def verify(https):
+    if https is None:
+        return None
+
+    if 'certificates' in https and 'certificate' in https['certificates']:
+        cert_name = https['certificates']['certificate']
+        if 'pki' not in https:
+            raise ConfigError('PKI is not configured!')
+
+        if cert_name not in https['pki']['certificate']:
+            raise ConfigError('Invalid certificate in configuration!')
+
+        pki_cert = https['pki']['certificate'][cert_name]
+
+        if 'certificate' not in pki_cert:
+            raise ConfigError('Missing certificate in configuration!')
+
+        if 'private' not in pki_cert or 'key' not in pki_cert['private']:
+            raise ConfigError('Missing certificate private key in configuration!')
+
+        if 'dh_params' in https['certificates']:
+            dh_name = https['certificates']['dh_params']
+            if dh_name not in https['pki']['dh']:
+                raise ConfigError('Invalid DH parameter in configuration!')
+
+            pki_dh = https['pki']['dh'][dh_name]
+            dh_params = load_dh_parameters(pki_dh['parameters'])
+            dh_numbers = dh_params.parameter_numbers()
+            dh_bits = dh_numbers.p.bit_length()
+            if dh_bits < 2048:
+                raise ConfigError(f'Minimum DH key-size is 2048 bits')
+
+    else:
+        Warning('No certificate specified, using build-in self-signed certificates. '\
+                'Do not use them in a production environment!')
+
+    # Check if server port is already in use by a different appliaction
+    listen_address = ['0.0.0.0']
+    port = int(https['port'])
+    if 'listen_address' in https:
+        listen_address = https['listen_address']
+
+    for address in listen_address:
+        if not check_port_availability(address, port, 'tcp') and not is_listen_port_bind_service(port, 'nginx'):
+            raise ConfigError(f'TCP port "{port}" is used by another service!')
+
+    verify_vrf(https)
+
+    # Verify API server settings, if present
+    if 'api' in https:
+        keys = dict_search('api.keys.id', https)
+        gql_auth_type = dict_search('api.graphql.authentication.type', https)
+
+        # If "api graphql" is not defined and `gql_auth_type` is None,
+        # there's certainly no JWT auth option, and keys are required
+        jwt_auth = (gql_auth_type == "token")
+
+        # Check for incomplete key configurations in every case
+        valid_keys_exist = False
+        if keys:
+            for k in keys:
+                if 'key' not in keys[k]:
+                    raise ConfigError(f'Missing HTTPS API key string for key id "{k}"')
+                else:
+                    valid_keys_exist = True
+
+        # If only key-based methods are enabled,
+        # fail the commit if no valid key configurations are found
+        if (not valid_keys_exist) and (not jwt_auth):
+            raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled!')
+
+        if (not valid_keys_exist) and jwt_auth:
+            Warning(f'API keys are not configured: classic (non-GraphQL) API will be unavailable!')
+
+    return None
+
+def generate(https):
+    if https is None:
+        for file in [systemd_service_api, config_file, systemd_override]:
+            if os.path.exists(file):
+                os.unlink(file)
+        return None
+
+    if 'api' in https:
+        render(systemd_service_api, 'https/vyos-http-api.service.j2', https)
+        with open(api_config_state, 'w') as f:
+            json.dump(https['api'], f, indent=2)
+    else:
+        if os.path.exists(systemd_service_api):
+            os.unlink(systemd_service_api)
+
+    # get certificate data
+    if 'certificates' in https and 'certificate' in https['certificates']:
+        cert_name = https['certificates']['certificate']
+        pki_cert = https['pki']['certificate'][cert_name]
+
+        cert_path = os.path.join(cert_dir, f'{cert_name}_cert.pem')
+        key_path = os.path.join(cert_dir, f'{cert_name}_key.pem')
+
+        server_cert = str(wrap_certificate(pki_cert['certificate']))
+
+        # Append CA certificate if specified to form a full chain
+        if 'ca_certificate' in https['certificates']:
+            ca_cert = https['certificates']['ca_certificate']
+            server_cert += '\n' + str(wrap_certificate(https['pki']['ca'][ca_cert]['certificate']))
+
+        write_file(cert_path, server_cert, user=user, group=group, mode=0o644)
+        write_file(key_path, wrap_private_key(pki_cert['private']['key']),
+                    user=user, group=group, mode=0o600)
+
+        tmp_path = {'cert_path': cert_path, 'key_path': key_path}
+
+        if 'dh_params' in https['certificates']:
+            dh_name = https['certificates']['dh_params']
+            pki_dh = https['pki']['dh'][dh_name]
+            if 'parameters' in pki_dh:
+                dh_path = os.path.join(cert_dir, f'{dh_name}_dh.pem')
+                write_file(dh_path, wrap_dh_parameters(pki_dh['parameters']),
+                           user=user, group=group, mode=0o600)
+                tmp_path.update({'dh_file' : dh_path})
+
+        https['certificates'].update(tmp_path)
+
+    render(config_file, 'https/nginx.default.j2', https)
+    render(systemd_override, 'https/override.conf.j2', https)
+    return None
+
+def apply(https):
+    # Reload systemd manager configuration
+    call('systemctl daemon-reload')
+    http_api_service_name = 'vyos-http-api.service'
+    https_service_name = 'nginx.service'
+
+    if https is None:
+        call(f'systemctl stop {http_api_service_name}')
+        call(f'systemctl stop {https_service_name}')
+        return
+
+    if 'api' in https:
+        call(f'systemctl reload-or-restart {http_api_service_name}')
+        # Let uvicorn settle before (possibly) restarting nginx
+        sleep(1)
+    elif is_systemd_service_active(http_api_service_name):
+        call(f'systemctl stop {http_api_service_name}')
+
+    call(f'systemctl reload-or-restart {https_service_name}')
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        sys.exit(1)
diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_ddos-protection.py
index 276a71fcb..276a71fcb 100755
--- a/src/conf_mode/service_ids_fastnetmon.py
+++ b/src/conf_mode/service_ids_ddos-protection.py
diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py
index b70e32373..36f00dec5 100755
--- a/src/conf_mode/service_ipoe-server.py
+++ b/src/conf_mode/service_ipoe-server.py
@@ -15,17 +15,17 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
-import jmespath
 
 from sys import exit
 
 from vyos.config import Config
 from vyos.configdict import get_accel_dict
-from vyos.configverify import verify_accel_ppp_base_service
 from vyos.configverify import verify_interface_exists
 from vyos.template import render
 from vyos.utils.process import call
 from vyos.utils.dict import dict_search
+from vyos.accel_ppp_util import get_pools_in_order
+from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -35,87 +35,6 @@ ipoe_conf = '/run/accel-pppd/ipoe.conf'
 ipoe_chap_secrets = '/run/accel-pppd/ipoe.chap-secrets'
 
 
-def get_pools_in_order(data: dict) -> list:
-    """Return a list of dictionaries representing pool data in the order
-    in which they should be allocated. Pool must be defined before we can
-    use it with 'next-pool' option.
-
-    Args:
-        data: A dictionary of pool data, where the keys are pool names and the
-        values are dictionaries containing the 'subnet' key and the optional
-        'next_pool' key.
-
-    Returns:
-        list: A list of dictionaries
-
-    Raises:
-        ValueError: If a 'next_pool' key references a pool name that
-                    has not been defined.
-        ValueError: If a circular reference is found in the 'next_pool' keys.
-
-    Example:
-        config_data = {
-        ... 'first-pool': {
-        ... 'next_pool': 'second-pool',
-        ... 'subnet': '192.0.2.0/25'
-        ... },
-        ... 'second-pool': {
-        ... 'next_pool': 'third-pool',
-        ... 'subnet': '203.0.113.0/25'
-        ... },
-        ... 'third-pool': {
-        ... 'subnet': '198.51.100.0/24'
-        ... },
-        ... 'foo': {
-        ... 'subnet': '100.64.0.0/24',
-        ... 'next_pool': 'second-pool'
-        ... }
-        ... }
-
-        % get_pools_in_order(config_data)
-        [{'third-pool': {'subnet': '198.51.100.0/24'}},
-        {'second-pool': {'next_pool': 'third-pool', 'subnet': '203.0.113.0/25'}},
-        {'first-pool': {'next_pool': 'second-pool', 'subnet': '192.0.2.0/25'}},
-        {'foo': {'next_pool': 'second-pool', 'subnet': '100.64.0.0/24'}}]
-    """
-    pools = []
-    unresolved_pools = {}
-
-    for pool, pool_config in data.items():
-        if 'next_pool' not in pool_config:
-            pools.insert(0, {pool: pool_config})
-        else:
-            unresolved_pools[pool] = pool_config
-
-    while unresolved_pools:
-        resolved_pools = []
-
-        for pool, pool_config in unresolved_pools.items():
-            next_pool_name = pool_config['next_pool']
-
-            if any(p for p in pools if next_pool_name in p):
-                index = next(
-                    (i for i, p in enumerate(pools) if next_pool_name in p),
-                    None)
-                pools.insert(index + 1, {pool: pool_config})
-                resolved_pools.append(pool)
-            elif next_pool_name in unresolved_pools:
-                # next pool not yet resolved
-                pass
-            else:
-                raise ValueError(
-                    f"Pool '{next_pool_name}' not defined in configuration data"
-                )
-
-        if not resolved_pools:
-            raise ValueError("Circular reference in configuration data")
-
-        for pool in resolved_pools:
-            unresolved_pools.pop(pool)
-
-    return pools
-
-
 def get_config(config=None):
     if config:
         conf = config
@@ -128,18 +47,11 @@ def get_config(config=None):
     # retrieve common dictionary keys
     ipoe = get_accel_dict(conf, base, ipoe_chap_secrets)
 
-    if jmespath.search('client_ip_pool.name', ipoe):
-        dict_named_pools = jmespath.search('client_ip_pool.name', ipoe)
+    if dict_search('client_ip_pool', ipoe):
         # Multiple named pools require ordered values T5099
-        ipoe['ordered_named_pools'] = get_pools_in_order(dict_named_pools)
-        # T5099 'next-pool' option
-        if jmespath.search('client_ip_pool.name.*.next_pool', ipoe):
-            for pool, pool_config in ipoe['client_ip_pool']['name'].items():
-                if 'next_pool' in pool_config:
-                    ipoe['first_named_pool'] = pool
-                    ipoe['first_named_pool_subnet'] = pool_config
-                    break
+        ipoe['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', ipoe))
 
+    ipoe['server_type'] = 'ipoe'
     return ipoe
 
 
@@ -156,9 +68,7 @@ def verify(ipoe):
             raise ConfigError('Option "client-subnet" incompatible with "vlan"!'
                               'Use "ipoe client-ip-pool" instead.')
 
-    #verify_accel_ppp_base_service(ipoe, local_users=False)
-    # IPoE server does not have 'gateway' option in the CLI
-    # we cannot use configverify.py verify_accel_ppp_base_service for ipoe-server
+    verify_accel_ppp_ip_pool(ipoe)
 
     if dict_search('authentication.mode', ipoe) == 'radius':
         if not dict_search('authentication.radius.server', ipoe):
diff --git a/src/conf_mode/lldp.py b/src/conf_mode/service_lldp.py
index c2e87d171..3c647a0e8 100755
--- a/src/conf_mode/lldp.py
+++ b/src/conf_mode/service_lldp.py
@@ -86,9 +86,9 @@ def verify(lldp):
                     raise ConfigError(f'Must define both longitude and latitude for "{interface}" location!')
 
     # check options
-    if 'snmp' in lldp and 'enable' in lldp['snmp']:
+    if 'snmp' in lldp:
         if 'system_snmp_enabled' not in lldp:
-            raise ConfigError('SNMP must be configured to enable LLDP SNMP')
+            raise ConfigError('SNMP must be configured to enable LLDP SNMP!')
 
 
 def generate(lldp):
@@ -121,4 +121,3 @@ if __name__ == '__main__':
     except ConfigError as e:
         print(e)
         exit(1)
-
diff --git a/src/conf_mode/service_mdns-repeater.py b/src/conf_mode/service_mdns_repeater.py
index a2c90b537..6526c23d1 100755
--- a/src/conf_mode/service_mdns-repeater.py
+++ b/src/conf_mode/service_mdns_repeater.py
@@ -18,7 +18,7 @@ import os
 
 from json import loads
 from sys import exit
-from netifaces import ifaddresses, interfaces, AF_INET
+from netifaces import ifaddresses, interfaces, AF_INET, AF_INET6
 
 from vyos.config import Config
 from vyos.ifconfig.vrrp import VRRP
@@ -29,6 +29,7 @@ from vyos import airbag
 airbag.enable()
 
 config_file = '/run/avahi-daemon/avahi-daemon.conf'
+systemd_override = r'/run/systemd/system/avahi-daemon.service.d/override.conf'
 vrrp_running_file = '/run/mdns_vrrp_active'
 
 def get_config(config=None):
@@ -36,18 +37,24 @@ def get_config(config=None):
         conf = config
     else:
         conf = Config()
+
     base = ['service', 'mdns', 'repeater']
-    mdns = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+    if not conf.exists(base):
+        return None
+
+    mdns = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                no_tag_node_value_mangle=True,
+                                get_first_key=True,
+                                with_recursive_defaults=True)
 
     if mdns:
         mdns['vrrp_exists'] = conf.exists('high-availability vrrp')
+        mdns['config_file'] = config_file
+
     return mdns
 
 def verify(mdns):
-    if not mdns:
-        return None
-
-    if 'disable' in mdns:
+    if not mdns or 'disable' in mdns:
         return None
 
     # We need at least two interfaces to repeat mDNS advertisments
@@ -60,10 +67,14 @@ def verify(mdns):
         if interface not in interfaces():
             raise ConfigError(f'Interface "{interface}" does not exist!')
 
-        if AF_INET not in ifaddresses(interface):
+        if mdns['ip_version'] in ['ipv4', 'both'] and AF_INET not in ifaddresses(interface):
             raise ConfigError('mDNS repeater requires an IPv4 address to be '
                                   f'configured on interface "{interface}"')
 
+        if mdns['ip_version'] in ['ipv6', 'both'] and AF_INET6 not in ifaddresses(interface):
+            raise ConfigError('mDNS repeater requires an IPv6 address to be '
+                                  f'configured on interface "{interface}"')
+
     return None
 
 # Get VRRP states from interfaces, returns only interfaces where state is MASTER
@@ -92,12 +103,17 @@ def generate(mdns):
         if len(mdns['interface']) < 2:
             return None
 
-    render(config_file, 'mdns-repeater/avahi-daemon.j2', mdns)
+    render(config_file, 'mdns-repeater/avahi-daemon.conf.j2', mdns)
+    render(systemd_override, 'mdns-repeater/override.conf.j2', mdns)
     return None
 
 def apply(mdns):
+    systemd_service = 'avahi-daemon.service'
+    # Reload systemd manager configuration
+    call('systemctl daemon-reload')
+
     if not mdns or 'disable' in mdns:
-        call('systemctl stop avahi-daemon.service')
+        call(f'systemctl stop {systemd_service}')
         if os.path.exists(config_file):
             os.unlink(config_file)
 
@@ -112,10 +128,10 @@ def apply(mdns):
                 os.mknod(vrrp_running_file) # vrrp script looks for this file to update mdns repeater
 
             if len(mdns['interface']) < 2:
-                call('systemctl stop avahi-daemon.service')
+                call(f'systemctl stop {systemd_service}')
                 return None
 
-        call('systemctl restart avahi-daemon.service')
+        call(f'systemctl restart {systemd_service}')
 
     return None
 
diff --git a/src/conf_mode/service_ndp-proxy.py b/src/conf_mode/service_ndp-proxy.py
new file mode 100755
index 000000000..aa2374f4c
--- /dev/null
+++ b/src/conf_mode/service_ndp-proxy.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.configverify import verify_interface_exists
+from vyos.utils.process import call
+from vyos.template import render
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+systemd_service = 'ndppd.service'
+ndppd_config = '/run/ndppd/ndppd.conf'
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+    base = ['service', 'ndp-proxy']
+    if not conf.exists(base):
+        return None
+
+    ndpp = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                get_first_key=True,
+                                with_recursive_defaults=True)
+
+    return ndpp
+
+def verify(ndpp):
+    if not ndpp:
+        return None
+
+    if 'interface' in ndpp:
+        for interface, interface_config in ndpp['interface'].items():
+            verify_interface_exists(interface)
+
+            if 'rule' in interface_config:
+                for rule, rule_config in interface_config['rule'].items():
+                    if rule_config['mode'] == 'interface' and 'interface' not in rule_config:
+                        raise ConfigError(f'Rule "{rule}" uses interface mode but no interface defined!')
+
+                    if rule_config['mode'] != 'interface' and 'interface' in rule_config:
+                        if interface_config['mode'] != 'interface' and 'interface' in interface_config:
+                            raise ConfigError(f'Rule "{rule}" does not use interface mode, thus interface can not be defined!')
+
+    return None
+
+def generate(ndpp):
+    if not ndpp:
+        return None
+
+    render(ndppd_config, 'ndppd/ndppd.conf.j2', ndpp)
+    return None
+
+def apply(ndpp):
+    if not ndpp:
+        call(f'systemctl stop {systemd_service}')
+        if os.path.isfile(ndppd_config):
+            os.unlink(ndppd_config)
+        return None
+
+    call(f'systemctl reload-or-restart {systemd_service}')
+    return None
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/ntp.py b/src/conf_mode/service_ntp.py
index 1cc23a7df..1cc23a7df 100755
--- a/src/conf_mode/ntp.py
+++ b/src/conf_mode/service_ntp.py
diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py
index aace267a7..7c624f034 100755
--- a/src/conf_mode/service_pppoe-server.py
+++ b/src/conf_mode/service_pppoe-server.py
@@ -21,13 +21,16 @@ from sys import exit
 from vyos.config import Config
 from vyos.configdict import get_accel_dict
 from vyos.configdict import is_node_changed
-from vyos.configverify import verify_accel_ppp_base_service
 from vyos.configverify import verify_interface_exists
 from vyos.template import render
 from vyos.utils.process import call
 from vyos.utils.dict import dict_search
+from vyos.accel_ppp_util import verify_accel_ppp_base_service
+from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
+from vyos.accel_ppp_util import get_pools_in_order
 from vyos import ConfigError
 from vyos import airbag
+
 airbag.enable()
 
 pppoe_conf = r'/run/accel-pppd/pppoe.conf'
@@ -45,12 +48,19 @@ def get_config(config=None):
     # retrieve common dictionary keys
     pppoe = get_accel_dict(conf, base, pppoe_chap_secrets)
 
+    if dict_search('client_ip_pool', pppoe):
+        # Multiple named pools require ordered values T5099
+        pppoe['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', pppoe))
+
     # reload-or-restart does not implemented in accel-ppp
     # use this workaround until it will be implemented
     # https://phabricator.accel-ppp.org/T3
-    if is_node_changed(conf, base + ['client-ip-pool']) or is_node_changed(
-            conf, base + ['client-ipv6-pool']):
+    conditions = [is_node_changed(conf, base + ['client-ip-pool']),
+                  is_node_changed(conf, base + ['client-ipv6-pool']),
+                  is_node_changed(conf, base + ['interface'])]
+    if any(conditions):
         pppoe.update({'restart_required': {}})
+    pppoe['server_type'] = 'pppoe'
     return pppoe
 
 def verify(pppoe):
@@ -69,12 +79,7 @@ def verify(pppoe):
     for interface in pppoe['interface']:
         verify_interface_exists(interface)
 
-    # local ippool and gateway settings config checks
-    if not (dict_search('client_ip_pool.subnet', pppoe) or
-           (dict_search('client_ip_pool.name', pppoe) or
-           (dict_search('client_ip_pool.start', pppoe) and
-            dict_search('client_ip_pool.stop', pppoe)))):
-        print('Warning: No PPPoE client pool defined')
+    verify_accel_ppp_ip_pool(pppoe)
 
     if dict_search('authentication.radius.dynamic_author.server', pppoe):
         if not dict_search('authentication.radius.dynamic_author.key', pppoe):
diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/service_salt-minion.py
index a8fce8e01..a8fce8e01 100755
--- a/src/conf_mode/salt-minion.py
+++ b/src/conf_mode/service_salt-minion.py
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/service_snmp.py
index 7882f8510..f65d0d6bc 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/service_snmp.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2021 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -54,7 +54,7 @@ def get_config(config=None):
     if not conf.exists(base):
         snmp.update({'deleted' : ''})
 
-    if conf.exists(['service', 'lldp', 'snmp', 'enable']):
+    if conf.exists(['service', 'lldp', 'snmp']):
         snmp.update({'lldp_snmp' : ''})
 
     if 'deleted' in snmp:
@@ -86,7 +86,7 @@ def get_config(config=None):
     return snmp
 
 def verify(snmp):
-    if not snmp:
+    if 'deleted' in snmp:
         return None
 
     if {'deleted', 'lldp_snmp'} <= set(snmp):
@@ -178,8 +178,6 @@ def verify(snmp):
     return None
 
 def generate(snmp):
-
-    #
     # As we are manipulating the snmpd user database we have to stop it first!
     # This is even save if service is going to be removed
     call(f'systemctl stop {systemd_service}')
@@ -190,7 +188,7 @@ def generate(snmp):
         if os.path.isfile(file):
             os.unlink(file)
 
-    if not snmp:
+    if 'deleted' in snmp:
         return None
 
     if 'v3' in snmp:
@@ -244,7 +242,7 @@ def apply(snmp):
     # Always reload systemd manager configuration
     call('systemctl daemon-reload')
 
-    if not snmp:
+    if 'deleted' in snmp:
         return None
 
     # start SNMP daemon
@@ -257,9 +255,7 @@ def apply(snmp):
         'bgpd', 'ospf6d', 'ospfd', 'ripd', 'ripngd', 'isisd', 'ldpd', 'zebra'
     ]
     for frr_daemon in frr_daemons_list:
-        call(
-            f'vtysh -c "configure terminal" -d {frr_daemon} -c "agentx" >/dev/null'
-        )
+        call(f'vtysh -c "configure terminal" -d {frr_daemon} -c "agentx" >/dev/null')
 
     return None
 
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/service_ssh.py
index ee5e1eca2..ee5e1eca2 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/service_ssh.py
diff --git a/src/conf_mode/tftp_server.py b/src/conf_mode/service_tftp-server.py
index 3ad346e2e..3ad346e2e 100755
--- a/src/conf_mode/tftp_server.py
+++ b/src/conf_mode/service_tftp-server.py
diff --git a/src/conf_mode/intel_qat.py b/src/conf_mode/system_acceleration.py
index e4b248675..e4b248675 100755
--- a/src/conf_mode/intel_qat.py
+++ b/src/conf_mode/system_acceleration.py
diff --git a/src/conf_mode/config_mgmt.py b/src/conf_mode/system_config-management.py
index c681a8405..c681a8405 100755
--- a/src/conf_mode/config_mgmt.py
+++ b/src/conf_mode/system_config-management.py
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/system_conntrack.py
index 9c43640a9..9c43640a9 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/system_conntrack.py
diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/system_flow-accounting.py
index 71acd69fa..f29fc94fb 100755
--- a/src/conf_mode/flow_accounting_conf.py
+++ b/src/conf_mode/system_flow-accounting.py
@@ -28,6 +28,7 @@ from vyos.ifconfig import Section
 from vyos.template import render
 from vyos.utils.process import call
 from vyos.utils.process import cmd
+from vyos.utils.process import run
 from vyos.utils.network import is_addr_assigned
 from vyos import ConfigError
 from vyos import airbag
@@ -116,6 +117,30 @@ def _nftables_config(configured_ifaces, direction, length=None):
         cmd(command, raising=ConfigError)
 
 
+def _nftables_trigger_setup(operation: str) -> None:
+    """Add a dummy rule to unlock the main pmacct loop with a packet-trigger
+
+    Args:
+        operation (str): 'add' or 'delete' a trigger
+    """
+    # check if a chain exists
+    table_exists = False
+    if run('nft -snj list table ip pmacct') == 0:
+        table_exists = True
+
+    if operation == 'delete' and table_exists:
+        nft_cmd: str = 'nft delete table ip pmacct'
+        cmd(nft_cmd, raising=ConfigError)
+    if operation == 'add' and not table_exists:
+        nft_cmds: list[str] = [
+            'nft add table ip pmacct',
+            'nft add chain ip pmacct pmacct_out { type filter hook output priority raw - 50 \\; policy accept \\; }',
+            'nft add rule ip pmacct pmacct_out oif lo ip daddr 127.0.254.0 counter log group 2 snaplen 1 queue-threshold 0 comment NFLOG_TRIGGER'
+        ]
+        for nft_cmd in nft_cmds:
+            cmd(nft_cmd, raising=ConfigError)
+
+
 def get_config(config=None):
     if config:
         conf = config
@@ -252,7 +277,6 @@ def generate(flow_config):
     call('systemctl daemon-reload')
 
 def apply(flow_config):
-    action = 'restart'
     # Check if flow-accounting was removed and define command
     if not flow_config:
         _nftables_config([], 'ingress')
@@ -262,6 +286,10 @@ def apply(flow_config):
         call(f'systemctl stop {systemd_service}')
         if os.path.exists(uacctd_conf_path):
             os.unlink(uacctd_conf_path)
+
+        # must be done after systemctl
+        _nftables_trigger_setup('delete')
+
         return
 
     # Start/reload flow-accounting daemon
@@ -277,6 +305,10 @@ def apply(flow_config):
         else:
             _nftables_config([], 'egress')
 
+    # add a trigger for signal processing
+    _nftables_trigger_setup('add')
+
+
 if __name__ == '__main__':
     try:
         config = get_config()
diff --git a/src/conf_mode/system_frr.py b/src/conf_mode/system_frr.py
index fb252238a..d43b172a6 100755
--- a/src/conf_mode/system_frr.py
+++ b/src/conf_mode/system_frr.py
@@ -22,17 +22,14 @@ from vyos import airbag
 from vyos.config import Config
 from vyos.logger import syslog
 from vyos.template import render_to_string
+from vyos.utils.boot import boot_configuration_complete
 from vyos.utils.file import read_file
 from vyos.utils.file import write_file
-from vyos.utils.process import run
+from vyos.utils.process import call
 airbag.enable()
 
 # path to daemons config and config status files
 config_file = '/etc/frr/daemons'
-vyos_status_file = '/tmp/vyos-config-status'
-# path to watchfrr for FRR control
-watchfrr = '/usr/lib/frr/watchfrr.sh'
-
 
 def get_config(config=None):
     if config:
@@ -41,16 +38,16 @@ def get_config(config=None):
         conf = Config()
 
     base = ['system', 'frr']
-    frr_config = conf.get_config_dict(base, get_first_key=True)
+    frr_config = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                      get_first_key=True,
+                                      with_recursive_defaults=True)
 
     return frr_config
 
-
 def verify(frr_config):
     # Nothing to verify here
     pass
 
-
 def generate(frr_config):
     # read daemons config file
     daemons_config_current = read_file(config_file)
@@ -62,25 +59,21 @@ def generate(frr_config):
         write_file(config_file, daemons_config_new)
         frr_config['config_file_changed'] = True
 
-
 def apply(frr_config):
-    # check if this is initial commit during boot or intiated by CLI
-    # if the file exists, this must be CLI commit
-    commit_type_cli = Path(vyos_status_file).exists()
     # display warning to user
-    if commit_type_cli and frr_config.get('config_file_changed'):
+    if boot_configuration_complete() and frr_config.get('config_file_changed'):
         # Since FRR restart is not safe thing, better to give
         # control over this to users
         print('''
         You need to reboot a router (preferred) or restart FRR
         to apply changes in modules settings
         ''')
-    # restart FRR automatically. DUring the initial boot this should be
-    # safe in most cases
-    if not commit_type_cli and frr_config.get('config_file_changed'):
-        syslog.warning('Restarting FRR to apply changes in modules')
-        run(f'{watchfrr} restart')
 
+    # restart FRR automatically
+    # During initial boot this should be safe in most cases
+    if not boot_configuration_complete() and frr_config.get('config_file_changed'):
+        syslog.warning('Restarting FRR to apply changes in modules')
+        call(f'systemctl restart frr.service')
 
 if __name__ == '__main__':
     try:
diff --git a/src/conf_mode/host_name.py b/src/conf_mode/system_host-name.py
index 36d1f6493..6204cf247 100755
--- a/src/conf_mode/host_name.py
+++ b/src/conf_mode/system_host-name.py
@@ -61,8 +61,9 @@ def get_config(config=None):
         hosts['domain_name'] = conf.return_value(['system', 'domain-name'])
         hosts['domain_search'].append(hosts['domain_name'])
 
-    for search in conf.return_values(['system', 'domain-search', 'domain']):
-        hosts['domain_search'].append(search)
+    if conf.exists(['system', 'domain-search']):
+        for search in conf.return_values(['system', 'domain-search']):
+            hosts['domain_search'].append(search)
 
     if conf.exists(['system', 'name-server']):
         for ns in conf.return_values(['system', 'name-server']):
diff --git a/src/conf_mode/system-ip.py b/src/conf_mode/system_ip.py
index 5e4e5ec28..7612e2c0d 100755
--- a/src/conf_mode/system-ip.py
+++ b/src/conf_mode/system_ip.py
@@ -20,10 +20,12 @@ from vyos.config import Config
 from vyos.configdict import dict_merge
 from vyos.configverify import verify_route_map
 from vyos.template import render_to_string
-from vyos.utils.process import call
 from vyos.utils.dict import dict_search
 from vyos.utils.file import write_file
+from vyos.utils.process import call
+from vyos.utils.process import is_systemd_service_active
 from vyos.utils.system import sysctl_write
+
 from vyos import ConfigError
 from vyos import frr
 from vyos import airbag
@@ -115,16 +117,20 @@ def apply(opt):
     value = '48' if (tmp is None) else tmp
     sysctl_write('net.ipv4.tcp_mtu_probe_floor', value)
 
-    zebra_daemon = 'zebra'
-    # Save original configuration prior to starting any commit actions
-    frr_cfg = frr.FRRConfig()
-
-    # The route-map used for the FIB (zebra) is part of the zebra daemon
-    frr_cfg.load_configuration(zebra_daemon)
-    frr_cfg.modify_section(r'ip protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)')
-    if 'frr_zebra_config' in opt:
-        frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config'])
-    frr_cfg.commit_configuration(zebra_daemon)
+    # During startup of vyos-router that brings up FRR, the service is not yet
+    # running when this script is called first. Skip this part and wait for initial
+    # commit of the configuration to trigger this statement
+    if is_systemd_service_active('frr.service'):
+        zebra_daemon = 'zebra'
+        # Save original configuration prior to starting any commit actions
+        frr_cfg = frr.FRRConfig()
+
+        # The route-map used for the FIB (zebra) is part of the zebra daemon
+        frr_cfg.load_configuration(zebra_daemon)
+        frr_cfg.modify_section(r'ip protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)')
+        if 'frr_zebra_config' in opt:
+            frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config'])
+        frr_cfg.commit_configuration(zebra_daemon)
 
 if __name__ == '__main__':
     try:
diff --git a/src/conf_mode/system-ipv6.py b/src/conf_mode/system_ipv6.py
index e40ed38e2..90a1a8087 100755
--- a/src/conf_mode/system-ipv6.py
+++ b/src/conf_mode/system_ipv6.py
@@ -22,8 +22,9 @@ from vyos.configdict import dict_merge
 from vyos.configverify import verify_route_map
 from vyos.template import render_to_string
 from vyos.utils.dict import dict_search
-from vyos.utils.system import sysctl_write
 from vyos.utils.file import write_file
+from vyos.utils.process import is_systemd_service_active
+from vyos.utils.system import sysctl_write
 from vyos import ConfigError
 from vyos import frr
 from vyos import airbag
@@ -93,16 +94,20 @@ def apply(opt):
             if name == 'accept_dad':
                 write_file(os.path.join(root, name), value)
 
-    zebra_daemon = 'zebra'
-    # Save original configuration prior to starting any commit actions
-    frr_cfg = frr.FRRConfig()
+    # During startup of vyos-router that brings up FRR, the service is not yet
+    # running when this script is called first. Skip this part and wait for initial
+    # commit of the configuration to trigger this statement
+    if is_systemd_service_active('frr.service'):
+        zebra_daemon = 'zebra'
+        # Save original configuration prior to starting any commit actions
+        frr_cfg = frr.FRRConfig()
 
-    # The route-map used for the FIB (zebra) is part of the zebra daemon
-    frr_cfg.load_configuration(zebra_daemon)
-    frr_cfg.modify_section(r'ipv6 protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)')
-    if 'frr_zebra_config' in opt:
-        frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config'])
-    frr_cfg.commit_configuration(zebra_daemon)
+        # The route-map used for the FIB (zebra) is part of the zebra daemon
+        frr_cfg.load_configuration(zebra_daemon)
+        frr_cfg.modify_section(r'ipv6 protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)')
+        if 'frr_zebra_config' in opt:
+            frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config'])
+        frr_cfg.commit_configuration(zebra_daemon)
 
 if __name__ == '__main__':
     try:
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system_login.py
index 02c97afaa..30e823bd4 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system_login.py
@@ -20,6 +20,7 @@ from passlib.hosts import linux_context
 from psutil import users
 from pwd import getpwall
 from pwd import getpwnam
+from pwd import getpwuid
 from sys import exit
 from time import sleep
 
@@ -29,6 +30,7 @@ from vyos.defaults import directories
 from vyos.template import render
 from vyos.template import is_ipv4
 from vyos.utils.dict import dict_search
+from vyos.utils.file import chown
 from vyos.utils.process import cmd
 from vyos.utils.process import call
 from vyos.utils.process import rc_cmd
@@ -104,6 +106,9 @@ def get_config(config=None):
     # prune TACACS global defaults if not set by user
     if login.from_defaults(['tacacs']):
         del login['tacacs']
+    # same for RADIUS
+    if login.from_defaults(['radius']):
+        del login['radius']
 
     # create a list of all users, cli and users
     all_users = list(set(local_users + cli_users))
@@ -303,6 +308,7 @@ def generate(login):
 
 
 def apply(login):
+    enable_otp = False
     if 'user' in login:
         for user, user_config in login['user'].items():
             # make new user using vyatta shell and make home directory (-m),
@@ -330,13 +336,19 @@ def apply(login):
             command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk {user}'
             try:
                 cmd(command)
-
                 # we should not rely on the value stored in
                 # user_config['home_directory'], as a crazy user will choose
                 # username root or any other system user which will fail.
                 #
                 # XXX: Should we deny using root at all?
                 home_dir = getpwnam(user).pw_dir
+                # T5875: ensure UID is properly set on home directory if user is re-added
+                # the home directory will always exist, as it's created above by --create-home,
+                # retrieve current owner of home directory and adjust it on demand
+                dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name
+                if dir_owner != user:
+                     chown(home_dir, user=user, recursive=True)
+
                 render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.j2',
                        user_config, permission=0o600,
                        formater=lambda _: _.replace("&quot;", '"'),
@@ -347,6 +359,7 @@ def apply(login):
 
             # Generate 2FA/MFA One-Time-Pad configuration
             if dict_search('authentication.otp.key', user_config):
+                enable_otp = True
                 render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
                        user_config, permission=0o400, user=user, group='users')
             else:
@@ -377,17 +390,28 @@ def apply(login):
             except Exception as e:
                 raise ConfigError(f'Deleting user "{user}" raised exception: {e}')
 
-    # Enable RADIUS in PAM configuration
-    pam_cmd = '--remove'
+    # Enable/disable RADIUS in PAM configuration
+    cmd('pam-auth-update --disable radius-mandatory radius-optional')
     if 'radius' in login:
-        pam_cmd = '--enable'
-    cmd(f'pam-auth-update --package {pam_cmd} radius')
-
-    # Enable/Disable TACACS in PAM configuration
-    pam_cmd = '--remove'
+        if login['radius'].get('security_mode', '') == 'mandatory':
+            pam_profile = 'radius-mandatory'
+        else:
+            pam_profile = 'radius-optional'
+        cmd(f'pam-auth-update --enable {pam_profile}')
+
+    # Enable/disable TACACS+ in PAM configuration
+    cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional')
     if 'tacacs' in login:
-        pam_cmd = '--enable'
-    cmd(f'pam-auth-update --package {pam_cmd} tacplus')
+        if login['tacacs'].get('security_mode', '') == 'mandatory':
+            pam_profile = 'tacplus-mandatory'
+        else:
+            pam_profile = 'tacplus-optional'
+        cmd(f'pam-auth-update --enable {pam_profile}')
+
+    # Enable/disable Google authenticator
+    cmd('pam-auth-update --disable mfa-google-authenticator')
+    if enable_otp:
+        cmd(f'pam-auth-update --enable mfa-google-authenticator')
 
     return None
 
diff --git a/src/conf_mode/system-login-banner.py b/src/conf_mode/system_login_banner.py
index 65fa04417..65fa04417 100755
--- a/src/conf_mode/system-login-banner.py
+++ b/src/conf_mode/system_login_banner.py
diff --git a/src/conf_mode/system-logs.py b/src/conf_mode/system_logs.py
index 8ad4875d4..8ad4875d4 100755
--- a/src/conf_mode/system-logs.py
+++ b/src/conf_mode/system_logs.py
diff --git a/src/conf_mode/system-option.py b/src/conf_mode/system_option.py
index d92121b3d..d92121b3d 100755
--- a/src/conf_mode/system-option.py
+++ b/src/conf_mode/system_option.py
diff --git a/src/conf_mode/system-proxy.py b/src/conf_mode/system_proxy.py
index 079c43e7e..079c43e7e 100755
--- a/src/conf_mode/system-proxy.py
+++ b/src/conf_mode/system_proxy.py
diff --git a/src/conf_mode/system-syslog.py b/src/conf_mode/system_syslog.py
index 07fbb0734..07fbb0734 100755
--- a/src/conf_mode/system-syslog.py
+++ b/src/conf_mode/system_syslog.py
diff --git a/src/conf_mode/task_scheduler.py b/src/conf_mode/system_task-scheduler.py
index 129be5d3c..129be5d3c 100755
--- a/src/conf_mode/task_scheduler.py
+++ b/src/conf_mode/system_task-scheduler.py
diff --git a/src/conf_mode/system-timezone.py b/src/conf_mode/system_timezone.py
index cd3d4b229..cd3d4b229 100755
--- a/src/conf_mode/system-timezone.py
+++ b/src/conf_mode/system_timezone.py
diff --git a/src/conf_mode/system_update_check.py b/src/conf_mode/system_update-check.py
index 8d641a97d..8d641a97d 100755
--- a/src/conf_mode/system_update_check.py
+++ b/src/conf_mode/system_update-check.py
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index fa271cbdb..adbac0405 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -29,7 +29,10 @@ from vyos.configdict import leaf_node_changed
 from vyos.configverify import verify_interface_exists
 from vyos.defaults import directories
 from vyos.ifconfig import Interface
+from vyos.pki import encode_certificate
 from vyos.pki import encode_public_key
+from vyos.pki import find_chain
+from vyos.pki import load_certificate
 from vyos.pki import load_private_key
 from vyos.pki import wrap_certificate
 from vyos.pki import wrap_crl
@@ -40,6 +43,7 @@ from vyos.template import is_ipv4
 from vyos.template import is_ipv6
 from vyos.template import render
 from vyos.utils.network import is_ipv6_link_local
+from vyos.utils.network import interface_exists
 from vyos.utils.dict import dict_search
 from vyos.utils.dict import dict_search_args
 from vyos.utils.process import call
@@ -62,11 +66,11 @@ default_install_routes = 'yes'
 
 vici_socket = '/var/run/charon.vici'
 
-CERT_PATH = f'{swanctl_dir}/x509/'
+CERT_PATH   = f'{swanctl_dir}/x509/'
 PUBKEY_PATH = f'{swanctl_dir}/pubkey/'
-KEY_PATH  = f'{swanctl_dir}/private/'
-CA_PATH   = f'{swanctl_dir}/x509ca/'
-CRL_PATH  = f'{swanctl_dir}/x509crl/'
+KEY_PATH    = f'{swanctl_dir}/private/'
+CA_PATH     = f'{swanctl_dir}/x509ca/'
+CRL_PATH    = f'{swanctl_dir}/x509crl/'
 
 DHCP_HOOK_IFLIST = '/tmp/ipsec_dhcp_waiting'
 
@@ -84,15 +88,13 @@ def get_config(config=None):
     ipsec = conf.get_config_dict(base, key_mangling=('-', '_'),
                                  no_tag_node_value_mangle=True,
                                  get_first_key=True,
-                                 with_recursive_defaults=True)
+                                 with_recursive_defaults=True,
+                                 with_pki=True)
 
     ipsec['dhcp_no_address'] = {}
     ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes
     ipsec['interface_change'] = leaf_node_changed(conf, base + ['interface'])
     ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
-    ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                        no_tag_node_value_mangle=True,
-                                        get_first_key=True)
 
     tmp = conf.get_config_dict(l2tp_base, key_mangling=('-', '_'),
                                no_tag_node_value_mangle=True,
@@ -157,7 +159,7 @@ def verify(ipsec):
                 if 'id' not in psk_config or 'secret' not in psk_config:
                     raise ConfigError(f'Authentication psk "{psk}" missing "id" or "secret"')
 
-    if 'interfaces' in ipsec :
+    if 'interface' in ipsec:
         for ifname in ipsec['interface']:
             verify_interface_exists(ifname)
 
@@ -393,7 +395,7 @@ def verify(ipsec):
 
                 if 'bind' in peer_conf['vti']:
                     vti_interface = peer_conf['vti']['bind']
-                    if not os.path.exists(f'/sys/class/net/{vti_interface}'):
+                    if not interface_exists(vti_interface):
                         raise ConfigError(f'VTI interface {vti_interface} for site-to-site peer {peer} does not exist!')
 
             if 'vti' not in peer_conf and 'tunnel' not in peer_conf:
@@ -431,15 +433,23 @@ def generate_pki_files_x509(pki, x509_conf):
     ca_cert_name = x509_conf['ca_certificate']
     ca_cert_data = dict_search_args(pki, 'ca', ca_cert_name, 'certificate')
     ca_cert_crls = dict_search_args(pki, 'ca', ca_cert_name, 'crl') or []
+    ca_index = 1
     crl_index = 1
 
+    ca_cert = load_certificate(ca_cert_data)
+    pki_ca_certs = [load_certificate(ca['certificate']) for ca in pki['ca'].values()]
+
+    ca_cert_chain = find_chain(ca_cert, pki_ca_certs)
+
     cert_name = x509_conf['certificate']
     cert_data = dict_search_args(pki, 'certificate', cert_name, 'certificate')
     key_data = dict_search_args(pki, 'certificate', cert_name, 'private', 'key')
     protected = 'passphrase' in x509_conf
 
-    with open(os.path.join(CA_PATH, f'{ca_cert_name}.pem'), 'w') as f:
-        f.write(wrap_certificate(ca_cert_data))
+    for ca_cert_obj in ca_cert_chain:
+        with open(os.path.join(CA_PATH, f'{ca_cert_name}_{ca_index}.pem'), 'w') as f:
+            f.write(encode_certificate(ca_cert_obj))
+        ca_index += 1
 
     for crl in ca_cert_crls:
         with open(os.path.join(CRL_PATH, f'{ca_cert_name}_{crl_index}.pem'), 'w') as f:
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py
index 6232ce64a..03a27d3cd 100755
--- a/src/conf_mode/vpn_l2tp.py
+++ b/src/conf_mode/vpn_l2tp.py
@@ -15,321 +15,48 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
-import re
 
-from copy import deepcopy
-from stat import S_IRUSR, S_IWUSR, S_IRGRP
 from sys import exit
 
-from ipaddress import ip_network
-
 from vyos.config import Config
-from vyos.template import is_ipv4
+from vyos.configdict import get_accel_dict
 from vyos.template import render
 from vyos.utils.process import call
-from vyos.utils.system import get_half_cpus
-from vyos.utils.network import check_port_availability
-from vyos.utils.network import is_listen_port_bind_service
+from vyos.utils.dict import dict_search
+from vyos.accel_ppp_util import verify_accel_ppp_base_service
+from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
+from vyos.accel_ppp_util import get_pools_in_order
+from vyos.base import Warning
 from vyos import ConfigError
 
 from vyos import airbag
 airbag.enable()
 
+
 l2tp_conf = '/run/accel-pppd/l2tp.conf'
 l2tp_chap_secrets = '/run/accel-pppd/l2tp.chap-secrets'
 
-default_config_data = {
-    'auth_mode': 'local',
-    'auth_ppp_mppe': 'prefer',
-    'auth_proto': ['auth_mschap_v2'],
-    'chap_secrets_file': l2tp_chap_secrets, # used in Jinja2 template
-    'client_ip_pool': None,
-    'client_ip_subnets': [],
-    'client_ipv6_pool': [],
-    'client_ipv6_pool_configured': False,
-    'client_ipv6_delegate_prefix': [],
-    'dnsv4': [],
-    'dnsv6': [],
-    'gateway_address': '10.255.255.0',
-    'local_users' : [],
-    'mtu': '1436',
-    'outside_addr': '',
-    'ppp_mppe': 'prefer',
-    'ppp_echo_failure' : '3',
-    'ppp_echo_interval' : '30',
-    'ppp_echo_timeout': '0',
-    'ppp_ipv6_accept_peer_intf_id': False,
-    'ppp_ipv6_intf_id': None,
-    'ppp_ipv6_peer_intf_id': None,
-    'radius_server': [],
-    'radius_acct_inter_jitter': '',
-    'radius_acct_interim_interval': None,
-    'radius_acct_tmo': '3',
-    'radius_max_try': '3',
-    'radius_timeout': '3',
-    'radius_nas_id': '',
-    'radius_nas_ip': '',
-    'radius_source_address': '',
-    'radius_shaper_attr': '',
-    'radius_shaper_vendor': '',
-    'radius_dynamic_author': {},
-    'wins': [],
-    'ip6_column': [],
-    'thread_cnt': get_half_cpus()
-}
-
 def get_config(config=None):
     if config:
         conf = config
     else:
         conf = Config()
-    base_path = ['vpn', 'l2tp', 'remote-access']
-    if not conf.exists(base_path):
+    base = ['vpn', 'l2tp', 'remote-access']
+    if not conf.exists(base):
         return None
 
-    conf.set_level(base_path)
-    l2tp = deepcopy(default_config_data)
-
-    ### general options ###
-    if conf.exists(['name-server']):
-        for name_server in conf.return_values(['name-server']):
-            if is_ipv4(name_server):
-                l2tp['dnsv4'].append(name_server)
-            else:
-                l2tp['dnsv6'].append(name_server)
-
-    if conf.exists(['wins-server']):
-        l2tp['wins'] = conf.return_values(['wins-server'])
-
-    if conf.exists('outside-address'):
-        l2tp['outside_addr'] = conf.return_value('outside-address')
-
-    if conf.exists(['authentication', 'mode']):
-        l2tp['auth_mode'] = conf.return_value(['authentication', 'mode'])
-
-    if conf.exists(['authentication', 'require']):
-        l2tp['auth_proto'] = []
-        auth_mods = {
-            'pap': 'auth_pap',
-            'chap': 'auth_chap_md5',
-            'mschap': 'auth_mschap_v1',
-            'mschap-v2': 'auth_mschap_v2'
-        }
-
-        for proto in conf.return_values(['authentication', 'require']):
-            l2tp['auth_proto'].append(auth_mods[proto])
-
-    if conf.exists(['authentication', 'mppe']):
-        l2tp['auth_ppp_mppe'] = conf.return_value(['authentication', 'mppe'])
-
-    #
-    # local auth
-    if conf.exists(['authentication', 'local-users']):
-        for username in conf.list_nodes(['authentication', 'local-users', 'username']):
-            user = {
-                'name' : username,
-                'password' : '',
-                'state' : 'enabled',
-                'ip' : '*',
-                'upload' : None,
-                'download' : None
-            }
-
-            conf.set_level(base_path + ['authentication', 'local-users', 'username', username])
-
-            if conf.exists(['password']):
-                user['password'] = conf.return_value(['password'])
-
-            if conf.exists(['disable']):
-                user['state'] = 'disable'
-
-            if conf.exists(['static-ip']):
-                user['ip'] = conf.return_value(['static-ip'])
-
-            if conf.exists(['rate-limit', 'download']):
-                user['download'] = conf.return_value(['rate-limit', 'download'])
-
-            if conf.exists(['rate-limit', 'upload']):
-                user['upload'] = conf.return_value(['rate-limit', 'upload'])
-
-            l2tp['local_users'].append(user)
-
-    #
-    # RADIUS auth and settings
-    conf.set_level(base_path + ['authentication', 'radius'])
-    if conf.exists(['server']):
-        for server in conf.list_nodes(['server']):
-            radius = {
-                'server' : server,
-                'key' : '',
-                'fail_time' : 0,
-                'port' : '1812',
-                'acct_port' : '1813'
-            }
-
-            conf.set_level(base_path + ['authentication', 'radius', 'server', server])
-
-            if conf.exists(['disable-accounting']):
-                radius['acct_port'] = '0'
-
-            if conf.exists(['fail-time']):
-                radius['fail_time'] = conf.return_value(['fail-time'])
-
-            if conf.exists(['port']):
-                radius['port'] = conf.return_value(['port'])
-
-            if conf.exists(['acct-port']):
-                radius['acct_port'] = conf.return_value(['acct-port'])
-
-            if conf.exists(['key']):
-                radius['key'] = conf.return_value(['key'])
-
-            if not conf.exists(['disable']):
-                l2tp['radius_server'].append(radius)
-
-        #
-        # advanced radius-setting
-        conf.set_level(base_path + ['authentication', 'radius'])
-
-        if conf.exists(['accounting-interim-interval']):
-            l2tp['radius_acct_interim_interval'] = conf.return_value(['accounting-interim-interval'])
-
-        if conf.exists(['acct-interim-jitter']):
-            l2tp['radius_acct_inter_jitter'] = conf.return_value(['acct-interim-jitter'])
-
-        if conf.exists(['acct-timeout']):
-            l2tp['radius_acct_tmo'] = conf.return_value(['acct-timeout'])
-
-        if conf.exists(['max-try']):
-            l2tp['radius_max_try'] = conf.return_value(['max-try'])
-
-        if conf.exists(['timeout']):
-            l2tp['radius_timeout'] = conf.return_value(['timeout'])
-
-        if conf.exists(['nas-identifier']):
-            l2tp['radius_nas_id'] = conf.return_value(['nas-identifier'])
-
-        if conf.exists(['nas-ip-address']):
-            l2tp['radius_nas_ip'] = conf.return_value(['nas-ip-address'])
-
-        if conf.exists(['source-address']):
-            l2tp['radius_source_address'] = conf.return_value(['source-address'])
-
-        # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA)
-        if conf.exists(['dae-server']):
-            dae = {
-                'port' : '',
-                'server' : '',
-                'key' : ''
-            }
-
-            if conf.exists(['dae-server', 'ip-address']):
-                dae['server'] = conf.return_value(['dae-server', 'ip-address'])
-
-            if conf.exists(['dae-server', 'port']):
-                dae['port'] = conf.return_value(['dae-server', 'port'])
-
-            if conf.exists(['dae-server', 'secret']):
-                dae['key'] = conf.return_value(['dae-server', 'secret'])
-
-            l2tp['radius_dynamic_author'] = dae
-
-        if conf.exists(['rate-limit', 'enable']):
-            l2tp['radius_shaper_attr'] = 'Filter-Id'
-            c_attr = ['rate-limit', 'enable', 'attribute']
-            if conf.exists(c_attr):
-                l2tp['radius_shaper_attr'] = conf.return_value(c_attr)
-
-            c_vendor = ['rate-limit', 'enable', 'vendor']
-            if conf.exists(c_vendor):
-                l2tp['radius_shaper_vendor'] = conf.return_value(c_vendor)
-
-    conf.set_level(base_path)
-    if conf.exists(['client-ip-pool']):
-        if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']):
-            start = conf.return_value(['client-ip-pool', 'start'])
-            stop  = conf.return_value(['client-ip-pool', 'stop'])
-            l2tp['client_ip_pool'] = start + '-' + re.search('[0-9]+$', stop).group(0)
-
-    if conf.exists(['client-ip-pool', 'subnet']):
-        l2tp['client_ip_subnets'] = conf.return_values(['client-ip-pool', 'subnet'])
-
-    if conf.exists(['client-ipv6-pool', 'prefix']):
-        l2tp['client_ipv6_pool_configured'] = True
-        l2tp['ip6_column'].append('ip6')
-        for prefix in conf.list_nodes(['client-ipv6-pool', 'prefix']):
-            tmp = {
-                'prefix': prefix,
-                'mask': '64'
-            }
-
-            if conf.exists(['client-ipv6-pool', 'prefix', prefix, 'mask']):
-                tmp['mask'] = conf.return_value(['client-ipv6-pool', 'prefix', prefix, 'mask'])
-
-            l2tp['client_ipv6_pool'].append(tmp)
-
-    if conf.exists(['client-ipv6-pool', 'delegate']):
+    # retrieve common dictionary keys
+    l2tp = get_accel_dict(conf, base, l2tp_chap_secrets)
+    if dict_search('client_ip_pool', l2tp):
+        # Multiple named pools require ordered values T5099
+        l2tp['ordered_named_pools'] = get_pools_in_order(
+            dict_search('client_ip_pool', l2tp))
+    l2tp['ip6_column'] = []
+    if dict_search('client_ipv6_pool.prefix', l2tp):
+        l2tp['ip6_column'].append('ipv6')
+    if dict_search('client_ipv6_pool.delegate', l2tp):
         l2tp['ip6_column'].append('ip6-db')
-        for prefix in conf.list_nodes(['client-ipv6-pool', 'delegate']):
-            tmp = {
-                'prefix': prefix,
-                'mask': ''
-            }
-
-            if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']):
-                tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix'])
-
-            l2tp['client_ipv6_delegate_prefix'].append(tmp)
-
-    if conf.exists(['mtu']):
-        l2tp['mtu'] = conf.return_value(['mtu'])
-
-    # gateway address
-    if conf.exists(['gateway-address']):
-        l2tp['gateway_address'] = conf.return_value(['gateway-address'])
-    else:
-        # calculate gw-ip-address
-        if conf.exists(['client-ip-pool', 'start']):
-            # use start ip as gw-ip-address
-            l2tp['gateway_address'] = conf.return_value(['client-ip-pool', 'start'])
-
-        elif conf.exists(['client-ip-pool', 'subnet']):
-            # use first ip address from first defined pool
-            subnet = conf.return_values(['client-ip-pool', 'subnet'])[0]
-            subnet = ip_network(subnet)
-            l2tp['gateway_address'] = str(list(subnet.hosts())[0])
-
-    # LNS secret
-    if conf.exists(['lns', 'shared-secret']):
-        l2tp['lns_shared_secret'] = conf.return_value(['lns', 'shared-secret'])
-    if conf.exists(['lns', 'host-name']):
-        l2tp['lns_host_name'] = conf.return_value(['lns', 'host-name'])
-
-    if conf.exists(['ccp-disable']):
-        l2tp['ccp_disable'] = True
-
-    # PPP options
-    if conf.exists(['idle']):
-        l2tp['ppp_echo_timeout'] = conf.return_value(['idle'])
-
-    if conf.exists(['ppp-options', 'lcp-echo-failure']):
-        l2tp['ppp_echo_failure'] = conf.return_value(['ppp-options', 'lcp-echo-failure'])
-
-    if conf.exists(['ppp-options', 'lcp-echo-interval']):
-        l2tp['ppp_echo_interval'] = conf.return_value(['ppp-options', 'lcp-echo-interval'])
-
-    if conf.exists(['ppp-options', 'ipv6']):
-        l2tp['ppp_ipv6'] = conf.return_value(['ppp-options', 'ipv6'])
-
-    if conf.exists(['ppp-options', 'ipv6-accept-peer-intf-id']):
-        l2tp['ppp_ipv6_accept_peer_intf_id'] = True
-
-    if conf.exists(['ppp-options', 'ipv6-intf-id']):
-        l2tp['ppp_ipv6_intf_id'] = conf.return_value(['ppp-options', 'ipv6-intf-id'])
-
-    if conf.exists(['ppp-options', 'ipv6-peer-intf-id']):
-        l2tp['ppp_ipv6_peer_intf_id'] = conf.return_value(['ppp-options', 'ipv6-peer-intf-id'])
-
+    l2tp['server_type'] = 'l2tp'
     return l2tp
 
 
@@ -337,56 +64,24 @@ def verify(l2tp):
     if not l2tp:
         return None
 
-    if l2tp['auth_mode'] == 'local':
-        if not l2tp['local_users']:
-            raise ConfigError('L2TP local auth mode requires local users to be configured!')
-
-        for user in l2tp['local_users']:
-            if not user['password']:
-                raise ConfigError(f"Password required for user {user['name']}")
+    verify_accel_ppp_base_service(l2tp)
 
-    elif l2tp['auth_mode'] == 'radius':
-        if len(l2tp['radius_server']) == 0:
-            raise ConfigError("RADIUS authentication requires at least one server")
+    if dict_search('authentication.radius.dynamic_author.server', l2tp):
+        if not dict_search('authentication.radius.dynamic_author.key', l2tp):
+            raise ConfigError('DA/CoE server key required!')
 
-        for radius in l2tp['radius_server']:
-            if not radius['key']:
-                raise ConfigError(f"Missing RADIUS secret for server { radius['key'] }")
+    if dict_search('authentication.mode', l2tp) in ['local', 'noauth']:
+        if not l2tp['client_ip_pool'] and not l2tp['client_ipv6_pool']:
+            raise ConfigError(
+                "L2TP local auth mode requires local client-ip-pool or client-ipv6-pool to be configured!")
+        if dict_search('client_ip_pool', l2tp) and not dict_search('default_pool', l2tp):
+            Warning("'default-pool' is not defined")
 
-        if l2tp['radius_dynamic_author']:
-            if not l2tp['radius_dynamic_author']['server']:
-                raise ConfigError("Missing ip-address for dae-server")
-            if not l2tp['radius_dynamic_author']['key']:
-                raise ConfigError("Missing secret for dae-server")
-            address = l2tp['radius_dynamic_author']['server']
-            port = l2tp['radius_dynamic_author']['port']
-            proto = 'tcp'
-            # check if dae listen port is not used by another service
-            if check_port_availability(address, int(port), proto) is not True and \
-                not is_listen_port_bind_service(int(port), 'accel-pppd'):
-                raise ConfigError(f'"{proto}" port "{port}" is used by another service')
+    verify_accel_ppp_ip_pool(l2tp)
 
-    # check for the existence of a client ip pool
-    if not (l2tp['client_ip_pool'] or l2tp['client_ip_subnets']):
+    if 'wins_server' in l2tp and len(l2tp['wins_server']) > 2:
         raise ConfigError(
-            "set vpn l2tp remote-access client-ip-pool requires subnet or start/stop IP pool")
-
-    # check ipv6
-    if l2tp['client_ipv6_delegate_prefix'] and not l2tp['client_ipv6_pool']:
-        raise ConfigError('IPv6 prefix delegation requires client-ipv6-pool prefix')
-
-    for prefix in l2tp['client_ipv6_delegate_prefix']:
-        if not prefix['mask']:
-            raise ConfigError('Delegation-prefix required for individual delegated networks')
-
-    if len(l2tp['wins']) > 2:
-        raise ConfigError('Not more then two IPv4 WINS name-servers can be configured')
-
-    if len(l2tp['dnsv4']) > 2:
-        raise ConfigError('Not more then two IPv4 DNS name-servers can be configured')
-
-    if len(l2tp['dnsv6']) > 3:
-        raise ConfigError('Not more then three IPv6 DNS name-servers can be configured')
+            'Not more then two WINS name-servers can be configured')
 
     return None
 
@@ -397,13 +92,9 @@ def generate(l2tp):
 
     render(l2tp_conf, 'accel-ppp/l2tp.config.j2', l2tp)
 
-    if l2tp['auth_mode'] == 'local':
-        render(l2tp_chap_secrets, 'accel-ppp/chap-secrets.j2', l2tp)
-        os.chmod(l2tp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP)
-
-    else:
-        if os.path.exists(l2tp_chap_secrets):
-             os.unlink(l2tp_chap_secrets)
+    if dict_search('authentication.mode', l2tp) == 'local':
+        render(l2tp_chap_secrets, 'accel-ppp/chap-secrets.config_dict.j2',
+               l2tp, permission=0o640)
 
     return None
 
@@ -419,12 +110,14 @@ def apply(l2tp):
 
     call('systemctl restart accel-ppp@l2tp.service')
 
+
 if __name__ == '__main__':
     try:
         c = get_config()
         verify(c)
         generate(c)
         apply(c)
+
     except ConfigError as e:
         print(e)
         exit(1)
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index a039172c4..421ac6997 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -56,12 +56,8 @@ def get_config(config=None):
 
     ocserv = conf.get_config_dict(base, key_mangling=('-', '_'),
                                   get_first_key=True,
-                                  with_recursive_defaults=True)
-
-    if ocserv:
-        ocserv['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                             no_tag_node_value_mangle=True,
-                                             get_first_key=True)
+                                  with_recursive_defaults=True,
+                                  with_pki=True)
 
     return ocserv
 
diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py
index d542f57fe..f769be39f 100755
--- a/src/conf_mode/vpn_pptp.py
+++ b/src/conf_mode/vpn_pptp.py
@@ -15,17 +15,17 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
-import re
-
-from copy import deepcopy
-from stat import S_IRUSR, S_IWUSR, S_IRGRP
 from sys import exit
 
+
 from vyos.config import Config
 from vyos.template import render
-from vyos.utils.system import get_half_cpus
 from vyos.utils.process import call
+from vyos.utils.dict import dict_search
+from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
+from vyos.accel_ppp_util import get_pools_in_order
 from vyos import ConfigError
+from vyos.configdict import get_accel_dict
 
 from vyos import airbag
 airbag.enable()
@@ -33,241 +33,70 @@ airbag.enable()
 pptp_conf = '/run/accel-pppd/pptp.conf'
 pptp_chap_secrets = '/run/accel-pppd/pptp.chap-secrets'
 
-default_pptp = {
-    'auth_mode' : 'local',
-    'local_users' : [],
-    'radius_server' : [],
-    'radius_acct_inter_jitter': '',
-    'radius_acct_interim_interval': None,
-    'radius_acct_tmo' : '30',
-    'radius_max_try' : '3',
-    'radius_timeout' : '30',
-    'radius_nas_id' : '',
-    'radius_nas_ip' : '',
-    'radius_source_address' : '',
-    'radius_shaper_attr' : '',
-    'radius_shaper_enable': False,
-    'radius_shaper_multiplier': '',
-    'radius_shaper_vendor': '',
-    'radius_dynamic_author' : '',
-    'chap_secrets_file': pptp_chap_secrets, # used in Jinja2 template
-    'outside_addr': '',
-    'dnsv4': [],
-    'wins': [],
-    'client_ip_pool': '',
-    'mtu': '1436',
-    'auth_proto' : ['auth_mschap_v2'],
-    'ppp_mppe' : 'prefer',
-    'thread_cnt': get_half_cpus()
-}
 
 def get_config(config=None):
     if config:
         conf = config
     else:
         conf = Config()
-    base_path = ['vpn', 'pptp', 'remote-access']
-    if not conf.exists(base_path):
+    base = ['vpn', 'pptp', 'remote-access']
+    if not conf.exists(base):
         return None
 
-    pptp = deepcopy(default_pptp)
-    conf.set_level(base_path)
-
-    if conf.exists(['name-server']):
-        pptp['dnsv4'] = conf.return_values(['name-server'])
-
-    if conf.exists(['wins-server']):
-        pptp['wins'] = conf.return_values(['wins-server'])
-
-    if conf.exists(['outside-address']):
-        pptp['outside_addr'] = conf.return_value(['outside-address'])
-
-    if conf.exists(['authentication', 'mode']):
-        pptp['auth_mode'] = conf.return_value(['authentication', 'mode'])
-
-    #
-    # local auth
-    if conf.exists(['authentication', 'local-users']):
-        for username in conf.list_nodes(['authentication', 'local-users', 'username']):
-            user = {
-                'name': username,
-                'password' : '',
-                'state' : 'enabled',
-                'ip' : '*',
-            }
-
-            conf.set_level(base_path + ['authentication', 'local-users', 'username', username])
-
-            if conf.exists(['password']):
-                user['password'] = conf.return_value(['password'])
-
-            if conf.exists(['disable']):
-                user['state'] = 'disable'
-
-            if conf.exists(['static-ip']):
-                user['ip'] = conf.return_value(['static-ip'])
-
-            if not conf.exists(['disable']):
-                pptp['local_users'].append(user)
-
-    #
-    # RADIUS auth and settings
-    conf.set_level(base_path + ['authentication', 'radius'])
-    if conf.exists(['server']):
-        for server in conf.list_nodes(['server']):
-            radius = {
-                'server' : server,
-                'key' : '',
-                'fail_time' : 0,
-                'port' : '1812',
-                'acct_port' : '1813'
-            }
-
-            conf.set_level(base_path + ['authentication', 'radius', 'server', server])
-
-            if conf.exists(['disable-accounting']):
-                radius['acct_port'] = '0'
-
-            if conf.exists(['fail-time']):
-                radius['fail_time'] = conf.return_value(['fail-time'])
-
-            if conf.exists(['port']):
-                radius['port'] = conf.return_value(['port'])
-
-            if conf.exists(['acct-port']):
-                radius['acct_port'] = conf.return_value(['acct-port'])
-
-            if conf.exists(['key']):
-                radius['key'] = conf.return_value(['key'])
-
-            if not conf.exists(['disable']):
-                pptp['radius_server'].append(radius)
-
-        #
-        # advanced radius-setting
-        conf.set_level(base_path + ['authentication', 'radius'])
-
-        if conf.exists(['accounting-interim-interval']):
-            pptp['radius_acct_interim_interval'] = conf.return_value(['accounting-interim-interval'])
-
-        if conf.exists(['acct-interim-jitter']):
-            pptp['radius_acct_inter_jitter'] = conf.return_value(['acct-interim-jitter'])
-
-        if conf.exists(['acct-timeout']):
-            pptp['radius_acct_tmo'] = conf.return_value(['acct-timeout'])
-
-        if conf.exists(['max-try']):
-            pptp['radius_max_try'] = conf.return_value(['max-try'])
-
-        if conf.exists(['timeout']):
-            pptp['radius_timeout'] = conf.return_value(['timeout'])
-
-        if conf.exists(['nas-identifier']):
-            pptp['radius_nas_id'] = conf.return_value(['nas-identifier'])
-
-        if conf.exists(['nas-ip-address']):
-            pptp['radius_nas_ip'] = conf.return_value(['nas-ip-address'])
-
-        if conf.exists(['source-address']):
-            pptp['radius_source_address'] = conf.return_value(['source-address'])
-
-        # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA)
-        if conf.exists(['dae-server']):
-            dae = {
-                'port' : '',
-                'server' : '',
-                'key' : ''
-            }
-
-            if conf.exists(['dynamic-author', 'ip-address']):
-                dae['server'] = conf.return_value(['dynamic-author', 'ip-address'])
-
-            if conf.exists(['dynamic-author', 'port']):
-                dae['port'] = conf.return_value(['dynamic-author', 'port'])
-
-            if conf.exists(['dynamic-author', 'key']):
-                dae['key'] = conf.return_value(['dynamic-author', 'key'])
-
-            pptp['radius_dynamic_author'] = dae
-
-        # Rate limit
-        if conf.exists(['rate-limit', 'attribute']):
-            pptp['radius_shaper_attr'] = conf.return_value(['rate-limit', 'attribute'])
-
-        if conf.exists(['rate-limit', 'enable']):
-            pptp['radius_shaper_enable'] = True
-
-        if conf.exists(['rate-limit', 'multiplier']):
-            pptp['radius_shaper_multiplier'] = conf.return_value(['rate-limit', 'multiplier'])
-
-        if conf.exists(['rate-limit', 'vendor']):
-            pptp['radius_shaper_vendor'] = conf.return_value(['rate-limit', 'vendor'])
-
-    conf.set_level(base_path)
-    if conf.exists(['client-ip-pool']):
-        if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']):
-            start = conf.return_value(['client-ip-pool', 'start'])
-            stop  = conf.return_value(['client-ip-pool', 'stop'])
-            pptp['client_ip_pool'] = start + '-' + re.search('[0-9]+$', stop).group(0)
-
-    if conf.exists(['mtu']):
-        pptp['mtu'] = conf.return_value(['mtu'])
-
-    # gateway address
-    if conf.exists(['gateway-address']):
-        pptp['gw_ip'] = conf.return_value(['gateway-address'])
-    else:
-        # calculate gw-ip-address
-        if conf.exists(['client-ip-pool', 'start']):
-            # use start ip as gw-ip-address
-            pptp['gateway_address'] = conf.return_value(['client-ip-pool', 'start'])
-
-    if conf.exists(['authentication', 'require']):
-        # clear default list content, now populate with actual CLI values
-        pptp['auth_proto'] = []
-        auth_mods = {
-            'pap': 'auth_pap',
-            'chap': 'auth_chap_md5',
-            'mschap': 'auth_mschap_v1',
-            'mschap-v2': 'auth_mschap_v2'
-        }
-
-        for proto in conf.return_values(['authentication', 'require']):
-            pptp['auth_proto'].append(auth_mods[proto])
-
-    if conf.exists(['authentication', 'mppe']):
-        pptp['ppp_mppe'] = conf.return_value(['authentication', 'mppe'])
+    # retrieve common dictionary keys
+    pptp = get_accel_dict(conf, base, pptp_chap_secrets)
 
+    if dict_search('client_ip_pool', pptp):
+        # Multiple named pools require ordered values T5099
+        pptp['ordered_named_pools'] = get_pools_in_order(
+            dict_search('client_ip_pool', pptp))
+    pptp['chap_secrets_file'] = pptp_chap_secrets
+    pptp['server_type'] = 'pptp'
     return pptp
 
 
 def verify(pptp):
     if not pptp:
         return None
-
-    if pptp['auth_mode'] == 'local':
-        if not pptp['local_users']:
-            raise ConfigError('PPTP local auth mode requires local users to be configured!')
-
-        for user in pptp['local_users']:
-            username = user['name']
-            if not user['password']:
-                raise ConfigError(f'Password required for local user "{username}"')
-
-    elif pptp['auth_mode'] == 'radius':
-        if len(pptp['radius_server']) == 0:
-            raise ConfigError('RADIUS authentication requires at least one server')
-
-        for radius in pptp['radius_server']:
-            if not radius['key']:
-                server = radius['server']
-                raise ConfigError(f'Missing RADIUS secret key for server "{ server }"')
-
-    if len(pptp['dnsv4']) > 2:
-        raise ConfigError('Not more then two IPv4 DNS name-servers can be configured')
-
-    if len(pptp['wins']) > 2:
-        raise ConfigError('Not more then two IPv4 WINS name-servers can be configured')
+    auth_mode = dict_search('authentication.mode', pptp)
+    if auth_mode == 'local':
+        if not dict_search('authentication.local_users', pptp):
+            raise ConfigError(
+                'PPTP local auth mode requires local users to be configured!')
+
+        for user in dict_search('authentication.local_users.username', pptp):
+            user_config = pptp['authentication']['local_users']['username'][
+                user]
+            if 'password' not in user_config:
+                raise ConfigError(f'Password required for local user "{user}"')
+
+    elif auth_mode == 'radius':
+        if not dict_search('authentication.radius.server', pptp):
+            raise ConfigError(
+                'RADIUS authentication requires at least one server')
+        for server in dict_search('authentication.radius.server', pptp):
+            radius_config = pptp['authentication']['radius']['server'][server]
+            if 'key' not in radius_config:
+                raise ConfigError(
+                    f'Missing RADIUS secret key for server "{server}"')
+
+    if auth_mode == 'local' or auth_mode == 'noauth':
+        if not dict_search('client_ip_pool', pptp):
+            raise ConfigError(
+                'PPTP local auth mode requires local client-ip-pool '
+                'to be configured!')
+
+    verify_accel_ppp_ip_pool(pptp)
+
+    if 'name_server' in pptp:
+        if len(pptp['name_server']) > 2:
+            raise ConfigError(
+                'Not more then two IPv4 DNS name-servers can be configured'
+            )
+
+    if 'wins_server' in pptp and len(pptp['wins_server']) > 2:
+        raise ConfigError(
+            'Not more then two WINS name-servers can be configured')
 
 
 def generate(pptp):
@@ -276,13 +105,11 @@ def generate(pptp):
 
     render(pptp_conf, 'accel-ppp/pptp.config.j2', pptp)
 
-    if pptp['local_users']:
-        render(pptp_chap_secrets, 'accel-ppp/chap-secrets.j2', pptp)
-        os.chmod(pptp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP)
-    else:
-        if os.path.exists(pptp_chap_secrets):
-             os.unlink(pptp_chap_secrets)
+    if dict_search('authentication.mode', pptp) == 'local':
+        render(pptp_chap_secrets, 'accel-ppp/chap-secrets.config_dict.j2',
+               pptp, permission=0o640)
 
+    return None
 
 def apply(pptp):
     if not pptp:
@@ -295,6 +122,7 @@ def apply(pptp):
 
     call('systemctl restart accel-ppp@pptp.service')
 
+
 if __name__ == '__main__':
     try:
         c = get_config()
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index e98d8385b..6bf9307e1 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -21,13 +21,15 @@ from sys import exit
 from vyos.config import Config
 from vyos.configdict import get_accel_dict
 from vyos.configdict import dict_merge
-from vyos.configverify import verify_accel_ppp_base_service
 from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.utils.process import call
 from vyos.utils.network import check_port_availability
 from vyos.utils.dict import dict_search
+from vyos.accel_ppp_util import verify_accel_ppp_base_service
+from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
+from vyos.accel_ppp_util import get_pools_in_order
 from vyos.utils.network import is_listen_port_bind_service
 from vyos.utils.file import write_file
 from vyos import ConfigError
@@ -52,14 +54,15 @@ def get_config(config=None):
         return None
 
     # retrieve common dictionary keys
-    sstp = get_accel_dict(conf, base, sstp_chap_secrets)
-    if sstp:
-        sstp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                           get_first_key=True,
-                                           no_tag_node_value_mangle=True)
+    sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True)
+    if dict_search('client_ip_pool', sstp):
+        # Multiple named pools require ordered values T5099
+        sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp))
 
+    sstp['server_type'] = 'sstp'
     return sstp
 
+
 def verify(sstp):
     if not sstp:
         return None
@@ -75,6 +78,7 @@ def verify(sstp):
     if 'client_ip_pool' not in sstp and 'client_ipv6_pool' not in sstp:
         raise ConfigError('Client IP subnet required')
 
+    verify_accel_ppp_ip_pool(sstp)
     #
     # SSL certificate checks
     #
diff --git a/src/conf_mode/vpp.py b/src/conf_mode/vpp.py
deleted file mode 100755
index 82c2f236e..000000000
--- a/src/conf_mode/vpp.py
+++ /dev/null
@@ -1,207 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2023 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import os
-from psutil import virtual_memory
-
-from pathlib import Path
-from re import search as re_search, MULTILINE as re_M
-
-from vyos.config import Config
-from vyos.configdep import set_dependents, call_dependents
-from vyos.configdict import node_changed
-from vyos.ifconfig import Section
-from vyos.utils.boot import boot_configuration_complete
-from vyos.utils.process import call
-from vyos.utils.process import rc_cmd
-from vyos.utils.system import sysctl_read
-from vyos.utils.system import sysctl_apply
-from vyos.template import render
-
-from vyos import ConfigError
-from vyos import airbag
-from vyos.vpp import VPPControl
-from vyos.vpp import HostControl
-
-airbag.enable()
-
-service_name = 'vpp'
-service_conf = Path(f'/run/vpp/{service_name}.conf')
-systemd_override = '/run/systemd/system/vpp.service.d/10-override.conf'
-
-# Free memory required for VPP
-# 2 GB for hugepages + 1 GB for other services
-MIN_AVAILABLE_MEMORY: int = 3 * 1024**3
-
-
-def _get_pci_address_by_interface(iface) -> str:
-    rc, out = rc_cmd(f'ethtool -i {iface}')
-    # if ethtool command was successful
-    if rc == 0 and out:
-        regex_filter = r'^bus-info: (?P<address>\w+:\w+:\w+\.\w+)$'
-        re_obj = re_search(regex_filter, out, re_M)
-        # if bus-info with PCI address found
-        if re_obj:
-            address = re_obj.groupdict().get('address', '')
-            return address
-    # use VPP - maybe interface already attached to it
-    vpp_control = VPPControl(attempts=20, interval=500)
-    pci_addr = vpp_control.get_pci_addr(iface)
-    if pci_addr:
-        return pci_addr
-    # raise error if PCI address was not found
-    raise ConfigError(f'Cannot find PCI address for interface {iface}')
-
-
-def get_config(config=None):
-    if config:
-        conf = config
-    else:
-        conf = Config()
-
-    base = ['vpp']
-    base_ethernet = ['interfaces', 'ethernet']
-
-    # find interfaces removed from VPP
-    removed_ifaces = []
-    tmp = node_changed(conf, base + ['interface'])
-    if tmp:
-        for removed_iface in tmp:
-            pci_address: str = _get_pci_address_by_interface(removed_iface)
-            removed_ifaces.append({
-                'iface_name': removed_iface,
-                'iface_pci_addr': pci_address
-            })
-            # add an interface to a list of interfaces that need
-            # to be reinitialized after the commit
-            set_dependents('ethernet', conf, removed_iface)
-
-    if not conf.exists(base):
-        return {'removed_ifaces': removed_ifaces}
-
-    config = conf.get_config_dict(base, key_mangling=('-', '_'),
-                                  no_tag_node_value_mangle=True,
-                                  get_first_key=True,
-                                  with_recursive_defaults=True)
-
-    if 'interface' in config:
-        for iface, iface_config in config['interface'].items():
-            # add an interface to a list of interfaces that need
-            # to be reinitialized after the commit
-            set_dependents('ethernet', conf, iface)
-
-            # Get PCI address auto
-            if iface_config['pci'] == 'auto':
-                config['interface'][iface]['pci'] = _get_pci_address_by_interface(iface)
-
-    config['other_interfaces'] = conf.get_config_dict(base_ethernet, key_mangling=('-', '_'),
-                                     get_first_key=True, no_tag_node_value_mangle=True)
-
-    if removed_ifaces:
-        config['removed_ifaces'] = removed_ifaces
-
-    return config
-
-
-def verify(config):
-    # bail out early - looks like removal from running config
-    if not config or (len(config) == 1 and 'removed_ifaces' in config):
-        return None
-
-    if 'interface' not in config:
-        raise ConfigError('"interface" is required but not set!')
-
-    if 'cpu' in config:
-        if 'corelist_workers' in config['cpu'] and 'main_core' not in config[
-                'cpu']:
-            raise ConfigError('"cpu main-core" is required but not set!')
-
-    memory_available: int = virtual_memory().available
-    if memory_available < MIN_AVAILABLE_MEMORY:
-        raise ConfigError(
-            'Not enough free memory to start VPP:\n'
-            f'available: {round(memory_available / 1024**3, 1)}GB\n'
-            f'required: {round(MIN_AVAILABLE_MEMORY / 1024**3, 1)}GB')
-
-
-def generate(config):
-    if not config or (len(config) == 1 and 'removed_ifaces' in config):
-        # Remove old config and return
-        service_conf.unlink(missing_ok=True)
-        return None
-
-    render(service_conf, 'vpp/startup.conf.j2', config)
-    render(systemd_override, 'vpp/override.conf.j2', config)
-
-    # apply default sysctl values from
-    # https://github.com/FDio/vpp/blob/v23.06/src/vpp/conf/80-vpp.conf
-    sysctl_config: dict[str, str] = {
-        'vm.nr_hugepages': '1024',
-        'vm.max_map_count': '3096',
-        'vm.hugetlb_shm_group': '0',
-        'kernel.shmmax': '2147483648'
-    }
-    # we do not want to reduce `kernel.shmmax`
-    kernel_shmnax_current: str = sysctl_read('kernel.shmmax')
-    if int(kernel_shmnax_current) > int(sysctl_config['kernel.shmmax']):
-        sysctl_config['kernel.shmmax'] = kernel_shmnax_current
-
-    if not sysctl_apply(sysctl_config):
-        raise ConfigError('Cannot configure sysctl parameters for VPP')
-
-    return None
-
-
-def apply(config):
-    if not config or (len(config) == 1 and 'removed_ifaces' in config):
-        call(f'systemctl stop {service_name}.service')
-    else:
-        call('systemctl daemon-reload')
-        call(f'systemctl restart {service_name}.service')
-
-    # Initialize interfaces removed from VPP
-    for iface in config.get('removed_ifaces', []):
-        host_control = HostControl()
-        # rescan PCI to use a proper driver
-        host_control.pci_rescan(iface['iface_pci_addr'])
-        # rename to the proper name
-        iface_new_name: str = host_control.get_eth_name(iface['iface_pci_addr'])
-        host_control.rename_iface(iface_new_name, iface['iface_name'])
-
-    if 'interface' in config:
-        # connect to VPP
-        # must be performed multiple attempts because API is not available
-        # immediately after the service restart
-        vpp_control = VPPControl(attempts=20, interval=500)
-        for iface, _ in config['interface'].items():
-            # Create lcp
-            if iface not in Section.interfaces():
-                vpp_control.lcp_pair_add(iface, iface)
-
-    # reinitialize interfaces, but not during the first boot
-    if boot_configuration_complete():
-        call_dependents()
-
-
-if __name__ == '__main__':
-    try:
-        c = get_config()
-        verify(c)
-        generate(c)
-        apply(c)
-    except ConfigError as e:
-        print(e)
-        exit(1)
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
index 37625142c..9b1b6355f 100755
--- a/src/conf_mode/vrf.py
+++ b/src/conf_mode/vrf.py
@@ -214,6 +214,18 @@ def apply(vrf):
             # Delete the VRF Kernel interface
             call(f'ip link delete dev {tmp}')
 
+    # Enable/Disable VRF strict mode
+    # When net.vrf.strict_mode=0 (default) it is possible to associate multiple
+    # VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a
+    # table can be associated to a single VRF device.
+    #
+    # A VRF table can be used by the VyOS CLI only once (ensured by verify()),
+    # this simply adds an additional Kernel safety net
+    strict_mode = '0'
+    # Set to 1 if any VRF is defined
+    if 'name' in vrf: strict_mode = '1'
+    sysctl_write('net.vrf.strict_mode', strict_mode)
+
     if 'name' in vrf:
         # Separate VRFs in conntrack table
         # check if table already exists
diff --git a/src/etc/dhcp/dhclient-enter-hooks.d/99-run-user-hooks b/src/etc/dhcp/dhclient-enter-hooks.d/99-run-user-hooks
index b4b4d516d..570758be6 100644
--- a/src/etc/dhcp/dhclient-enter-hooks.d/99-run-user-hooks
+++ b/src/etc/dhcp/dhclient-enter-hooks.d/99-run-user-hooks
@@ -1,5 +1,5 @@
 #!/bin/bash
 DHCP_PRE_HOOKS="/config/scripts/dhcp-client/pre-hooks.d/"
 if [ -d "${DHCP_PRE_HOOKS}" ] ; then
-    run-parts "${DHCP_PRE_HOOKS}"
+    run_hookdir "${DHCP_PRE_HOOKS}"
 fi
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks b/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks
index 442419d79..910b586f0 100755
--- a/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks
@@ -1,5 +1,5 @@
 #!/bin/bash
 DHCP_POST_HOOKS="/config/scripts/dhcp-client/post-hooks.d/"
 if [ -d "${DHCP_POST_HOOKS}" ] ; then
-    run-parts "${DHCP_POST_HOOKS}"
+    run_hookdir "${DHCP_POST_HOOKS}"
 fi
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
index 9eb6fac48..441b316c2 100755
--- a/src/etc/ipsec.d/vti-up-down
+++ b/src/etc/ipsec.d/vti-up-down
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -13,8 +13,9 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel.
-## Called as vti_up_down vti_intf_name
+
+# Script called up strongswan to bring the VTI interface up/down based on
+# the state of the IPSec tunnel. Called as vti_up_down vti_intf_name
 
 import os
 import sys
@@ -25,9 +26,10 @@ from syslog import LOG_PID
 from syslog import LOG_INFO
 
 from vyos.configquery import ConfigTreeQuery
+from vyos.configdict import get_interface_dict
+from vyos.ifconfig import VTIIf
 from vyos.utils.process import call
 from vyos.utils.network import get_interface_config
-from vyos.utils.network import get_interface_address
 
 if __name__ == '__main__':
     verb = os.getenv('PLUTO_VERB')
@@ -48,14 +50,13 @@ if __name__ == '__main__':
 
     vti_link_up = (vti_link['operstate'] != 'DOWN' if 'operstate' in vti_link else False)
 
-    config = ConfigTreeQuery()
-    vti_dict = config.get_config_dict(['interfaces', 'vti', interface],
-                                      get_first_key=True)
-
     if verb in ['up-client', 'up-host']:
         if not vti_link_up:
-            if 'disable' not in vti_dict:
-                call(f'sudo ip link set {interface} up')
+            conf = ConfigTreeQuery()
+            _, vti = get_interface_dict(conf.config, ['interfaces', 'vti'], interface)
+            if 'disable' not in vti:
+                tmp = VTIIf(interface)
+                tmp.update(vti)
             else:
                 syslog(f'Interface {interface} is admin down ...')
     elif verb in ['down-client', 'down-host']:
diff --git a/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers b/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers
index 222c75f21..5157469f4 100755
--- a/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers
+++ b/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers
@@ -1,5 +1,4 @@
 #!/bin/bash
-### Autogenerated by interfaces-pppoe.py ###
 
 interface=$6
 if [ -z "$interface" ]; then
diff --git a/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers b/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers
index 0fcedbedc..4affaeb5c 100755
--- a/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers
+++ b/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers
@@ -1,5 +1,4 @@
 #!/bin/bash
-### Autogenerated by interfaces-pppoe.py ###
 
 interface=$6
 if [ -z "$interface" ]; then
diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos
index e0fd8cb0b..c099446ba 100644
--- a/src/etc/sudoers.d/vyos
+++ b/src/etc/sudoers.d/vyos
@@ -42,6 +42,7 @@ Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
                            /usr/share/heartbeat/hb_standby
 Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *,       \
                          /bin/ip vrf exec * /bin/traceroute *, \
+                         /bin/ip vrf exec * /usr/bin/mtr *, \
                          /usr/libexec/vyos/op_mode/*
 %operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
 			PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf
index f5d84be4b..6291be5f0 100644
--- a/src/etc/sysctl.d/30-vyos-router.conf
+++ b/src/etc/sysctl.d/30-vyos-router.conf
@@ -21,7 +21,6 @@ net.ipv4.conf.all.arp_filter=0
 
 # https://vyos.dev/T300
 net.ipv4.conf.all.arp_ignore=0
-
 net.ipv4.conf.all.arp_announce=2
 
 # Enable packet forwarding for IPv4
@@ -98,15 +97,14 @@ net.ipv6.route.skip_notify_on_dev_down=1
 # Default value of 20 seems to interfere with larger OSPF and VRRP setups
 net.ipv4.igmp_max_memberships = 512
 
-# Increase default garbage collection thresholds
-net.ipv4.neigh.default.gc_thresh1 = 1024
-net.ipv4.neigh.default.gc_thresh2 = 4096
-net.ipv4.neigh.default.gc_thresh3 = 8192
-#
-net.ipv6.neigh.default.gc_thresh1 = 1024
-net.ipv6.neigh.default.gc_thresh2 = 4096
-net.ipv6.neigh.default.gc_thresh3 = 8192
-
 # Enable global RFS (Receive Flow Steering) configuration. RFS is inactive
 # until explicitly configured at the interface level
 net.core.rps_sock_flow_entries = 32768
+
+# Congestion control
+net.core.default_qdisc=fq_codel
+net.ipv4.tcp_congestion_control=bbr
+
+# Disable IPv6 Segment Routing packets by default
+net.ipv6.conf.all.seg6_enabled = 0
+net.ipv6.conf.default.seg6_enabled = 0
diff --git a/src/etc/systemd/system/avahi-daemon.service.d/override.conf b/src/etc/systemd/system/avahi-daemon.service.d/override.conf
deleted file mode 100644
index a9d2085f7..000000000
--- a/src/etc/systemd/system/avahi-daemon.service.d/override.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-After=
-After=vyos-router.service
-ConditionPathExists=/run/avahi-daemon/avahi-daemon.conf
-
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/avahi-daemon --syslog --file /run/avahi-daemon/avahi-daemon.conf
\ No newline at end of file
diff --git a/src/etc/systemd/system/certbot.service.d/10-override.conf b/src/etc/systemd/system/certbot.service.d/10-override.conf
new file mode 100644
index 000000000..542f77eb2
--- /dev/null
+++ b/src/etc/systemd/system/certbot.service.d/10-override.conf
@@ -0,0 +1,7 @@
+[Unit]
+After=
+After=vyos-router.service
+
+[Service]
+ExecStart=
+ExecStart=/usr/bin/certbot renew --config-dir /config/auth/letsencrypt --no-random-sleep-on-renew --post-hook "/usr/libexec/vyos/vyos-certbot-renew-pki.sh"
diff --git a/src/etc/systemd/system/frr.service.d/override.conf b/src/etc/systemd/system/frr.service.d/override.conf
index 094f83551..614b4f7ed 100644
--- a/src/etc/systemd/system/frr.service.d/override.conf
+++ b/src/etc/systemd/system/frr.service.d/override.conf
@@ -1,3 +1,6 @@
+[Unit]
+After=vyos-router.service
+
 [Service]
 LimitNOFILE=4096
 ExecStartPre=/bin/bash -c 'mkdir -p /run/frr/config; \
diff --git a/src/etc/systemd/system/nginx.service.d/10-override.conf b/src/etc/systemd/system/nginx.service.d/10-override.conf
new file mode 100644
index 000000000..1be5cec81
--- /dev/null
+++ b/src/etc/systemd/system/nginx.service.d/10-override.conf
@@ -0,0 +1,3 @@
+[Unit]
+After=
+After=vyos-router.service
diff --git a/src/etc/udev/rules.d/99-vyos-systemd.rules b/src/etc/udev/rules.d/99-vyos-systemd.rules
new file mode 100644
index 000000000..54aea668c
--- /dev/null
+++ b/src/etc/udev/rules.d/99-vyos-systemd.rules
@@ -0,0 +1,79 @@
+# The main reason that we store this file is systemd-udevd interfaces excludes
+# /lib/systemd/systemd-sysctl for dynamic interfaces (ppp|ipoe|l2tp etc)
+
+ACTION=="remove", GOTO="systemd_end"
+
+SUBSYSTEM=="tty", KERNEL=="tty[a-zA-Z]*|hvc*|xvc*|hvsi*|ttysclp*|sclp_line*|3270/tty[0-9]*", TAG+="systemd"
+KERNEL=="vport*", TAG+="systemd"
+
+SUBSYSTEM=="ptp", TAG+="systemd"
+
+SUBSYSTEM=="ubi", TAG+="systemd"
+
+SUBSYSTEM=="block", TAG+="systemd"
+
+# We can't make any conclusions about suspended DM devices so let's just import previous SYSTEMD_READY state and skip other rules
+SUBSYSTEM=="block", ENV{DM_SUSPENDED}=="1", IMPORT{db}="SYSTEMD_READY", GOTO="systemd_end"
+SUBSYSTEM=="block", ACTION=="add", ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="1", ENV{SYSTEMD_READY}="0"
+
+# Ignore encrypted devices with no identified superblock on it, since
+# we are probably still calling mke2fs or mkswap on it.
+SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0"
+
+# Explicitly set SYSTEMD_READY=1 for DM devices that don't have it set yet, so that we always have something to import above
+SUBSYSTEM=="block", ENV{DM_UUID}=="?*", ENV{SYSTEMD_READY}=="", ENV{SYSTEMD_READY}="1"
+
+# add symlink to GPT root disk
+SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}!="crypto_LUKS", SYMLINK+="gpt-auto-root"
+SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}=="crypto_LUKS", SYMLINK+="gpt-auto-root-luks"
+SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{DM_NAME}=="root", SYMLINK+="gpt-auto-root"
+
+# Ignore raid devices that are not yet assembled and started
+SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", KERNEL=="md*", TEST!="md/array_state", ENV{SYSTEMD_READY}="0"
+SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", KERNEL=="md*", ATTR{md/array_state}=="|clear|inactive", ENV{SYSTEMD_READY}="0"
+
+# Ignore loop devices that don't have any file attached
+SUBSYSTEM=="block", KERNEL=="loop[0-9]*", ENV{DEVTYPE}=="disk", TEST!="loop/backing_file", ENV{SYSTEMD_READY}="0"
+
+# Ignore nbd devices until the PID file exists (which signals a connected device)
+SUBSYSTEM=="block", KERNEL=="nbd*", ENV{DEVTYPE}=="disk", TEST!="pid", ENV{SYSTEMD_READY}="0"
+
+# We need a hardware independent way to identify network devices. We
+# use the /sys/subsystem/ path for this. Kernel "bus" and "class" names
+# should be treated as one namespace, like udev handles it. This is mostly
+# just an identification string for systemd, so whether the path actually is
+# accessible or not does not matter as long as it is unique and in the
+# filesystem namespace.
+
+SUBSYSTEM=="net", KERNEL!="lo", TAG+="systemd", ENV{SYSTEMD_ALIAS}+="/sys/subsystem/net/devices/$name"
+SUBSYSTEM=="bluetooth", TAG+="systemd", ENV{SYSTEMD_ALIAS}+="/sys/subsystem/bluetooth/devices/%k", \
+  ENV{SYSTEMD_WANTS}+="bluetooth.target", ENV{SYSTEMD_USER_WANTS}+="bluetooth.target"
+
+ENV{ID_SMARTCARD_READER}=="?*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="smartcard.target", ENV{SYSTEMD_USER_WANTS}+="smartcard.target"
+SUBSYSTEM=="sound", KERNEL=="controlC*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="sound.target", ENV{SYSTEMD_USER_WANTS}+="sound.target"
+
+SUBSYSTEM=="printer", TAG+="systemd", ENV{SYSTEMD_WANTS}+="printer.target", ENV{SYSTEMD_USER_WANTS}+="printer.target"
+SUBSYSTEM=="usb", KERNEL=="lp*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="printer.target", ENV{SYSTEMD_USER_WANTS}+="printer.target"
+SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_USB_INTERFACES}=="*:0701??:*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="printer.target", ENV{SYSTEMD_USER_WANTS}+="printer.target"
+
+SUBSYSTEM=="udc", ACTION=="add", TAG+="systemd", ENV{SYSTEMD_WANTS}+="usb-gadget.target"
+
+# Apply sysctl variables to network devices (and only to those) as they appear. 
+# T5706. Exclude: lo, dummy*, ppp*, ipoe*, l2tp*, pptp*, sslvpn* and sstp*.
+ACTION=="add", SUBSYSTEM=="net", KERNEL!="lo|dummy*|ppp*|ipoe*|l2tp*|pptp*|sslvpn*|sstp*", RUN+="/lib/systemd/systemd-sysctl --prefix=/net/ipv4/conf/$name --prefix=/net/ipv4/neigh/$name --prefix=/net/ipv6/conf/$name --prefix=/net/ipv6/neigh/$name"
+
+# Pull in backlight save/restore for all backlight devices and
+# keyboard backlights
+SUBSYSTEM=="backlight", TAG+="systemd", IMPORT{builtin}="path_id", ENV{SYSTEMD_WANTS}+="systemd-backlight@backlight:$name.service"
+SUBSYSTEM=="leds", KERNEL=="*kbd_backlight", TAG+="systemd", IMPORT{builtin}="path_id", ENV{SYSTEMD_WANTS}+="systemd-backlight@leds:$name.service"
+
+# Pull in rfkill save/restore for all rfkill devices
+SUBSYSTEM=="rfkill", ENV{SYSTEMD_RFKILL}="1"
+SUBSYSTEM=="rfkill", IMPORT{builtin}="path_id"
+SUBSYSTEM=="misc", KERNEL=="rfkill", TAG+="systemd", ENV{SYSTEMD_WANTS}+="systemd-rfkill.socket"
+
+# Asynchronously mount file systems implemented by these modules as soon as they are loaded.
+SUBSYSTEM=="module", KERNEL=="fuse", TAG+="systemd", ENV{SYSTEMD_WANTS}+="sys-fs-fuse-connections.mount"
+SUBSYSTEM=="module", KERNEL=="configfs", TAG+="systemd", ENV{SYSTEMD_WANTS}+="sys-kernel-config.mount"
+
+LABEL="systemd_end"
diff --git a/src/helpers/config_dependency.py b/src/helpers/config_dependency.py
new file mode 100755
index 000000000..50c72956e
--- /dev/null
+++ b/src/helpers/config_dependency.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import os
+import sys
+from argparse import ArgumentParser
+from argparse import ArgumentTypeError
+
+try:
+    from vyos.configdep import check_dependency_graph
+    from vyos.defaults import directories
+except ImportError:
+    # allow running during addon package build
+    _here = os.path.dirname(__file__)
+    sys.path.append(os.path.join(_here, '../../python/vyos'))
+    from configdep import check_dependency_graph
+    from defaults import directories
+
+# addon packages will need to specify the dependency directory
+dependency_dir = os.path.join(directories['data'],
+                              'config-mode-dependencies')
+
+def path_exists(s):
+    if not os.path.exists(s):
+        raise ArgumentTypeError("Must specify a valid vyos-1x dependency directory")
+    return s
+
+def main():
+    parser = ArgumentParser(description='generate and save dict from xml defintions')
+    parser.add_argument('--dependency-dir', type=path_exists,
+                        default=dependency_dir,
+                        help='location of vyos-1x dependency directory')
+    parser.add_argument('--supplement', type=str,
+                        help='supplemental dependency file')
+    args = vars(parser.parse_args())
+
+    if not check_dependency_graph(**args):
+        sys.exit(1)
+
+    sys.exit(0)
+
+if __name__ == '__main__':
+    main()
diff --git a/src/validators/ipv6-duid b/src/helpers/read-saved-value.py
index fd4728e50..1463e9ffe 100755
--- a/src/validators/ipv6-duid
+++ b/src/helpers/read-saved-value.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -13,15 +13,18 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#
 
-import re
-import sys
-
-pattern = "^([0-9A-Fa-f]{2}:){,127}([0-9A-Fa-f]{2})$"
+from argparse import ArgumentParser
+from vyos.utils.config import read_saved_value
 
 if __name__ == '__main__':
-    if len(sys.argv) != 2:
-        sys.exit(1)
-    if not re.match(pattern, sys.argv[1]):
-        sys.exit(1)
-    sys.exit(0)
+    parser = ArgumentParser()
+    parser.add_argument('--path', nargs='*')
+    args = parser.parse_args()
+
+    out = read_saved_value(args.path) if args.path else ''
+    if isinstance(out, list):
+        out = ' '.join(out)
+    print(out)
diff --git a/src/helpers/simple-download.py b/src/helpers/simple-download.py
new file mode 100755
index 000000000..501af75f5
--- /dev/null
+++ b/src/helpers/simple-download.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+
+import sys
+from argparse import ArgumentParser
+from vyos.remote import download
+
+parser = ArgumentParser()
+parser.add_argument('--local-file', help='local file', required=True)
+parser.add_argument('--remote-path', help='remote path', required=True)
+
+args = parser.parse_args()
+
+try:
+    download(args.local_file, args.remote_path,
+             check_space=True, raise_error=True)
+except Exception as e:
+    print(e)
+    sys.exit(1)
+
+sys.exit()
diff --git a/src/helpers/strip-private.py b/src/helpers/strip-private.py
index eb584edaf..cb29069cf 100755
--- a/src/helpers/strip-private.py
+++ b/src/helpers/strip-private.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 
-# Copyright 2021-2022 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2021-2023 VyOS maintainers and contributors <maintainers@vyos.io>
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -21,7 +21,6 @@ import sys
 
 from netaddr import IPNetwork, AddrFormatError
 
-
 parser = argparse.ArgumentParser(description='strip off private information from VyOS config')
 
 strictness = parser.add_mutually_exclusive_group()
@@ -119,6 +118,7 @@ if __name__ == "__main__":
         (True, re.compile(r'(shared-secret-key-file|ca-cert-file|cert-file|dh-file|key-file|client) (\S+)'), r'\1 xxxxxx'),
         # Strip IPSEC secrets
         (True, re.compile(r'pre-shared-secret \S+'), 'pre-shared-secret xxxxxx'),
+        (True, re.compile(r'secret \S+'), 'secret xxxxxx'),
         # Strip OSPF md5-key
         (True, re.compile(r'md5-key \S+'), 'md5-key xxxxxx'),
         # Strip WireGuard private-key
diff --git a/src/helpers/vyos-boot-config-loader.py b/src/helpers/vyos-boot-config-loader.py
index 01b06526d..42de696ce 100755
--- a/src/helpers/vyos-boot-config-loader.py
+++ b/src/helpers/vyos-boot-config-loader.py
@@ -102,7 +102,8 @@ def failsafe(config_file_name):
                                       'authentication',
                                       'encrypted-password'])
 
-    cmd(f"useradd -s /bin/bash -G 'users,sudo' -m -N -p '{passwd}' vyos")
+    cmd(f"useradd --create-home --no-user-group --shell /bin/vbash --password '{passwd}' "\
+        "--groups frr,frrvty,vyattacfg,sudo,adm,dip,disk vyos")
 
 if __name__ == '__main__':
     if len(sys.argv) < 2:
diff --git a/src/helpers/vyos-certbot-renew-pki.sh b/src/helpers/vyos-certbot-renew-pki.sh
new file mode 100755
index 000000000..d0b663f7b
--- /dev/null
+++ b/src/helpers/vyos-certbot-renew-pki.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+source /opt/vyatta/etc/functions/script-template
+/usr/libexec/vyos/conf_mode/pki.py certbot_renew
diff --git a/src/helpers/vyos-load-config.py b/src/helpers/vyos-load-config.py
index e579e81b2..4ec865454 100755
--- a/src/helpers/vyos-load-config.py
+++ b/src/helpers/vyos-load-config.py
@@ -66,7 +66,7 @@ def get_local_config(filename):
 
     return config_str
 
-if any(x in file_name for x in protocols):
+if any(file_name.startswith(f'{x}://') for x in protocols):
     config_string = vyos.remote.get_remote_config(file_name)
     if not config_string:
         sys.exit(f"No such config file at '{file_name}'")
diff --git a/src/helpers/vyos-save-config.py b/src/helpers/vyos-save-config.py
index 2812155e8..518bd9864 100755
--- a/src/helpers/vyos-save-config.py
+++ b/src/helpers/vyos-save-config.py
@@ -19,6 +19,7 @@ import os
 import re
 import sys
 from tempfile import NamedTemporaryFile
+from argparse import ArgumentParser
 
 from vyos.config import Config
 from vyos.remote import urlc
@@ -28,8 +29,15 @@ from vyos.defaults import directories
 DEFAULT_CONFIG_PATH = os.path.join(directories['config'], 'config.boot')
 remote_save = None
 
-if len(sys.argv) > 1:
-    save_file = sys.argv[1]
+parser = ArgumentParser(description='Save configuration')
+parser.add_argument('file', type=str, nargs='?', help='Save configuration to file')
+parser.add_argument('--write-json-file', type=str, help='Save JSON of configuration to file')
+args = parser.parse_args()
+file = args.file
+json_file = args.write_json_file
+
+if file is not None:
+    save_file = file
 else:
     save_file = DEFAULT_CONFIG_PATH
 
@@ -44,10 +52,20 @@ ct = config.get_config_tree(effective=True)
 
 write_file = save_file if remote_save is None else NamedTemporaryFile(delete=False).name
 with open(write_file, 'w') as f:
-    f.write(ct.to_string())
+    # config_tree is None before boot configuration is complete;
+    # automated saves should check boot_configuration_complete
+    if ct is not None:
+        f.write(ct.to_string())
     f.write("\n")
     f.write(system_footer())
 
+if json_file is not None and ct is not None:
+    try:
+        with open(json_file, 'w') as f:
+            f.write(ct.to_json())
+    except OSError as e:
+        print(f'failed to write JSON file: {e}')
+
 if remote_save is not None:
     try:
         remote_save.upload(write_file)
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 96f163213..ff95be994 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -105,6 +105,9 @@ load_bootfile ()
 restore_if_missing_preconfig_script ()
 {
     if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script ]; then
+        mkdir -p ${vyatta_sysconfdir}/config/scripts
+        chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts
+        chmod 775 ${vyatta_sysconfdir}/config/scripts
         cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/
         chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script
         chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script
@@ -123,6 +126,9 @@ run_preconfig_script ()
 restore_if_missing_postconfig_script ()
 {
     if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script ]; then
+        mkdir -p ${vyatta_sysconfdir}/config/scripts
+        chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts
+        chmod 775 ${vyatta_sysconfdir}/config/scripts
         cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/
         chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script
         chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script
@@ -228,11 +234,34 @@ cleanup_post_commit_hooks () {
 # system defaults.
 security_reset ()
 {
+
+    # restore NSS cofniguration back to sane system defaults
+    # will be overwritten later when configuration is loaded
+    cat <<EOF >/etc/nsswitch.conf
+passwd:         files
+group:          files
+shadow:         files
+gshadow:        files
+
+# Per T2678, commenting out myhostname
+hosts:          files dns #myhostname
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis
+EOF
+
     # restore PAM back to virgin state (no radius/tacacs services)
-    pam-auth-update --package --remove radius
+    pam-auth-update --disable radius-mandatory radius-optional
     rm -f /etc/pam_radius_auth.conf
-    pam-auth-update --package --remove tacplus
+    pam-auth-update --disable tacplus-mandatory tacplus-optional
     rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
+    # and no Google authenticator for 2FA/MFA
+    pam-auth-update --disable mfa-google-authenticator
 
     # Certain configuration files are re-generated by the configuration
     # subsystem and must reside under /etc and can not easily be moved to /run.
@@ -337,17 +366,14 @@ start ()
     nfct helper add tns inet tcp
     nft -f /usr/share/vyos/vyos-firewall-init.conf || log_failure_msg "could not initiate firewall rules"
 
-    rm -f /etc/hostname
-    ${vyos_conf_scripts_dir}/host_name.py || log_failure_msg "could not reset host-name"
-    systemctl start frr.service
-
     # As VyOS does not execute commands that are not present in the CLI we call
     # the script by hand to have a single source for the login banner and MOTD
     ${vyos_conf_scripts_dir}/system_console.py || log_failure_msg "could not reset serial console"
-    ${vyos_conf_scripts_dir}/system-login.py || log_failure_msg "could not reset system login"
-    ${vyos_conf_scripts_dir}/system-login-banner.py || log_failure_msg "could not reset motd and issue files"
-    ${vyos_conf_scripts_dir}/system-option.py || log_failure_msg "could not reset system option files"
-    ${vyos_conf_scripts_dir}/conntrack.py || log_failure_msg "could not reset conntrack subsystem"
+    ${vyos_conf_scripts_dir}/system_login_banner.py || log_failure_msg "could not reset motd and issue files"
+    ${vyos_conf_scripts_dir}/system_option.py || log_failure_msg "could not reset system option files"
+    ${vyos_conf_scripts_dir}/system_ip.py || log_failure_msg "could not reset system IPv4 options"
+    ${vyos_conf_scripts_dir}/system_ipv6.py || log_failure_msg "could not reset system IPv6 options"
+    ${vyos_conf_scripts_dir}/system_conntrack.py || log_failure_msg "could not reset conntrack subsystem"
     ${vyos_conf_scripts_dir}/container.py || log_failure_msg "could not reset container subsystem"
 
     clear_or_override_config_files || log_failure_msg "could not reset config files"
@@ -373,6 +399,16 @@ start ()
       && chgrp ${GROUP} ${vyatta_configdir}
     log_action_end_msg $?
 
+    # T5239: early read of system hostname as this value is read-only once during
+    # FRR initialisation
+    tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "system host-name")
+    hostnamectl set-hostname --static "$tmp"
+
+    ${vyos_conf_scripts_dir}/system_frr.py || log_failure_msg "could not reset FRR config"
+    # If for any reason FRR was not started by system_frr.py - start it anyways.
+    # This is a safety net!
+    systemctl start frr.service
+
     disabled bootfile || init_bootfile
 
     cleanup_post_commit_hooks
diff --git a/src/migration-scripts/cluster/1-to-2 b/src/migration-scripts/cluster/1-to-2
new file mode 100755
index 000000000..a2e589155
--- /dev/null
+++ b/src/migration-scripts/cluster/1-to-2
@@ -0,0 +1,193 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import re
+import sys
+
+from vyos.configtree import ConfigTree
+
+if __name__ == '__main__':
+    if len(sys.argv) < 2:
+        print("Must specify file name!")
+        sys.exit(1)
+
+    file_name = sys.argv[1]
+
+    with open(file_name, 'r') as f:
+        config_file = f.read()
+
+    config = ConfigTree(config_file)
+
+    if not config.exists(['cluster']):
+        # Cluster is not set -- nothing to do at all
+        sys.exit(0)
+
+    # If at least one cluster group is defined, we have real work to do.
+    # If there are no groups, we remove the top-level cluster node at the end of this script anyway.
+    if config.exists(['cluster', 'group']):
+        # First, gather timer and interface settings to duplicate them in all groups,
+        # since in the old cluster they are global, but in VRRP they are always per-group
+
+        global_interface = None
+        if config.exists(['cluster', 'interface']):
+            global_interface = config.return_value(['cluster', 'interface'])
+        else:
+            # Such configs shouldn't exist in practice because interface is a required option.
+            # But since it's possible to specify interface inside 'service' options,
+            # we may be able to convert such configs nonetheless.
+            print("Warning: incorrect cluster config: interface is not defined.", file=sys.stderr)
+
+        # There are three timers: advertise-interval, dead-interval, and monitor-dead-interval
+        # Only the first one makes sense for the VRRP, we translate it to advertise-interval
+        advertise_interval = None
+        if config.exists(['cluster', 'keepalive-interval']):
+            advertise_interval = config.return_value(['cluster', 'keepalive-interval'])
+
+        if advertise_interval is not None:
+            # Cluster had all timers in milliseconds, so we need to convert them to seconds
+            # And ensure they are not shorter than one second
+            advertise_interval = int(advertise_interval) // 1000
+            if advertise_interval < 1:
+                advertise_interval = 1
+
+        # Cluster had password as a global option, in VRRP it's per-group
+        password = None
+        if config.exists(['cluster', 'pre-shared-secret']):
+            password = config.return_value(['cluster', 'pre-shared-secret'])
+
+        # Set up the stage for converting cluster groups to VRRP groups
+        free_vrids = set(range(1,255))
+        vrrp_base_path = ['high-availability', 'vrrp', 'group']
+        if not config.exists(vrrp_base_path):
+            # If VRRP is not set up, create a node and set it to 'tag node'
+            # Setting it to 'tag' is not mandatory but it's better to be consistent
+            # with configs produced by 'save'
+            config.set(vrrp_base_path)
+            config.set_tag(vrrp_base_path)
+        else:
+            # If there are VRRP groups already, we need to find the set of unused VRID numbers to avoid conflicts
+            existing_vrids = set()
+            for vg in config.list_nodes(vrrp_base_path):
+                existing_vrids.add(int(config.return_value(vrrp_base_path + [vg, 'vrid'])))
+            free_vrids = free_vrids.difference(existing_vrids)
+
+        # Now handle cluster groups
+        groups = config.list_nodes(['cluster', 'group'])
+        for g in groups:
+            base_path = ['cluster', 'group', g]
+            service_names = config.return_values(base_path + ['service'])
+
+            # Cluster used to allow services other than IP addresses, at least nominally
+            # Whether that ever worked is a big question, but we need to consider that,
+            # since configs with custom services are definitely impossible to meaningfully migrate now
+            services = {"ip": [], "other": []}
+            for s in service_names:
+                if re.match(r'^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/\d{1,2})(/[a-z]+\d+)?$', s):
+                    services["ip"].append(s)
+                else:
+                    services["other"].append(s)
+
+            if services["other"]:
+                print("Cluster config includes non-IP address services and cannot be migrated", file=sys.stderr)
+                sys.exit(1)
+
+            # Cluster allowed virtual IPs for different interfaces within a single group.
+            # VRRP groups are by definition bound to interfaces, so we cannot migrate such configurations.
+            # Thus we need to find out if all addresses either leave the interface unspecified
+            # (in that case the global 'cluster interface' option is used),
+            # or have the same interface, or have the same interface as the global 'cluster interface'.
+
+            # First, we collect all addresses and check if they have interface specified
+            # If not, we substitute the global interface option
+            # or throw an error if it's not in the config.
+            ips = []
+            for ip in services["ip"]:
+                ip_with_intf = re.match(r'^(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})/(?P<intf>[a-z]+\d+)$', ip)
+                if ip_with_intf:
+                    ips.append({"ip": ip_with_intf.group("ip"), "interface": ip_with_intf.group("intf")})
+                else:
+                    if global_interface is not None:
+                        ips.append({"ip": ip, "interface": global_interface})
+                    else:
+                        print("Error: cluster has groups with IPs without interfaces and 'cluster interface' is not specified.", file=sys.stderr)
+                        sys.exit(1)
+
+            # Then we check if all addresses are for the same interface.
+            intfs_set = set(map(lambda i: i["interface"], ips))
+            if len(intfs_set) > 1:
+                print("Error: cluster group has addresses for different interfaces", file=sys.stderr)
+                sys.exit(1)
+
+            # If we got this far, the group is migratable.
+
+            # Extract the interface from the set -- we know there's only a single member.
+            interface = intfs_set.pop()
+
+            addresses = list(map(lambda i: i["ip"], ips))
+            vrrp_path = ['high-availability', 'vrrp', 'group', g]
+
+            # If there's already a VRRP group with exactly the same name,
+            # we probably shouldn't try to make up a unique name, just leave migration to the user...
+            if config.exists(vrrp_path):
+                print("Error: VRRP group with the same name as a cluster group already exists", file=sys.stderr)
+                sys.exit(1)
+
+            config.set(vrrp_path + ['interface'], value=interface)
+            for a in addresses:
+                config.set(vrrp_path + ['virtual-address'], value=a, replace=False)
+
+            # Take the next free VRID and assign it to the group
+            vrid = free_vrids.pop()
+            config.set(vrrp_path + ['vrid'], value=vrid)
+
+            # Convert the monitor option to VRRP ping health check
+            if config.exists(base_path + ['monitor']):
+                monitor_ip = config.return_value(base_path + ['monitor'])
+                config.set(vrrp_path + ['health-check', 'ping'], value=monitor_ip)
+
+            # Convert "auto-failback" to "no-preempt", if necessary
+            if config.exists(base_path + ['auto-failback']):
+                # It's a boolean node that requires "true" or "false"
+                # so if it exists we still need to check its value
+                auto_failback = config.return_value(base_path + ['auto-failback'])
+                if auto_failback == "false":
+                    config.set(vrrp_path + ['no-preempt'])
+                else:
+                    # It's "true" or we assume it is, which means preemption is desired,
+                    # and in VRRP config it's the default
+                    pass
+            else:
+                # The old default for that option is false
+                config.set(vrrp_path + ['no-preempt'])
+
+            # Inject settings from the global cluster config that have to be per-group in VRRP
+            if advertise_interval is not None:
+                config.set(vrrp_path + ['advertise-interval'], value=advertise_interval)
+
+            if password is not None:
+                config.set(vrrp_path + ['authentication', 'password'], value=password)
+                config.set(vrrp_path + ['authentication', 'type'], value='plaintext-password')
+
+    # Finally, clean up the old cluster node
+    config.delete(['cluster'])
+
+    try:
+        with open(file_name, 'w') as f:
+            f.write(config.to_string())
+    except OSError as e:
+        print("Failed to save the modified config: {}".format(e))
+        sys.exit(1)
diff --git a/src/migration-scripts/dns-dynamic/0-to-1 b/src/migration-scripts/dns-dynamic/0-to-1
index d80e8d44a..b7674a9c8 100755
--- a/src/migration-scripts/dns-dynamic/0-to-1
+++ b/src/migration-scripts/dns-dynamic/0-to-1
@@ -25,8 +25,10 @@
 #        to "service dns dynamic address <address> service <config> username ..."
 # - apply global 'ipv6-enable' to per <config> 'ip-version: ipv6'
 # - apply service protocol mapping upfront, they are not 'auto-detected' anymore
+# - migrate web-options url to stricter format
 
 import sys
+import re
 from vyos.configtree import ConfigTree
 
 service_protocol_mapping = {
@@ -81,20 +83,42 @@ for address in config.list_nodes(new_base_path):
                 config.rename(new_base_path + [address, 'service', svc_cfg, 'login'], 'username')
             # Apply global 'ipv6-enable' to per <config> 'ip-version: ipv6'
             if config.exists(new_base_path + [address, 'ipv6-enable']):
-                config.set(new_base_path + [address, 'service', svc_cfg, 'ip-version'],
-                           value='ipv6', replace=False)
+                config.set(new_base_path + [address, 'service', svc_cfg, 'ip-version'], 'ipv6')
                 config.delete(new_base_path + [address, 'ipv6-enable'])
             # Apply service protocol mapping upfront, they are not 'auto-detected' anymore
             if svc_cfg in service_protocol_mapping:
                 config.set(new_base_path + [address, 'service', svc_cfg, 'protocol'],
-                           value=service_protocol_mapping.get(svc_cfg), replace=False)
+                           service_protocol_mapping.get(svc_cfg))
 
-    # Migrate "service dns dynamic interface <interface> use-web"
-    #      to "service dns dynamic address <address> web-options"
-    # Also, rename <address> to 'web' literal for backward compatibility
+    # If use-web is set, then:
+    #   Move "service dns dynamic address <address> <service|rfc2136> <service> ..."
+    #     to "service dns dynamic address web <service|rfc2136> <service>-<address> ..."
+    #   Move "service dns dynamic address web use-web ..."
+    #     to "service dns dynamic address web web-options ..."
+    # Note: The config is named <service>-<address> to avoid name conflict with old entries
     if config.exists(new_base_path + [address, 'use-web']):
-        config.rename(new_base_path + [address], 'web')
-        config.rename(new_base_path + ['web', 'use-web'], 'web-options')
+        for svc_type in ['rfc2136', 'service']:
+            if config.exists(new_base_path + [address, svc_type]):
+                config.set(new_base_path + ['web', svc_type])
+                config.set_tag(new_base_path + ['web', svc_type])
+                for svc_cfg in config.list_nodes(new_base_path + [address, svc_type]):
+                    config.copy(new_base_path + [address, svc_type, svc_cfg],
+                                new_base_path + ['web', svc_type, f'{svc_cfg}-{address}'])
+
+        # Multiple web-options were not supported, so copy only the first one
+        # Also, migrate web-options url to stricter format and transition
+        # checkip.dyndns.org to https://domains.google.com/checkip for better
+        # TLS support (see: https://github.com/ddclient/ddclient/issues/597)
+        if not config.exists(new_base_path + ['web', 'web-options']):
+            config.copy(new_base_path + [address, 'use-web'], new_base_path + ['web', 'web-options'])
+            if config.exists(new_base_path + ['web', 'web-options', 'url']):
+                url = config.return_value(new_base_path + ['web', 'web-options', 'url'])
+                if re.search("^(https?://)?checkip\.dyndns\.org", url):
+                    config.set(new_base_path + ['web', 'web-options', 'url'], 'https://domains.google.com/checkip')
+                if not url.startswith(('http://', 'https://')):
+                    config.set(new_base_path + ['web', 'web-options', 'url'], f'https://{url}')
+
+        config.delete(new_base_path + [address])
 
 try:
     with open(file_name, 'w') as f:
diff --git a/src/migration-scripts/dns-dynamic/1-to-2 b/src/migration-scripts/dns-dynamic/1-to-2
new file mode 100755
index 000000000..8b599b57a
--- /dev/null
+++ b/src/migration-scripts/dns-dynamic/1-to-2
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5708:
+# - migrate "service dns dynamic timeout ..."
+#        to "service dns dynamic interval ..."
+# - remove "service dns dynamic address <interface> web-options ..." when <interface> != "web"
+# - migrate "service dns dynamic address <interface> service <service> protocol dnsexit"
+#        to "service dns dynamic address <interface> service <service> protocol dnsexit2"
+
+import sys
+from vyos.configtree import ConfigTree
+
+if len(sys.argv) < 2:
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+base_path = ['service', 'dns', 'dynamic']
+timeout_path = base_path + ['timeout']
+address_path = base_path + ['address']
+
+if not config.exists(base_path):
+    # Nothing to do
+    sys.exit(0)
+
+# Migrate "service dns dynamic timeout ..."
+#      to "service dns dynamic interval ..."
+if config.exists(timeout_path):
+    config.rename(timeout_path, 'interval')
+
+# Remove "service dns dynamic address <interface> web-options ..." when <interface> != "web"
+for address in config.list_nodes(address_path):
+    if config.exists(address_path + [address, 'web-options']) and address != 'web':
+        config.delete(address_path + [address, 'web-options'])
+
+# Migrate "service dns dynamic address <interface> service <service> protocol dnsexit"
+#      to "service dns dynamic address <interface> service <service> protocol dnsexit2"
+for address in config.list_nodes(address_path):
+    for svc_cfg in config.list_nodes(address_path + [address, 'service']):
+        if config.exists(address_path + [address, 'service', svc_cfg, 'protocol']):
+            protocol = config.return_value(address_path + [address, 'service', svc_cfg, 'protocol'])
+            if protocol == 'dnsexit':
+                config.set(address_path + [address, 'service', svc_cfg, 'protocol'], 'dnsexit2')
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    sys.exit(1)
diff --git a/src/migration-scripts/dns-dynamic/2-to-3 b/src/migration-scripts/dns-dynamic/2-to-3
new file mode 100755
index 000000000..4e0aa37d5
--- /dev/null
+++ b/src/migration-scripts/dns-dynamic/2-to-3
@@ -0,0 +1,119 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5791:
+# - migrate "service dns dynamic address web web-options ..."
+#        to "service dns dynamic name <service> address web ..." (per service)
+# - migrate "service dns dynamic address <address> rfc2136 <service> ..."
+#        to "service dns dynamic name <service> address <interface> protocol 'nsupdate'"
+# - migrate "service dns dynamic address <interface> service <service> ..."
+#        to "service dns dynamic name <service> address <interface> ..."
+# - normalize the all service names to conform with name constraints
+
+import sys
+import re
+from unicodedata import normalize
+from vyos.configtree import ConfigTree
+
+def normalize_name(name):
+    """Normalize service names to conform with name constraints.
+
+    This is necessary as part of migration because there were no constraints in
+    the old name format.
+    """
+    # Normalize unicode characters to ASCII (NFKD)
+    # Replace all separators with hypens, strip leading and trailing hyphens
+    name = normalize('NFKD', name).encode('ascii', 'ignore').decode()
+    name = re.sub(r'(\s|_|\W)+', '-', name).strip('-')
+
+    return name
+
+
+if len(sys.argv) < 2:
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+base_path = ['service', 'dns', 'dynamic']
+address_path = base_path + ['address']
+name_path = base_path + ['name']
+
+if not config.exists(address_path):
+    # Nothing to do
+    sys.exit(0)
+
+# config.copy does not recursively create a path, so initialize the name path as tagged node
+if not config.exists(name_path):
+    config.set(name_path)
+    config.set_tag(name_path)
+
+for address in config.list_nodes(address_path):
+
+    address_path_tag = address_path + [address]
+
+    # Move web-option as a configuration in each service instead of top level web-option
+    if config.exists(address_path_tag + ['web-options']) and address == 'web':
+        for svc_type in ['service', 'rfc2136']:
+            if config.exists(address_path_tag + [svc_type]):
+                for svc_cfg in config.list_nodes(address_path_tag + [svc_type]):
+                    config.copy(address_path_tag + ['web-options'],
+                                address_path_tag + [svc_type, svc_cfg, 'web-options'])
+        config.delete(address_path_tag + ['web-options'])
+
+    for svc_type in ['service', 'rfc2136']:
+        if config.exists(address_path_tag + [svc_type]):
+            # Set protocol to 'nsupdate' for RFC2136 configuration
+            if svc_type == 'rfc2136':
+                for rfc_cfg in config.list_nodes(address_path_tag + ['rfc2136']):
+                    config.set(address_path_tag + ['rfc2136', rfc_cfg, 'protocol'], 'nsupdate')
+
+            # Add address as config value in each service before moving the service path
+            # And then copy the services from 'address <interface> service <service>'
+            #                              to 'name (service|rfc2136)-<service>-<address>'
+            # Note: The new service is named (service|rfc2136)-<service>-<address>
+            #       to avoid name conflict with old entries
+            for svc_cfg in config.list_nodes(address_path_tag + [svc_type]):
+                config.set(address_path_tag + [svc_type, svc_cfg, 'address'], address)
+                config.copy(address_path_tag + [svc_type, svc_cfg],
+                            name_path + ['-'.join([svc_type, svc_cfg, address])])
+
+# Finally cleanup the old address path
+config.delete(address_path)
+
+# Normalize the all service names to conform with name constraints
+index = 1
+for name in config.list_nodes(name_path):
+    new_name = normalize_name(name)
+    if new_name != name:
+        # Append index if there is still a name conflicts after normalization
+        # For example, "foo-?(" and "foo-!)" both normalize to "foo-"
+        if config.exists(name_path + [new_name]):
+            new_name = f'{new_name}-{index}'
+            index += 1
+        config.rename(name_path + [name], new_name)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    sys.exit(1)
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11
index 716c5a240..e14ea0e51 100755
--- a/src/migration-scripts/firewall/10-to-11
+++ b/src/migration-scripts/firewall/10-to-11
@@ -63,19 +63,11 @@ if not config.exists(base):
 
 ### Migration of state policies
 if config.exists(base + ['state-policy']):
-    for family in ['ipv4', 'ipv6']:
-        for hook in ['forward', 'input', 'output']:
-            for priority in ['filter']:
-                # Add default-action== accept for compatibility reasons:
-                config.set(base + [family, hook, priority, 'default-action'], value='accept')
-                position = 1
-                for state in config.list_nodes(base + ['state-policy']):
-                    action = config.return_value(base + ['state-policy', state, 'action'])
-                    config.set(base + [family, hook, priority, 'rule'])
-                    config.set_tag(base + [family, hook, priority, 'rule'])
-                    config.set(base + [family, hook, priority, 'rule', position, 'state', state], value='enable')
-                    config.set(base + [family, hook, priority, 'rule', position, 'action'], value=action)
-                    position = position + 1
+    for state in config.list_nodes(base + ['state-policy']):
+        action = config.return_value(base + ['state-policy', state, 'action'])
+        config.set(base + ['global-options', 'state-policy', state, 'action'], value=action)
+        if config.exists(base + ['state-policy', state, 'log']):
+            config.set(base + ['global-options', 'state-policy', state, 'log'], value='enable')
     config.delete(base + ['state-policy'])
 
 ## migration of global options:
@@ -181,191 +173,6 @@ if config.exists(base + ['interface']):
 
     config.delete(base + ['interface'])
 
-
-### Migration of zones:
-### User interface groups 
-if config.exists(base + ['zone']):
-    inp_ipv4_rule = 101
-    inp_ipv6_rule = 101
-    fwd_ipv4_rule = 101
-    fwd_ipv6_rule = 101
-    out_ipv4_rule = 101
-    out_ipv6_rule = 101
-    local_zone = 'False'
-
-    for zone in config.list_nodes(base + ['zone']):
-        if config.exists(base + ['zone', zone, 'local-zone']):
-            local_zone = 'True'
-            # Add default-action== accept for compatibility reasons:
-            config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept')
-            config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept')
-            config.set(base + ['ipv4', 'output', 'filter', 'default-action'], value='accept')
-            config.set(base + ['ipv6', 'output', 'filter', 'default-action'], value='accept')
-            for from_zone in config.list_nodes(base + ['zone', zone, 'from']):
-                group_name = 'IG_' + from_zone
-                if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']):
-                    # ipv4 input ruleset
-                    target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name'])
-                    config.set(base + ['ipv4', 'input', 'filter', 'rule'])
-                    config.set_tag(base + ['ipv4', 'input', 'filter', 'rule'])
-                    config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
-                    config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump')
-                    config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
-                    inp_ipv4_rule = inp_ipv4_rule + 5
-                if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']):
-                    # ipv6 input ruleset
-                    target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name'])
-                    config.set(base + ['ipv6', 'input', 'filter', 'rule'])
-                    config.set_tag(base + ['ipv6', 'input', 'filter', 'rule'])
-                    config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name)
-                    config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value='jump')
-                    config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
-                    inp_ipv6_rule = inp_ipv6_rule + 5
-
-            # Migrate: set firewall zone <zone> default-action <action>
-            # Options: drop or reject. If not specified, is drop
-            if config.exists(base + ['zone', zone, 'default-action']):
-                local_def_action = config.return_value(base + ['zone', zone, 'default-action'])
-            else:
-                local_def_action = 'drop'
-            config.set(base + ['ipv4', 'input', 'filter', 'rule'])
-            config.set_tag(base + ['ipv4', 'input', 'filter', 'rule'])
-            config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action)
-            config.set(base + ['ipv6', 'input', 'filter', 'rule'])
-            config.set_tag(base + ['ipv6', 'input', 'filter', 'rule'])
-            config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value=local_def_action)
-            if config.exists(base + ['zone', zone, 'enable-default-log']):
-                config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable')
-                config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'log'], value='enable')
-
-        else:
-        # It's not a local zone
-            group_name = 'IG_' + zone
-            # Add default-action== accept for compatibility reasons:
-            config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
-            config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
-            # intra-filtering migration. By default accept
-            intra_zone_ipv4_action = 'accept'
-            intra_zone_ipv6_action = 'accept'
-            
-            if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'action']):
-                intra_zone_ipv4_action = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'action'])
-                intra_zone_ipv6_action = intra_zone_ipv4_action
-            else:
-                if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']):
-                    intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name'])
-                    intra_zone_ipv4_action = 'jump'
-                if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']):
-                    intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name'])
-                    intra_zone_ipv6_action = 'jump'
-            config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
-            config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
-            config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
-            config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
-            config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action)
-            config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
-            config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
-            config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
-            config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name)
-            config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=intra_zone_ipv6_action)
-            if intra_zone_ipv4_action == 'jump':
-                if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']):
-                    intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name'])
-                    config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target)
-            if intra_zone_ipv6_action == 'jump':
-                if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']):
-                    intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name'])
-                    config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=intra_zone_ipv6_target)
-            fwd_ipv4_rule = fwd_ipv4_rule + 5
-            fwd_ipv6_rule = fwd_ipv6_rule + 5
-
-            if config.exists(base + ['zone', zone, 'interface']):
-                # Create interface group IG_<zone>
-                group_name = 'IG_' + zone
-                config.set(base + ['group', 'interface-group'], value=group_name)
-                config.set_tag(base + ['group', 'interface-group'])
-                for iface in config.return_values(base + ['zone', zone, 'interface']):
-                    config.set(base + ['group', 'interface-group', group_name, 'interface'], value=iface, replace=False)
-
-            if config.exists(base + ['zone', zone, 'from']):
-                for from_zone in config.list_nodes(base + ['zone', zone, 'from']):
-                    from_group = 'IG_' + from_zone
-                    if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']):
-                        target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name'])
-                        if config.exists(base + ['zone', from_zone, 'local-zone']):
-                            # It's from LOCAL zone -> Output filtering 
-                            config.set(base + ['ipv4', 'output', 'filter', 'rule'])
-                            config.set_tag(base + ['ipv4', 'output', 'filter', 'rule'])
-                            config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
-                            config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump')
-                            config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
-                            out_ipv4_rule = out_ipv4_rule + 5
-                        else:
-                            # It's not LOCAL zone -> forward filtering
-                            config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
-                            config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
-                            config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
-                            config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group)
-                            config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump')
-                            config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
-                            fwd_ipv4_rule = fwd_ipv4_rule + 5
-                    if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']):
-                        target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name'])
-                        if config.exists(base + ['zone', from_zone, 'local-zone']):
-                            # It's from LOCAL zone -> Output filtering
-                            config.set(base + ['ipv6', 'output', 'filter', 'rule'])
-                            config.set_tag(base + ['ipv6', 'output', 'filter', 'rule'])
-                            config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
-                            config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value='jump')
-                            config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
-                            out_ipv6_rule = out_ipv6_rule + 5
-                        else:
-                            # It's not LOCAL zone -> forward filtering
-                            config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
-                            config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
-                            config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
-                            config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=from_group)
-                            config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value='jump')
-                            config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
-                            fwd_ipv6_rule = fwd_ipv6_rule + 5
-
-            ## Now need to migrate: set firewall zone <zone> default-action <action>    # action=drop if not specified.
-            if config.exists(base + ['zone', zone, 'default-action']):
-                def_action = config.return_value(base + ['zone', zone, 'default-action'])
-            else:
-                def_action = 'drop'
-            config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
-            config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
-            config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
-            config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action)
-            description = 'zone_' + zone + ' default-action'
-            config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description)
-            config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
-            config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
-            config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
-            config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=def_action)
-            config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'description'], value=description)
-
-            if config.exists(base + ['zone', zone, 'enable-default-log']):
-                config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable')
-                config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'log'], value='enable')
-            fwd_ipv4_rule = fwd_ipv4_rule + 5
-            fwd_ipv6_rule = fwd_ipv6_rule + 5
-
-    # Migrate default-action (force to be drop in output chain) if local zone is defined
-    if local_zone == 'True':
-        # General drop in output change if needed
-        config.set(base + ['ipv4', 'output', 'filter', 'rule'])
-        config.set_tag(base + ['ipv4', 'output', 'filter', 'rule'])
-        config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action)
-        config.set(base + ['ipv6', 'output', 'filter', 'rule'])
-        config.set_tag(base + ['ipv6', 'output', 'filter', 'rule'])
-        config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value=local_def_action)
-
-    config.delete(base + ['zone'])
-
-###### END migration zones
-
 try:
     with open(file_name, 'w') as f:
         f.write(config.to_string())
diff --git a/src/migration-scripts/firewall/11-to-12 b/src/migration-scripts/firewall/11-to-12
new file mode 100755
index 000000000..ba8374d66
--- /dev/null
+++ b/src/migration-scripts/firewall/11-to-12
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5681: Firewall re-writing. Simplify cli when mathcing interface
+# From
+    # set firewall ... rule <rule> [inbound-interface | outboubd-interface] interface-name <iface>
+    # set firewall ... rule <rule> [inbound-interface | outboubd-interface] interface-group <iface_group>
+# To
+    # set firewall ... rule <rule> [inbound-interface | outboubd-interface] name <iface>
+    # set firewall ... rule <rule> [inbound-interface | outboubd-interface] group <iface_group>
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['firewall']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+## Migration from base chains
+#if config.exists(base + ['interface', iface, direction]):
+for family in ['ipv4', 'ipv6']:
+    if config.exists(base + [family]):
+        for hook in ['forward', 'input', 'output', 'name']:
+            if config.exists(base + [family, hook]):
+                for priority in config.list_nodes(base + [family, hook]):
+                    if config.exists(base + [family, hook, priority, 'rule']):
+                        for rule in config.list_nodes(base + [family, hook, priority, 'rule']):
+                            for direction in ['inbound-interface', 'outbound-interface']:
+                                if config.exists(base + [family, hook, priority, 'rule', rule, direction]):
+                                    if config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']):
+                                        iface = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-name'])
+                                        config.set(base + [family, hook, priority, 'rule', rule, direction, 'name'], value=iface)
+                                        config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-name'])
+                                    elif config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']):
+                                        group = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-group'])
+                                        config.set(base + [family, hook, priority, 'rule', rule, direction, 'group'], value=group)
+                                        config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-group'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
\ No newline at end of file
diff --git a/src/migration-scripts/firewall/12-to-13 b/src/migration-scripts/firewall/12-to-13
new file mode 100755
index 000000000..8396dd9d1
--- /dev/null
+++ b/src/migration-scripts/firewall/12-to-13
@@ -0,0 +1,92 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5729: Switch to valueless whenever is possible.
+# From
+    # set firewall ... rule <rule> log enable
+    # set firewall ... rule <rule> state <state> enable
+    # set firewall ... rule <rule> log disable
+    # set firewall ... rule <rule> state <state> disable
+# To
+    # set firewall ... rule <rule> log
+    # set firewall ... rule <rule> state <state>
+    # Remove command if log=disable or <state>=disable
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['firewall']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+# State Policy logs:
+if config.exists(base + ['global-options', 'state-policy']):
+    for state in config.list_nodes(base + ['global-options', 'state-policy']):
+        if config.exists(base + ['global-options', 'state-policy', state, 'log']):
+            log_value = config.return_value(base + ['global-options', 'state-policy', state, 'log'])
+            config.delete(base + ['global-options', 'state-policy', state, 'log'])
+            if log_value == 'enable':
+                config.set(base + ['global-options', 'state-policy', state, 'log'])
+
+for family in ['ipv4', 'ipv6', 'bridge']:
+    if config.exists(base + [family]):
+        for hook in ['forward', 'input', 'output', 'name']:
+            if config.exists(base + [family, hook]):
+                for priority in config.list_nodes(base + [family, hook]):
+                    if config.exists(base + [family, hook, priority, 'rule']):
+                        for rule in config.list_nodes(base + [family, hook, priority, 'rule']):
+                            # Log
+                            if config.exists(base + [family, hook, priority, 'rule', rule, 'log']):
+                                log_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'log'])
+                                config.delete(base + [family, hook, priority, 'rule', rule, 'log'])
+                                if log_value == 'enable':
+                                    config.set(base + [family, hook, priority, 'rule', rule, 'log'])
+                            # State
+                            if config.exists(base + [family, hook, priority, 'rule', rule, 'state']):
+                                flag_enable = 'False'
+                                for state in ['established', 'invalid', 'new', 'related']:
+                                    if config.exists(base + [family, hook, priority, 'rule', rule, 'state', state]):
+                                        state_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'state', state])
+                                        config.delete(base + [family, hook, priority, 'rule', rule, 'state', state])
+                                        if state_value == 'enable':
+                                            config.set(base + [family, hook, priority, 'rule', rule, 'state'], value=state, replace=False)
+                                            flag_enable = 'True'
+                                if flag_enable == 'False':
+                                    config.delete(base + [family, hook, priority, 'rule', rule, 'state'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
\ No newline at end of file
diff --git a/src/migration-scripts/firewall/13-to-14 b/src/migration-scripts/firewall/13-to-14
new file mode 100755
index 000000000..f45ff0674
--- /dev/null
+++ b/src/migration-scripts/firewall/13-to-14
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5834: Rename 'enable-default-log' to 'default-log'
+# From
+    # set firewall ... filter enable-default-log
+    # set firewall ... name <name> enable-default-log
+# To
+    # set firewall ... filter default-log
+    # set firewall ... name <name> default-log
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['firewall']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+for family in ['ipv4', 'ipv6', 'bridge']:
+    if config.exists(base + [family]):
+        for hook in ['forward', 'input', 'output', 'name']:
+            if config.exists(base + [family, hook]):
+                for priority in config.list_nodes(base + [family, hook]):
+                    if config.exists(base + [family, hook, priority, 'enable-default-log']):
+                        config.rename(base + [family, hook, priority, 'enable-default-log'], 'default-log')
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7
index 9ad887acc..b918833e9 100755
--- a/src/migration-scripts/firewall/6-to-7
+++ b/src/migration-scripts/firewall/6-to-7
@@ -73,6 +73,7 @@ icmp_translations = {
     #  Time Exceeded
     'ttl-zero-during-transit': [11, 0],
     'ttl-zero-during-reassembly': [11, 1],
+    'ttl-exceeded': 'time-exceeded',
     # Parameter Problem
     'ip-header-bad': [12, 0],
     'required-option-missing': [12, 1]
@@ -87,8 +88,14 @@ icmpv6_translations = {
     'communication-prohibited': [1, 1],
     'address-unreachble': [1, 3],
     'port-unreachable': [1, 4],
-    # Redirect
+    # nd
     'redirect': 'nd-redirect',
+    'router-solicitation': 'nd-router-solicit',
+    'router-advertisement': 'nd-router-advert',
+    'neighbour-solicitation': 'nd-neighbor-solicit',
+    'neighbor-solicitation': 'nd-neighbor-solicit',
+    'neighbour-advertisement': 'nd-neighbor-advert',
+    'neighbor-advertisement': 'nd-neighbor-advert',
     #  Time Exceeded
     'ttl-zero-during-transit': [3, 0],
     'ttl-zero-during-reassembly': [3, 1],
diff --git a/src/migration-scripts/https/1-to-2 b/src/migration-scripts/https/1-to-2
index b1cf37ea6..1a2cdc1e7 100755
--- a/src/migration-scripts/https/1-to-2
+++ b/src/migration-scripts/https/1-to-2
@@ -15,7 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # * Move 'api virtual-host' list to 'api-restrict virtual-host' so it
-#   is owned by https.py instead of http-api.py
+#   is owned by service_https.py
 
 import sys
 
diff --git a/src/migration-scripts/https/4-to-5 b/src/migration-scripts/https/4-to-5
new file mode 100755
index 000000000..0dfb6ac19
--- /dev/null
+++ b/src/migration-scripts/https/4-to-5
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5762: http: api: smoketests fail as they can not establish IPv6 connection
+#        to uvicorn backend server, always make the UNIX domain socket the
+#        default way of communication
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if len(sys.argv) < 2:
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+base = ['service', 'https']
+if not config.exists(base):
+    # Nothing to do
+    sys.exit(0)
+
+# Delete "socket" CLI option - we always use UNIX domain sockets for
+# NGINX <-> API server communication
+if config.exists(base + ['api', 'socket']):
+    config.delete(base + ['api', 'socket'])
+
+# There is no need for an API service port, as UNIX domain sockets
+# are used
+if config.exists(base + ['api', 'port']):
+    config.delete(base + ['api', 'port'])
+
+# rename listen-port -> port ver virtual-host
+if config.exists(base + ['virtual-host']):
+    for vhost in config.list_nodes(base + ['virtual-host']):
+        if config.exists(base + ['virtual-host', vhost, 'listen-port']):
+            config.rename(base + ['virtual-host', vhost, 'listen-port'], 'port')
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    sys.exit(1)
diff --git a/src/migration-scripts/https/5-to-6 b/src/migration-scripts/https/5-to-6
new file mode 100755
index 000000000..6d6efd32c
--- /dev/null
+++ b/src/migration-scripts/https/5-to-6
@@ -0,0 +1,109 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5886: Add support for ACME protocol (LetsEncrypt), migrate https certbot
+#        to new "pki certificate" CLI tree
+# T5902: Remove virtual-host
+
+import os
+import sys
+
+from vyos.configtree import ConfigTree
+from vyos.defaults import directories
+from vyos.utils.process import cmd
+
+vyos_certbot_dir = directories['certbot']
+
+if len(sys.argv) < 2:
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+base = ['service', 'https']
+if not config.exists(base):
+    # Nothing to do
+    sys.exit(0)
+
+if config.exists(base + ['certificates']):
+    # both domain-name and email must be set on CLI - ensured by previous verify()
+    domain_names = config.return_values(base + ['certificates', 'certbot', 'domain-name'])
+    email = config.return_value(base + ['certificates', 'certbot', 'email'])
+    config.delete(base + ['certificates'])
+
+    # Set default certname based on domain-name
+    cert_name = 'https-' + domain_names[0].split('.')[0]
+    # Overwrite certname from previous certbot calls if available
+    # We can not use python code like os.scandir due to filesystem permissions.
+    # This must be run as root
+    certbot_live = f'{vyos_certbot_dir}/live/' # we need the trailing /
+    if os.path.exists(certbot_live):
+        tmp = cmd(f'sudo find {certbot_live} -maxdepth 1 -type d')
+        tmp = tmp.split() # tmp = ['/config/auth/letsencrypt/live', '/config/auth/letsencrypt/live/router.vyos.net']
+        tmp.remove(certbot_live)
+        cert_name = tmp[0].replace(certbot_live, '')
+
+    config.set(['pki', 'certificate', cert_name, 'acme', 'email'], value=email)
+    config.set_tag(['pki', 'certificate'])
+    for domain in domain_names:
+        config.set(['pki', 'certificate', cert_name, 'acme', 'domain-name'], value=domain, replace=False)
+
+    # Update Webserver certificate
+    config.set(base + ['certificates', 'certificate'], value=cert_name)
+
+if config.exists(base + ['virtual-host']):
+    allow_client = []
+    listen_port = []
+    listen_address = []
+    for virtual_host in config.list_nodes(base + ['virtual-host']):
+        allow_path = base + ['virtual-host', virtual_host, 'allow-client', 'address']
+        if config.exists(allow_path):
+            tmp = config.return_values(allow_path)
+            allow_client.extend(tmp)
+
+        port_path = base + ['virtual-host', virtual_host, 'listen-port']
+        if config.exists(port_path):
+            tmp = config.return_value(port_path)
+            listen_port.append(tmp)
+
+        listen_address_path = base + ['virtual-host', virtual_host, 'listen-address']
+        if config.exists(listen_address_path):
+            tmp = config.return_value(listen_address_path)
+            listen_address.append(tmp)
+
+    config.delete(base + ['virtual-host'])
+    for client in allow_client:
+        config.set(base + ['allow-client', 'address'], value=client, replace=False)
+
+    #  clear listen-address if "all" were specified
+    if '*' in listen_address:
+        listen_address = []
+    for address in listen_address:
+        config.set(base + ['listen-address'], value=address, replace=False)
+
+
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    sys.exit(1)
diff --git a/src/migration-scripts/interfaces/22-to-23 b/src/migration-scripts/interfaces/22-to-23
index 8b21fce51..04e023e77 100755
--- a/src/migration-scripts/interfaces/22-to-23
+++ b/src/migration-scripts/interfaces/22-to-23
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -13,133 +13,45 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-from sys import argv
-from sys import exit
+#
+# Deletes Wireguard peers if they have the same public key as the router has.
+import sys
 from vyos.configtree import ConfigTree
-
-def migrate_ospf(config, path, interface):
-    path = path + ['ospf']
-    if config.exists(path):
-        new_base = ['protocols', 'ospf', 'interface']
-        config.set(new_base)
-        config.set_tag(new_base)
-        config.copy(path, new_base + [interface])
-        config.delete(path)
-
-        # if "ip ospf" was the only setting, we can clean out the empty
-        # ip node afterwards
-        if len(config.list_nodes(path[:-1])) == 0:
-            config.delete(path[:-1])
-
-def migrate_ospfv3(config, path, interface):
-    path = path + ['ospfv3']
-    if config.exists(path):
-        new_base = ['protocols', 'ospfv3', 'interface']
-        config.set(new_base)
-        config.set_tag(new_base)
-        config.copy(path, new_base + [interface])
-        config.delete(path)
-
-        # if "ipv6 ospfv3" was the only setting, we can clean out the empty
-        # ip node afterwards
-        if len(config.list_nodes(path[:-1])) == 0:
-            config.delete(path[:-1])
-
-def migrate_rip(config, path, interface):
-    path = path + ['rip']
-    if config.exists(path):
-        new_base = ['protocols', 'rip', 'interface']
-        config.set(new_base)
-        config.set_tag(new_base)
-        config.copy(path, new_base + [interface])
-        config.delete(path)
-
-        # if "ip rip" was the only setting, we can clean out the empty
-        # ip node afterwards
-        if len(config.list_nodes(path[:-1])) == 0:
-            config.delete(path[:-1])
-
-def migrate_ripng(config, path, interface):
-    path = path + ['ripng']
-    if config.exists(path):
-        new_base = ['protocols', 'ripng', 'interface']
-        config.set(new_base)
-        config.set_tag(new_base)
-        config.copy(path, new_base + [interface])
-        config.delete(path)
-
-        # if "ipv6 ripng" was the only setting, we can clean out the empty
-        # ip node afterwards
-        if len(config.list_nodes(path[:-1])) == 0:
-            config.delete(path[:-1])
+from vyos.utils.network import is_wireguard_key_pair
 
 if __name__ == '__main__':
-    if len(argv) < 2:
+    if len(sys.argv) < 2:
         print("Must specify file name!")
-        exit(1)
+        sys.exit(1)
+
+    file_name = sys.argv[1]
 
-    file_name = argv[1]
     with open(file_name, 'r') as f:
         config_file = f.read()
 
     config = ConfigTree(config_file)
-
-    #
-    # Migrate "interface ethernet eth0 ip ospf" to "protocols ospf interface eth0"
-    #
-    for type in config.list_nodes(['interfaces']):
-        for interface in config.list_nodes(['interfaces', type]):
-            ip_base = ['interfaces', type, interface, 'ip']
-            ipv6_base = ['interfaces', type, interface, 'ipv6']
-            migrate_rip(config, ip_base, interface)
-            migrate_ripng(config, ipv6_base, interface)
-            migrate_ospf(config, ip_base, interface)
-            migrate_ospfv3(config, ipv6_base, interface)
-
-            vif_path = ['interfaces', type, interface, 'vif']
-            if config.exists(vif_path):
-                for vif in config.list_nodes(vif_path):
-                    vif_ip_base = vif_path + [vif, 'ip']
-                    vif_ipv6_base = vif_path + [vif, 'ipv6']
-                    ifname = f'{interface}.{vif}'
-
-                    migrate_rip(config, vif_ip_base, ifname)
-                    migrate_ripng(config, vif_ipv6_base, ifname)
-                    migrate_ospf(config, vif_ip_base, ifname)
-                    migrate_ospfv3(config, vif_ipv6_base, ifname)
-
-
-            vif_s_path = ['interfaces', type, interface, 'vif-s']
-            if config.exists(vif_s_path):
-                for vif_s in config.list_nodes(vif_s_path):
-                    vif_s_ip_base = vif_s_path + [vif_s, 'ip']
-                    vif_s_ipv6_base = vif_s_path + [vif_s, 'ipv6']
-
-                    # vif-c interfaces MUST be migrated before their parent vif-s
-                    # interface as the migrate_*() functions delete the path!
-                    vif_c_path = ['interfaces', type, interface, 'vif-s', vif_s, 'vif-c']
-                    if config.exists(vif_c_path):
-                        for vif_c in config.list_nodes(vif_c_path):
-                            vif_c_ip_base = vif_c_path + [vif_c, 'ip']
-                            vif_c_ipv6_base = vif_c_path + [vif_c, 'ipv6']
-                            ifname = f'{interface}.{vif_s}.{vif_c}'
-
-                            migrate_rip(config, vif_c_ip_base, ifname)
-                            migrate_ripng(config, vif_c_ipv6_base, ifname)
-                            migrate_ospf(config, vif_c_ip_base, ifname)
-                            migrate_ospfv3(config, vif_c_ipv6_base, ifname)
-
-
-                    ifname = f'{interface}.{vif_s}'
-                    migrate_rip(config, vif_s_ip_base, ifname)
-                    migrate_ripng(config, vif_s_ipv6_base, ifname)
-                    migrate_ospf(config, vif_s_ip_base, ifname)
-                    migrate_ospfv3(config, vif_s_ipv6_base, ifname)
+    base = ['interfaces', 'wireguard']
+    if not config.exists(base):
+        # Nothing to do
+        sys.exit(0)
+    for interface in config.list_nodes(base):
+        if not config.exists(base + [interface, 'private-key']):
+            continue
+        private_key = config.return_value(base + [interface, 'private-key'])
+        interface_base = base + [interface]
+        if config.exists(interface_base + ['peer']):
+            for peer in config.list_nodes(interface_base + ['peer']):
+                peer_base = interface_base + ['peer', peer]
+                if not config.exists(peer_base + ['public-key']):
+                    continue
+                peer_public_key = config.return_value(peer_base + ['public-key'])
+                if not config.exists(peer_base + ['disable']) \
+                        and is_wireguard_key_pair(private_key, peer_public_key):
+                    config.set(peer_base + ['disable'])
 
     try:
         with open(file_name, 'w') as f:
             f.write(config.to_string())
     except OSError as e:
         print("Failed to save the modified config: {}".format(e))
-        exit(1)
+        sys.exit(1)
diff --git a/src/migration-scripts/interfaces/23-to-24 b/src/migration-scripts/interfaces/23-to-24
index 8fd79ecc6..8b21fce51 100755
--- a/src/migration-scripts/interfaces/23-to-24
+++ b/src/migration-scripts/interfaces/23-to-24
@@ -14,47 +14,132 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# A VTI interface also requires an IPSec configuration - VyOS 1.2 supported
-# having a VTI interface in the CLI but no IPSec configuration - drop VTI
-# configuration if this is the case for VyOS 1.4
-
-import sys
+from sys import argv
+from sys import exit
 from vyos.configtree import ConfigTree
 
+def migrate_ospf(config, path, interface):
+    path = path + ['ospf']
+    if config.exists(path):
+        new_base = ['protocols', 'ospf', 'interface']
+        config.set(new_base)
+        config.set_tag(new_base)
+        config.copy(path, new_base + [interface])
+        config.delete(path)
+
+        # if "ip ospf" was the only setting, we can clean out the empty
+        # ip node afterwards
+        if len(config.list_nodes(path[:-1])) == 0:
+            config.delete(path[:-1])
+
+def migrate_ospfv3(config, path, interface):
+    path = path + ['ospfv3']
+    if config.exists(path):
+        new_base = ['protocols', 'ospfv3', 'interface']
+        config.set(new_base)
+        config.set_tag(new_base)
+        config.copy(path, new_base + [interface])
+        config.delete(path)
+
+        # if "ipv6 ospfv3" was the only setting, we can clean out the empty
+        # ip node afterwards
+        if len(config.list_nodes(path[:-1])) == 0:
+            config.delete(path[:-1])
+
+def migrate_rip(config, path, interface):
+    path = path + ['rip']
+    if config.exists(path):
+        new_base = ['protocols', 'rip', 'interface']
+        config.set(new_base)
+        config.set_tag(new_base)
+        config.copy(path, new_base + [interface])
+        config.delete(path)
+
+        # if "ip rip" was the only setting, we can clean out the empty
+        # ip node afterwards
+        if len(config.list_nodes(path[:-1])) == 0:
+            config.delete(path[:-1])
+
+def migrate_ripng(config, path, interface):
+    path = path + ['ripng']
+    if config.exists(path):
+        new_base = ['protocols', 'ripng', 'interface']
+        config.set(new_base)
+        config.set_tag(new_base)
+        config.copy(path, new_base + [interface])
+        config.delete(path)
+
+        # if "ipv6 ripng" was the only setting, we can clean out the empty
+        # ip node afterwards
+        if len(config.list_nodes(path[:-1])) == 0:
+            config.delete(path[:-1])
+
 if __name__ == '__main__':
-    if len(sys.argv) < 2:
+    if len(argv) < 2:
         print("Must specify file name!")
-        sys.exit(1)
-
-    file_name = sys.argv[1]
+        exit(1)
 
+    file_name = argv[1]
     with open(file_name, 'r') as f:
         config_file = f.read()
 
     config = ConfigTree(config_file)
-    base = ['interfaces', 'vti']
-    if not config.exists(base):
-        # Nothing to do
-        sys.exit(0)
-
-    ipsec_base = ['vpn', 'ipsec', 'site-to-site', 'peer']
-    for interface in config.list_nodes(base):
-        found = False
-        if config.exists(ipsec_base):
-            for peer in config.list_nodes(ipsec_base):
-                if config.exists(ipsec_base + [peer, 'vti', 'bind']):
-                    tmp = config.return_value(ipsec_base + [peer, 'vti', 'bind'])
-                    if tmp == interface:
-                        # Interface was found and we no longer need to search
-                        # for it in our IPSec peers
-                        found = True
-                        break
-        if not found:
-            config.delete(base + [interface])
+
+    #
+    # Migrate "interface ethernet eth0 ip ospf" to "protocols ospf interface eth0"
+    #
+    for type in config.list_nodes(['interfaces']):
+        for interface in config.list_nodes(['interfaces', type]):
+            ip_base = ['interfaces', type, interface, 'ip']
+            ipv6_base = ['interfaces', type, interface, 'ipv6']
+            migrate_rip(config, ip_base, interface)
+            migrate_ripng(config, ipv6_base, interface)
+            migrate_ospf(config, ip_base, interface)
+            migrate_ospfv3(config, ipv6_base, interface)
+
+            vif_path = ['interfaces', type, interface, 'vif']
+            if config.exists(vif_path):
+                for vif in config.list_nodes(vif_path):
+                    vif_ip_base = vif_path + [vif, 'ip']
+                    vif_ipv6_base = vif_path + [vif, 'ipv6']
+                    ifname = f'{interface}.{vif}'
+
+                    migrate_rip(config, vif_ip_base, ifname)
+                    migrate_ripng(config, vif_ipv6_base, ifname)
+                    migrate_ospf(config, vif_ip_base, ifname)
+                    migrate_ospfv3(config, vif_ipv6_base, ifname)
+
+
+            vif_s_path = ['interfaces', type, interface, 'vif-s']
+            if config.exists(vif_s_path):
+                for vif_s in config.list_nodes(vif_s_path):
+                    vif_s_ip_base = vif_s_path + [vif_s, 'ip']
+                    vif_s_ipv6_base = vif_s_path + [vif_s, 'ipv6']
+
+                    # vif-c interfaces MUST be migrated before their parent vif-s
+                    # interface as the migrate_*() functions delete the path!
+                    vif_c_path = ['interfaces', type, interface, 'vif-s', vif_s, 'vif-c']
+                    if config.exists(vif_c_path):
+                        for vif_c in config.list_nodes(vif_c_path):
+                            vif_c_ip_base = vif_c_path + [vif_c, 'ip']
+                            vif_c_ipv6_base = vif_c_path + [vif_c, 'ipv6']
+                            ifname = f'{interface}.{vif_s}.{vif_c}'
+
+                            migrate_rip(config, vif_c_ip_base, ifname)
+                            migrate_ripng(config, vif_c_ipv6_base, ifname)
+                            migrate_ospf(config, vif_c_ip_base, ifname)
+                            migrate_ospfv3(config, vif_c_ipv6_base, ifname)
+
+
+                    ifname = f'{interface}.{vif_s}'
+                    migrate_rip(config, vif_s_ip_base, ifname)
+                    migrate_ripng(config, vif_s_ipv6_base, ifname)
+                    migrate_ospf(config, vif_s_ip_base, ifname)
+                    migrate_ospfv3(config, vif_s_ipv6_base, ifname)
 
     try:
         with open(file_name, 'w') as f:
             f.write(config.to_string())
     except OSError as e:
         print("Failed to save the modified config: {}".format(e))
-        sys.exit(1)
+        exit(1)
diff --git a/src/migration-scripts/interfaces/24-to-25 b/src/migration-scripts/interfaces/24-to-25
index 9aa6ea5e3..8fd79ecc6 100755
--- a/src/migration-scripts/interfaces/24-to-25
+++ b/src/migration-scripts/interfaces/24-to-25
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -14,374 +14,47 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# Migrate Wireguard to store keys in CLI
-# Migrate EAPoL to PKI configuration
+# A VTI interface also requires an IPSec configuration - VyOS 1.2 supported
+# having a VTI interface in the CLI but no IPSec configuration - drop VTI
+# configuration if this is the case for VyOS 1.4
 
-import os
 import sys
-
 from vyos.configtree import ConfigTree
-from vyos.pki import CERT_BEGIN
-from vyos.pki import load_certificate
-from vyos.pki import load_crl
-from vyos.pki import load_dh_parameters
-from vyos.pki import load_private_key
-from vyos.pki import encode_certificate
-from vyos.pki import encode_dh_parameters
-from vyos.pki import encode_private_key
-from vyos.pki import verify_crl
-from vyos.utils.process import run
-
-def wrapped_pem_to_config_value(pem):
-    out = []
-    for line in pem.strip().split("\n"):
-        if not line or line.startswith("-----") or line[0] == '#':
-            continue
-        out.append(line)
-    return "".join(out)
-
-def read_file_for_pki(config_auth_path):
-    full_path = os.path.join(AUTH_DIR, config_auth_path)
-    output = None
-
-    if os.path.isfile(full_path):
-        if not os.access(full_path, os.R_OK):
-            run(f'sudo chmod 644 {full_path}')
-
-        with open(full_path, 'r') as f:
-            output = f.read()
-
-    return output
 
-if len(sys.argv) < 2:
-    print("Must specify file name!")
-    sys.exit(1)
+if __name__ == '__main__':
+    if len(sys.argv) < 2:
+        print("Must specify file name!")
+        sys.exit(1)
 
-file_name = sys.argv[1]
+    file_name = sys.argv[1]
 
-with open(file_name, 'r') as f:
-    config_file = f.read()
+    with open(file_name, 'r') as f:
+        config_file = f.read()
 
-config = ConfigTree(config_file)
+    config = ConfigTree(config_file)
+    base = ['interfaces', 'vti']
+    if not config.exists(base):
+        # Nothing to do
+        sys.exit(0)
 
-AUTH_DIR = '/config/auth'
-pki_base = ['pki']
-
-# OpenVPN
-base = ['interfaces', 'openvpn']
-
-if config.exists(base):
+    ipsec_base = ['vpn', 'ipsec', 'site-to-site', 'peer']
     for interface in config.list_nodes(base):
-        x509_base = base + [interface, 'tls']
-        pki_name = f'openvpn_{interface}'
-
-        if config.exists(base + [interface, 'shared-secret-key-file']):
-            if not config.exists(pki_base + ['openvpn', 'shared-secret']):
-                config.set(pki_base + ['openvpn', 'shared-secret'])
-                config.set_tag(pki_base + ['openvpn', 'shared-secret'])
-
-            key_file = config.return_value(base + [interface, 'shared-secret-key-file'])
-            key = read_file_for_pki(key_file)
-            key_pki_name = f'{pki_name}_shared'
-
-            if key:
-                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
-                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
-                config.set(base + [interface, 'shared-secret-key'], value=key_pki_name)
-            else:
-                print(f'Failed to migrate shared-secret-key on openvpn interface {interface}')
-
-            config.delete(base + [interface, 'shared-secret-key-file'])
-
-        if not config.exists(base + [interface, 'tls']):
-            continue
-
-        if config.exists(base + [interface, 'tls', 'auth-file']):
-            if not config.exists(pki_base + ['openvpn', 'shared-secret']):
-                config.set(pki_base + ['openvpn', 'shared-secret'])
-                config.set_tag(pki_base + ['openvpn', 'shared-secret'])
-
-            key_file = config.return_value(base + [interface, 'tls', 'auth-file'])
-            key = read_file_for_pki(key_file)
-            key_pki_name = f'{pki_name}_auth'
-
-            if key:
-                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
-                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
-                config.set(base + [interface, 'tls', 'auth-key'], value=key_pki_name)
-            else:
-                print(f'Failed to migrate auth-key on openvpn interface {interface}')
-
-            config.delete(base + [interface, 'tls', 'auth-file'])
-
-        if config.exists(base + [interface, 'tls', 'crypt-file']):
-            if not config.exists(pki_base + ['openvpn', 'shared-secret']):
-                config.set(pki_base + ['openvpn', 'shared-secret'])
-                config.set_tag(pki_base + ['openvpn', 'shared-secret'])
-
-            key_file = config.return_value(base + [interface, 'tls', 'crypt-file'])
-            key = read_file_for_pki(key_file)
-            key_pki_name = f'{pki_name}_crypt'
-
-            if key:
-                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
-                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
-                config.set(base + [interface, 'tls', 'crypt-key'], value=key_pki_name)
-            else:
-                print(f'Failed to migrate crypt-key on openvpn interface {interface}')
-
-            config.delete(base + [interface, 'tls', 'crypt-file'])
-
-        ca_certs = {}
-
-        if config.exists(x509_base + ['ca-cert-file']):
-            if not config.exists(pki_base + ['ca']):
-                config.set(pki_base + ['ca'])
-                config.set_tag(pki_base + ['ca'])
-
-            cert_file = config.return_value(x509_base + ['ca-cert-file'])
-            cert_path = os.path.join(AUTH_DIR, cert_file)
-
-            if os.path.isfile(cert_path):
-                if not os.access(cert_path, os.R_OK):
-                    run(f'sudo chmod 644 {cert_path}')
-
-                with open(cert_path, 'r') as f:
-                    certs_str = f.read()
-                    certs_data = certs_str.split(CERT_BEGIN)
-                    index = 1
-                    for cert_data in certs_data[1:]:
-                        cert = load_certificate(CERT_BEGIN + cert_data, wrap_tags=False)
-
-                        if cert:
-                            ca_certs[f'{pki_name}_{index}'] = cert
-                            cert_pem = encode_certificate(cert)
-                            config.set(pki_base + ['ca', f'{pki_name}_{index}', 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
-                            config.set(x509_base + ['ca-certificate'], value=f'{pki_name}_{index}', replace=False)
-                        else:
-                            print(f'Failed to migrate CA certificate on openvpn interface {interface}')
-
-                        index += 1
-            else:
-                print(f'Failed to migrate CA certificate on openvpn interface {interface}')
-
-            config.delete(x509_base + ['ca-cert-file'])
-
-        if config.exists(x509_base + ['crl-file']):
-            if not config.exists(pki_base + ['ca']):
-                config.set(pki_base + ['ca'])
-                config.set_tag(pki_base + ['ca'])
-
-            crl_file = config.return_value(x509_base + ['crl-file'])
-            crl_path = os.path.join(AUTH_DIR, crl_file)
-            crl = None
-            crl_ca_name = None
-
-            if os.path.isfile(crl_path):
-                if not os.access(crl_path, os.R_OK):
-                    run(f'sudo chmod 644 {crl_path}')
-
-                with open(crl_path, 'r') as f:
-                    crl_data = f.read()
-                    crl = load_crl(crl_data, wrap_tags=False)
-
-                    for ca_name, ca_cert in ca_certs.items():
-                        if verify_crl(crl, ca_cert):
-                            crl_ca_name = ca_name
-                            break
-
-            if crl and crl_ca_name:
-                crl_pem = encode_certificate(crl)
-                config.set(pki_base + ['ca', crl_ca_name, 'crl'], value=wrapped_pem_to_config_value(crl_pem))
-            else:
-                print(f'Failed to migrate CRL on openvpn interface {interface}')
-
-            config.delete(x509_base + ['crl-file'])
-
-        if config.exists(x509_base + ['cert-file']):
-            if not config.exists(pki_base + ['certificate']):
-                config.set(pki_base + ['certificate'])
-                config.set_tag(pki_base + ['certificate'])
-
-            cert_file = config.return_value(x509_base + ['cert-file'])
-            cert_path = os.path.join(AUTH_DIR, cert_file)
-            cert = None
-
-            if os.path.isfile(cert_path):
-                if not os.access(cert_path, os.R_OK):
-                    run(f'sudo chmod 644 {cert_path}')
-
-                with open(cert_path, 'r') as f:
-                    cert_data = f.read()
-                    cert = load_certificate(cert_data, wrap_tags=False)
-
-            if cert:
-                cert_pem = encode_certificate(cert)
-                config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
-                config.set(x509_base + ['certificate'], value=pki_name)
-            else:
-                print(f'Failed to migrate certificate on openvpn interface {interface}')
-
-            config.delete(x509_base + ['cert-file'])
-
-        if config.exists(x509_base + ['key-file']):
-            key_file = config.return_value(x509_base + ['key-file'])
-            key_path = os.path.join(AUTH_DIR, key_file)
-            key = None
-
-            if os.path.isfile(key_path):
-                if not os.access(key_path, os.R_OK):
-                    run(f'sudo chmod 644 {key_path}')
-
-                with open(key_path, 'r') as f:
-                    key_data = f.read()
-                    key = load_private_key(key_data, passphrase=None, wrap_tags=False)
-
-            if key:
-                key_pem = encode_private_key(key, passphrase=None)
-                config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
-            else:
-                print(f'Failed to migrate private key on openvpn interface {interface}')
-
-            config.delete(x509_base + ['key-file'])
-
-        if config.exists(x509_base + ['dh-file']):
-            if not config.exists(pki_base + ['dh']):
-                config.set(pki_base + ['dh'])
-                config.set_tag(pki_base + ['dh'])
-
-            dh_file = config.return_value(x509_base + ['dh-file'])
-            dh_path = os.path.join(AUTH_DIR, dh_file)
-            dh = None
-
-            if os.path.isfile(dh_path):
-                if not os.access(dh_path, os.R_OK):
-                    run(f'sudo chmod 644 {dh_path}')
-
-                with open(dh_path, 'r') as f:
-                    dh_data = f.read()
-                    dh = load_dh_parameters(dh_data, wrap_tags=False)
-
-            if dh:
-                dh_pem = encode_dh_parameters(dh)
-                config.set(pki_base + ['dh', pki_name, 'parameters'], value=wrapped_pem_to_config_value(dh_pem))
-                config.set(x509_base + ['dh-params'], value=pki_name)
-            else:
-                print(f'Failed to migrate DH parameters on openvpn interface {interface}')
-
-            config.delete(x509_base + ['dh-file'])
-
-# Wireguard
-base = ['interfaces', 'wireguard']
-
-if config.exists(base):
-    for interface in config.list_nodes(base):
-        private_key_path = base + [interface, 'private-key']
-
-        key_file = 'default'
-        if config.exists(private_key_path):
-            key_file = config.return_value(private_key_path)
-
-        full_key_path = f'/config/auth/wireguard/{key_file}/private.key'
-
-        if not os.path.exists(full_key_path):
-            print(f'Could not find wireguard private key for migration on interface "{interface}"')
-            continue
-
-        with open(full_key_path, 'r') as f:
-            key_data = f.read().strip()
-            config.set(private_key_path, value=key_data)
-
-        for peer in config.list_nodes(base + [interface, 'peer']):
-            config.rename(base + [interface, 'peer', peer, 'pubkey'], 'public-key')
-
-# Ethernet EAPoL
-base = ['interfaces', 'ethernet']
-
-if config.exists(base):
-    for interface in config.list_nodes(base):
-        if not config.exists(base + [interface, 'eapol']):
-            continue
-
-        x509_base = base + [interface, 'eapol']
-        pki_name = f'eapol_{interface}'
-
-        if config.exists(x509_base + ['ca-cert-file']):
-            if not config.exists(pki_base + ['ca']):
-                config.set(pki_base + ['ca'])
-                config.set_tag(pki_base + ['ca'])
-
-            cert_file = config.return_value(x509_base + ['ca-cert-file'])
-            cert_path = os.path.join(AUTH_DIR, cert_file)
-            cert = None
-
-            if os.path.isfile(cert_path):
-                if not os.access(cert_path, os.R_OK):
-                    run(f'sudo chmod 644 {cert_path}')
-
-                with open(cert_path, 'r') as f:
-                    cert_data = f.read()
-                    cert = load_certificate(cert_data, wrap_tags=False)
-
-            if cert:
-                cert_pem = encode_certificate(cert)
-                config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
-                config.set(x509_base + ['ca-certificate'], value=pki_name)
-            else:
-                print(f'Failed to migrate CA certificate on eapol config for interface {interface}')
-
-            config.delete(x509_base + ['ca-cert-file'])
-
-        if config.exists(x509_base + ['cert-file']):
-            if not config.exists(pki_base + ['certificate']):
-                config.set(pki_base + ['certificate'])
-                config.set_tag(pki_base + ['certificate'])
-
-            cert_file = config.return_value(x509_base + ['cert-file'])
-            cert_path = os.path.join(AUTH_DIR, cert_file)
-            cert = None
-
-            if os.path.isfile(cert_path):
-                if not os.access(cert_path, os.R_OK):
-                    run(f'sudo chmod 644 {cert_path}')
-
-                with open(cert_path, 'r') as f:
-                    cert_data = f.read()
-                    cert = load_certificate(cert_data, wrap_tags=False)
-
-            if cert:
-                cert_pem = encode_certificate(cert)
-                config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
-                config.set(x509_base + ['certificate'], value=pki_name)
-            else:
-                print(f'Failed to migrate certificate on eapol config for interface {interface}')
-
-            config.delete(x509_base + ['cert-file'])
-
-        if config.exists(x509_base + ['key-file']):
-            key_file = config.return_value(x509_base + ['key-file'])
-            key_path = os.path.join(AUTH_DIR, key_file)
-            key = None
-
-            if os.path.isfile(key_path):
-                if not os.access(key_path, os.R_OK):
-                    run(f'sudo chmod 644 {key_path}')
-
-                with open(key_path, 'r') as f:
-                    key_data = f.read()
-                    key = load_private_key(key_data, passphrase=None, wrap_tags=False)
-
-            if key:
-                key_pem = encode_private_key(key, passphrase=None)
-                config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
-            else:
-                print(f'Failed to migrate private key on eapol config for interface {interface}')
-
-            config.delete(x509_base + ['key-file'])
-
-try:
-    with open(file_name, 'w') as f:
-        f.write(config.to_string())
-except OSError as e:
-    print("Failed to save the modified config: {}".format(e))
-    sys.exit(1)
+        found = False
+        if config.exists(ipsec_base):
+            for peer in config.list_nodes(ipsec_base):
+                if config.exists(ipsec_base + [peer, 'vti', 'bind']):
+                    tmp = config.return_value(ipsec_base + [peer, 'vti', 'bind'])
+                    if tmp == interface:
+                        # Interface was found and we no longer need to search
+                        # for it in our IPSec peers
+                        found = True
+                        break
+        if not found:
+            config.delete(base + [interface])
+
+    try:
+        with open(file_name, 'w') as f:
+            f.write(config.to_string())
+    except OSError as e:
+        print("Failed to save the modified config: {}".format(e))
+        sys.exit(1)
diff --git a/src/migration-scripts/interfaces/25-to-26 b/src/migration-scripts/interfaces/25-to-26
index 4967a29fa..9aa6ea5e3 100755
--- a/src/migration-scripts/interfaces/25-to-26
+++ b/src/migration-scripts/interfaces/25-to-26
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2022 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -14,41 +14,374 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# T4384: pppoe: replace default-route CLI option with common CLI nodes already
-#        present for DHCP
+# Migrate Wireguard to store keys in CLI
+# Migrate EAPoL to PKI configuration
 
-from sys import argv
+import os
+import sys
 
-from vyos.ethtool import Ethtool
 from vyos.configtree import ConfigTree
+from vyos.pki import CERT_BEGIN
+from vyos.pki import load_certificate
+from vyos.pki import load_crl
+from vyos.pki import load_dh_parameters
+from vyos.pki import load_private_key
+from vyos.pki import encode_certificate
+from vyos.pki import encode_dh_parameters
+from vyos.pki import encode_private_key
+from vyos.pki import verify_crl
+from vyos.utils.process import run
 
-if len(argv) < 2:
+def wrapped_pem_to_config_value(pem):
+    out = []
+    for line in pem.strip().split("\n"):
+        if not line or line.startswith("-----") or line[0] == '#':
+            continue
+        out.append(line)
+    return "".join(out)
+
+def read_file_for_pki(config_auth_path):
+    full_path = os.path.join(AUTH_DIR, config_auth_path)
+    output = None
+
+    if os.path.isfile(full_path):
+        if not os.access(full_path, os.R_OK):
+            run(f'sudo chmod 644 {full_path}')
+
+        with open(full_path, 'r') as f:
+            output = f.read()
+
+    return output
+
+if len(sys.argv) < 2:
     print("Must specify file name!")
-    exit(1)
+    sys.exit(1)
+
+file_name = sys.argv[1]
 
-file_name = argv[1]
 with open(file_name, 'r') as f:
     config_file = f.read()
 
-base = ['interfaces', 'pppoe']
 config = ConfigTree(config_file)
 
-if not config.exists(base):
-    exit(0)
+AUTH_DIR = '/config/auth'
+pki_base = ['pki']
+
+# OpenVPN
+base = ['interfaces', 'openvpn']
+
+if config.exists(base):
+    for interface in config.list_nodes(base):
+        x509_base = base + [interface, 'tls']
+        pki_name = f'openvpn_{interface}'
+
+        if config.exists(base + [interface, 'shared-secret-key-file']):
+            if not config.exists(pki_base + ['openvpn', 'shared-secret']):
+                config.set(pki_base + ['openvpn', 'shared-secret'])
+                config.set_tag(pki_base + ['openvpn', 'shared-secret'])
+
+            key_file = config.return_value(base + [interface, 'shared-secret-key-file'])
+            key = read_file_for_pki(key_file)
+            key_pki_name = f'{pki_name}_shared'
+
+            if key:
+                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
+                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
+                config.set(base + [interface, 'shared-secret-key'], value=key_pki_name)
+            else:
+                print(f'Failed to migrate shared-secret-key on openvpn interface {interface}')
+
+            config.delete(base + [interface, 'shared-secret-key-file'])
+
+        if not config.exists(base + [interface, 'tls']):
+            continue
+
+        if config.exists(base + [interface, 'tls', 'auth-file']):
+            if not config.exists(pki_base + ['openvpn', 'shared-secret']):
+                config.set(pki_base + ['openvpn', 'shared-secret'])
+                config.set_tag(pki_base + ['openvpn', 'shared-secret'])
+
+            key_file = config.return_value(base + [interface, 'tls', 'auth-file'])
+            key = read_file_for_pki(key_file)
+            key_pki_name = f'{pki_name}_auth'
+
+            if key:
+                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
+                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
+                config.set(base + [interface, 'tls', 'auth-key'], value=key_pki_name)
+            else:
+                print(f'Failed to migrate auth-key on openvpn interface {interface}')
+
+            config.delete(base + [interface, 'tls', 'auth-file'])
+
+        if config.exists(base + [interface, 'tls', 'crypt-file']):
+            if not config.exists(pki_base + ['openvpn', 'shared-secret']):
+                config.set(pki_base + ['openvpn', 'shared-secret'])
+                config.set_tag(pki_base + ['openvpn', 'shared-secret'])
+
+            key_file = config.return_value(base + [interface, 'tls', 'crypt-file'])
+            key = read_file_for_pki(key_file)
+            key_pki_name = f'{pki_name}_crypt'
+
+            if key:
+                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
+                config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
+                config.set(base + [interface, 'tls', 'crypt-key'], value=key_pki_name)
+            else:
+                print(f'Failed to migrate crypt-key on openvpn interface {interface}')
+
+            config.delete(base + [interface, 'tls', 'crypt-file'])
+
+        ca_certs = {}
+
+        if config.exists(x509_base + ['ca-cert-file']):
+            if not config.exists(pki_base + ['ca']):
+                config.set(pki_base + ['ca'])
+                config.set_tag(pki_base + ['ca'])
+
+            cert_file = config.return_value(x509_base + ['ca-cert-file'])
+            cert_path = os.path.join(AUTH_DIR, cert_file)
+
+            if os.path.isfile(cert_path):
+                if not os.access(cert_path, os.R_OK):
+                    run(f'sudo chmod 644 {cert_path}')
+
+                with open(cert_path, 'r') as f:
+                    certs_str = f.read()
+                    certs_data = certs_str.split(CERT_BEGIN)
+                    index = 1
+                    for cert_data in certs_data[1:]:
+                        cert = load_certificate(CERT_BEGIN + cert_data, wrap_tags=False)
+
+                        if cert:
+                            ca_certs[f'{pki_name}_{index}'] = cert
+                            cert_pem = encode_certificate(cert)
+                            config.set(pki_base + ['ca', f'{pki_name}_{index}', 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+                            config.set(x509_base + ['ca-certificate'], value=f'{pki_name}_{index}', replace=False)
+                        else:
+                            print(f'Failed to migrate CA certificate on openvpn interface {interface}')
+
+                        index += 1
+            else:
+                print(f'Failed to migrate CA certificate on openvpn interface {interface}')
+
+            config.delete(x509_base + ['ca-cert-file'])
+
+        if config.exists(x509_base + ['crl-file']):
+            if not config.exists(pki_base + ['ca']):
+                config.set(pki_base + ['ca'])
+                config.set_tag(pki_base + ['ca'])
+
+            crl_file = config.return_value(x509_base + ['crl-file'])
+            crl_path = os.path.join(AUTH_DIR, crl_file)
+            crl = None
+            crl_ca_name = None
+
+            if os.path.isfile(crl_path):
+                if not os.access(crl_path, os.R_OK):
+                    run(f'sudo chmod 644 {crl_path}')
+
+                with open(crl_path, 'r') as f:
+                    crl_data = f.read()
+                    crl = load_crl(crl_data, wrap_tags=False)
+
+                    for ca_name, ca_cert in ca_certs.items():
+                        if verify_crl(crl, ca_cert):
+                            crl_ca_name = ca_name
+                            break
+
+            if crl and crl_ca_name:
+                crl_pem = encode_certificate(crl)
+                config.set(pki_base + ['ca', crl_ca_name, 'crl'], value=wrapped_pem_to_config_value(crl_pem))
+            else:
+                print(f'Failed to migrate CRL on openvpn interface {interface}')
+
+            config.delete(x509_base + ['crl-file'])
+
+        if config.exists(x509_base + ['cert-file']):
+            if not config.exists(pki_base + ['certificate']):
+                config.set(pki_base + ['certificate'])
+                config.set_tag(pki_base + ['certificate'])
+
+            cert_file = config.return_value(x509_base + ['cert-file'])
+            cert_path = os.path.join(AUTH_DIR, cert_file)
+            cert = None
+
+            if os.path.isfile(cert_path):
+                if not os.access(cert_path, os.R_OK):
+                    run(f'sudo chmod 644 {cert_path}')
+
+                with open(cert_path, 'r') as f:
+                    cert_data = f.read()
+                    cert = load_certificate(cert_data, wrap_tags=False)
+
+            if cert:
+                cert_pem = encode_certificate(cert)
+                config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+                config.set(x509_base + ['certificate'], value=pki_name)
+            else:
+                print(f'Failed to migrate certificate on openvpn interface {interface}')
+
+            config.delete(x509_base + ['cert-file'])
+
+        if config.exists(x509_base + ['key-file']):
+            key_file = config.return_value(x509_base + ['key-file'])
+            key_path = os.path.join(AUTH_DIR, key_file)
+            key = None
+
+            if os.path.isfile(key_path):
+                if not os.access(key_path, os.R_OK):
+                    run(f'sudo chmod 644 {key_path}')
+
+                with open(key_path, 'r') as f:
+                    key_data = f.read()
+                    key = load_private_key(key_data, passphrase=None, wrap_tags=False)
+
+            if key:
+                key_pem = encode_private_key(key, passphrase=None)
+                config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
+            else:
+                print(f'Failed to migrate private key on openvpn interface {interface}')
+
+            config.delete(x509_base + ['key-file'])
+
+        if config.exists(x509_base + ['dh-file']):
+            if not config.exists(pki_base + ['dh']):
+                config.set(pki_base + ['dh'])
+                config.set_tag(pki_base + ['dh'])
+
+            dh_file = config.return_value(x509_base + ['dh-file'])
+            dh_path = os.path.join(AUTH_DIR, dh_file)
+            dh = None
+
+            if os.path.isfile(dh_path):
+                if not os.access(dh_path, os.R_OK):
+                    run(f'sudo chmod 644 {dh_path}')
+
+                with open(dh_path, 'r') as f:
+                    dh_data = f.read()
+                    dh = load_dh_parameters(dh_data, wrap_tags=False)
+
+            if dh:
+                dh_pem = encode_dh_parameters(dh)
+                config.set(pki_base + ['dh', pki_name, 'parameters'], value=wrapped_pem_to_config_value(dh_pem))
+                config.set(x509_base + ['dh-params'], value=pki_name)
+            else:
+                print(f'Failed to migrate DH parameters on openvpn interface {interface}')
+
+            config.delete(x509_base + ['dh-file'])
+
+# Wireguard
+base = ['interfaces', 'wireguard']
+
+if config.exists(base):
+    for interface in config.list_nodes(base):
+        private_key_path = base + [interface, 'private-key']
+
+        key_file = 'default'
+        if config.exists(private_key_path):
+            key_file = config.return_value(private_key_path)
+
+        full_key_path = f'/config/auth/wireguard/{key_file}/private.key'
+
+        if not os.path.exists(full_key_path):
+            print(f'Could not find wireguard private key for migration on interface "{interface}"')
+            continue
+
+        with open(full_key_path, 'r') as f:
+            key_data = f.read().strip()
+            config.set(private_key_path, value=key_data)
+
+        for peer in config.list_nodes(base + [interface, 'peer']):
+            config.rename(base + [interface, 'peer', peer, 'pubkey'], 'public-key')
+
+# Ethernet EAPoL
+base = ['interfaces', 'ethernet']
+
+if config.exists(base):
+    for interface in config.list_nodes(base):
+        if not config.exists(base + [interface, 'eapol']):
+            continue
+
+        x509_base = base + [interface, 'eapol']
+        pki_name = f'eapol_{interface}'
+
+        if config.exists(x509_base + ['ca-cert-file']):
+            if not config.exists(pki_base + ['ca']):
+                config.set(pki_base + ['ca'])
+                config.set_tag(pki_base + ['ca'])
+
+            cert_file = config.return_value(x509_base + ['ca-cert-file'])
+            cert_path = os.path.join(AUTH_DIR, cert_file)
+            cert = None
+
+            if os.path.isfile(cert_path):
+                if not os.access(cert_path, os.R_OK):
+                    run(f'sudo chmod 644 {cert_path}')
+
+                with open(cert_path, 'r') as f:
+                    cert_data = f.read()
+                    cert = load_certificate(cert_data, wrap_tags=False)
+
+            if cert:
+                cert_pem = encode_certificate(cert)
+                config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+                config.set(x509_base + ['ca-certificate'], value=pki_name)
+            else:
+                print(f'Failed to migrate CA certificate on eapol config for interface {interface}')
+
+            config.delete(x509_base + ['ca-cert-file'])
+
+        if config.exists(x509_base + ['cert-file']):
+            if not config.exists(pki_base + ['certificate']):
+                config.set(pki_base + ['certificate'])
+                config.set_tag(pki_base + ['certificate'])
+
+            cert_file = config.return_value(x509_base + ['cert-file'])
+            cert_path = os.path.join(AUTH_DIR, cert_file)
+            cert = None
+
+            if os.path.isfile(cert_path):
+                if not os.access(cert_path, os.R_OK):
+                    run(f'sudo chmod 644 {cert_path}')
+
+                with open(cert_path, 'r') as f:
+                    cert_data = f.read()
+                    cert = load_certificate(cert_data, wrap_tags=False)
+
+            if cert:
+                cert_pem = encode_certificate(cert)
+                config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+                config.set(x509_base + ['certificate'], value=pki_name)
+            else:
+                print(f'Failed to migrate certificate on eapol config for interface {interface}')
+
+            config.delete(x509_base + ['cert-file'])
+
+        if config.exists(x509_base + ['key-file']):
+            key_file = config.return_value(x509_base + ['key-file'])
+            key_path = os.path.join(AUTH_DIR, key_file)
+            key = None
+
+            if os.path.isfile(key_path):
+                if not os.access(key_path, os.R_OK):
+                    run(f'sudo chmod 644 {key_path}')
+
+                with open(key_path, 'r') as f:
+                    key_data = f.read()
+                    key = load_private_key(key_data, passphrase=None, wrap_tags=False)
+
+            if key:
+                key_pem = encode_private_key(key, passphrase=None)
+                config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
+            else:
+                print(f'Failed to migrate private key on eapol config for interface {interface}')
 
-for ifname in config.list_nodes(base):
-    tmp_config = base + [ifname, 'default-route']
-    if config.exists(tmp_config):
-        # Retrieve current config value
-        value = config.return_value(tmp_config)
-        # Delete old Config node
-        config.delete(tmp_config)
-        if value == 'none':
-            config.set(base + [ifname, 'no-default-route'])
+            config.delete(x509_base + ['key-file'])
 
 try:
     with open(file_name, 'w') as f:
         f.write(config.to_string())
 except OSError as e:
-    print(f'Failed to save the modified config: {e}')
-    exit(1)
+    print("Failed to save the modified config: {}".format(e))
+    sys.exit(1)
diff --git a/src/migration-scripts/interfaces/26-to-27 b/src/migration-scripts/interfaces/26-to-27
index a0d043d11..4967a29fa 100755
--- a/src/migration-scripts/interfaces/26-to-27
+++ b/src/migration-scripts/interfaces/26-to-27
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2023 VyOS maintainers and contributors
+# Copyright (C) 2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -14,8 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# T4995: pppoe, wwan, sstpc-client rename "authentication user" CLI node
-#        to "authentication username"
+# T4384: pppoe: replace default-route CLI option with common CLI nodes already
+#        present for DHCP
 
 from sys import argv
 
@@ -30,16 +30,21 @@ file_name = argv[1]
 with open(file_name, 'r') as f:
     config_file = f.read()
 
+base = ['interfaces', 'pppoe']
 config = ConfigTree(config_file)
 
-for type in ['pppoe', 'sstpc-client', 'wwam']:
-    base = ['interfaces', type]
-    if not config.exists(base):
-        continue
-    for interface in config.list_nodes(base):
-        auth_base = base + [interface, 'authentication', 'user']
-        if config.exists(auth_base):
-            config.rename(auth_base, 'username')
+if not config.exists(base):
+    exit(0)
+
+for ifname in config.list_nodes(base):
+    tmp_config = base + [ifname, 'default-route']
+    if config.exists(tmp_config):
+        # Retrieve current config value
+        value = config.return_value(tmp_config)
+        # Delete old Config node
+        config.delete(tmp_config)
+        if value == 'none':
+            config.set(base + [ifname, 'no-default-route'])
 
 try:
     with open(file_name, 'w') as f:
diff --git a/src/migration-scripts/interfaces/27-to-28 b/src/migration-scripts/interfaces/27-to-28
index ad5bfa653..a0d043d11 100755
--- a/src/migration-scripts/interfaces/27-to-28
+++ b/src/migration-scripts/interfaces/27-to-28
@@ -14,8 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# T5034: tunnel: rename "multicast enable" CLI node to "enable-multicast"
-#        valueless node.
+# T4995: pppoe, wwan, sstpc-client rename "authentication user" CLI node
+#        to "authentication username"
 
 from sys import argv
 
@@ -30,21 +30,16 @@ file_name = argv[1]
 with open(file_name, 'r') as f:
     config_file = f.read()
 
-base = ['interfaces', 'tunnel']
 config = ConfigTree(config_file)
 
-if not config.exists(base):
-    exit(0)
-
-for ifname in config.list_nodes(base):
-    multicast_base = base + [ifname, 'multicast']
-    if config.exists(multicast_base):
-        tmp = config.return_value(multicast_base)
-        print(tmp)
-        # Delete old Config node
-        config.delete(multicast_base)
-        if tmp == 'enable':
-            config.set(base + [ifname, 'enable-multicast'])
+for type in ['pppoe', 'sstpc-client', 'wwam']:
+    base = ['interfaces', type]
+    if not config.exists(base):
+        continue
+    for interface in config.list_nodes(base):
+        auth_base = base + [interface, 'authentication', 'user']
+        if config.exists(auth_base):
+            config.rename(auth_base, 'username')
 
 try:
     with open(file_name, 'w') as f:
diff --git a/src/migration-scripts/interfaces/28-to-29 b/src/migration-scripts/interfaces/28-to-29
index acb6ee1fb..ad5bfa653 100755
--- a/src/migration-scripts/interfaces/28-to-29
+++ b/src/migration-scripts/interfaces/28-to-29
@@ -14,7 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# T5286: remove XDP support in favour of VPP
+# T5034: tunnel: rename "multicast enable" CLI node to "enable-multicast"
+#        valueless node.
 
 from sys import argv
 
@@ -29,17 +30,21 @@ file_name = argv[1]
 with open(file_name, 'r') as f:
     config_file = f.read()
 
-supports_xdp = ['bonding', 'ethernet']
+base = ['interfaces', 'tunnel']
 config = ConfigTree(config_file)
 
-for if_type in supports_xdp:
-    base = ['interfaces', if_type]
-    if not config.exists(base):
-        continue
-    for interface in config.list_nodes(base):
-        if_base = base + [interface]
-        if config.exists(if_base + ['xdp']):
-            config.delete(if_base + ['xdp'])
+if not config.exists(base):
+    exit(0)
+
+for ifname in config.list_nodes(base):
+    multicast_base = base + [ifname, 'multicast']
+    if config.exists(multicast_base):
+        tmp = config.return_value(multicast_base)
+        print(tmp)
+        # Delete old Config node
+        config.delete(multicast_base)
+        if tmp == 'enable':
+            config.set(base + [ifname, 'enable-multicast'])
 
 try:
     with open(file_name, 'w') as f:
diff --git a/src/migration-scripts/interfaces/29-to-30 b/src/migration-scripts/interfaces/29-to-30
index 97e1b329c..acb6ee1fb 100755
--- a/src/migration-scripts/interfaces/29-to-30
+++ b/src/migration-scripts/interfaces/29-to-30
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -13,42 +13,37 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-# Deletes Wireguard peers if they have the same public key as the router has.
-import sys
+
+# T5286: remove XDP support in favour of VPP
+
+from sys import argv
+
+from vyos.ethtool import Ethtool
 from vyos.configtree import ConfigTree
-from vyos.utils.network import is_wireguard_key_pair
 
-if __name__ == '__main__':
-    if len(sys.argv) < 2:
-        print("Must specify file name!")
-        sys.exit(1)
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
 
-    file_name = sys.argv[1]
+file_name = argv[1]
+with open(file_name, 'r') as f:
+    config_file = f.read()
 
-    with open(file_name, 'r') as f:
-        config_file = f.read()
+supports_xdp = ['bonding', 'ethernet']
+config = ConfigTree(config_file)
 
-    config = ConfigTree(config_file)
-    base = ['interfaces', 'wireguard']
+for if_type in supports_xdp:
+    base = ['interfaces', if_type]
     if not config.exists(base):
-        # Nothing to do
-        sys.exit(0)
+        continue
     for interface in config.list_nodes(base):
-        private_key = config.return_value(base + [interface, 'private-key'])
-        interface_base = base + [interface]
-        if config.exists(interface_base + ['peer']):
-            for peer in config.list_nodes(interface_base + ['peer']):
-                peer_base = interface_base + ['peer', peer]
-                peer_public_key = config.return_value(peer_base + ['public-key'])
-                if config.exists(peer_base + ['public-key']):
-                    if not config.exists(peer_base + ['disable']) \
-                            and is_wireguard_key_pair(private_key, peer_public_key):
-                        config.set(peer_base + ['disable'])
-
-    try:
-        with open(file_name, 'w') as f:
-            f.write(config.to_string())
-    except OSError as e:
-        print("Failed to save the modified config: {}".format(e))
-        sys.exit(1)
+        if_base = base + [interface]
+        if config.exists(if_base + ['xdp']):
+            config.delete(if_base + ['xdp'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print(f'Failed to save the modified config: {e}')
+    exit(1)
diff --git a/src/migration-scripts/interfaces/30-to-31 b/src/migration-scripts/interfaces/30-to-31
new file mode 100755
index 000000000..894106ef4
--- /dev/null
+++ b/src/migration-scripts/interfaces/30-to-31
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# Deletes Wireguard peers if they have the same public key as the router has.
+
+import json
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import EthernetIf
+from vyos.ifconfig import BondIf
+from vyos.utils.dict import dict_to_paths_values
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+with open(file_name, 'r') as f:
+    config_file = f.read()
+    base = ['interfaces', 'bonding']
+
+config = ConfigTree(config_file)
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+for bond in config.list_nodes(base):
+    member_base = base + [bond, 'member', 'interface']
+    if config.exists(member_base):
+        for interface in config.return_values(member_base):
+            if_base = ['interfaces', 'ethernet', interface]
+            if config.exists(if_base):
+                config_ethernet = json.loads(config.get_subtree(if_base).to_json())
+                eth_dict_paths = dict_to_paths_values(config_ethernet)
+                for option_path, option_value in eth_dict_paths.items():
+                    # If option is allowed for changing then continue
+                    converted_path = option_path.replace('-','_')
+                    if converted_path in EthernetIf.get_bond_member_allowed_options():
+                        continue
+                    # if option is inherited from bond then continue
+                    if converted_path in BondIf.get_inherit_bond_options():
+                        continue
+                    option_path_list = option_path.split('.')
+                    config.delete(if_base + option_path_list)
+                    del option_path_list[-1]
+                    # delete empty node from config
+                    while len(option_path_list) > 0:
+                        if config.list_nodes(if_base + option_path_list):
+                            break
+                        config.delete(if_base + option_path_list)
+                        del option_path_list[-1]
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print(f'Failed to save the modified config: {e}')
+    exit(1)
diff --git a/src/migration-scripts/interfaces/31-to-32 b/src/migration-scripts/interfaces/31-to-32
new file mode 100755
index 000000000..0fc27b70a
--- /dev/null
+++ b/src/migration-scripts/interfaces/31-to-32
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# T5671: change port to IANA assigned default port
+# T5759: change default MTU 1450 -> 1500
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['interfaces', 'vxlan']
+
+config = ConfigTree(config_file)
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+for vxlan in config.list_nodes(base):
+    if config.exists(base + [vxlan, 'external']):
+        config.delete(base + [vxlan, 'external'])
+        config.set(base + [vxlan, 'parameters', 'external'])
+
+    if not config.exists(base + [vxlan, 'port']):
+        config.set(base + [vxlan, 'port'], value='8472')
+
+    if not config.exists(base + [vxlan, 'mtu']):
+        config.set(base + [vxlan, 'mtu'], value='1450')
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print(f'Failed to save the modified config: {e}')
+    exit(1)
diff --git a/src/migration-scripts/ipoe-server/1-to-2 b/src/migration-scripts/ipoe-server/1-to-2
new file mode 100755
index 000000000..c8cec6835
--- /dev/null
+++ b/src/migration-scripts/ipoe-server/1-to-2
@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - changed cli of all named pools
+# - moved gateway-address from pool to global configuration with / netmask
+#   gateway can exist without pool if radius is used
+#   and Framed-ip-address is transmited
+# - There are several gateway-addresses in ipoe
+# - default-pool by migration.
+#       1. The first pool that contains next-poll.
+#       2. Else, the first pool in the list
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['service', 'ipoe-server']
+pool_base = base + ['client-ip-pool']
+if not config.exists(base):
+    exit(0)
+
+if not config.exists(pool_base):
+    exit(0)
+default_pool = ''
+gateway = ''
+
+#named pool migration
+namedpools_base = pool_base + ['name']
+
+for pool_name in config.list_nodes(namedpools_base):
+    pool_path = namedpools_base + [pool_name]
+    if config.exists(pool_path + ['subnet']):
+        subnet = config.return_value(pool_path + ['subnet'])
+        config.set(pool_base + [pool_name, 'range'], value=subnet)
+        # Get netmask from subnet
+        mask = subnet.split("/")[1]
+    if config.exists(pool_path + ['next-pool']):
+        next_pool = config.return_value(pool_path + ['next-pool'])
+        config.set(pool_base + [pool_name, 'next-pool'], value=next_pool)
+        if not default_pool:
+            default_pool = pool_name
+    if config.exists(pool_path + ['gateway-address']) and mask:
+        gateway = f'{config.return_value(pool_path + ["gateway-address"])}/{mask}'
+        config.set(base + ['gateway-address'], value=gateway, replace=False)
+
+if not default_pool and config.list_nodes(namedpools_base):
+    default_pool = config.list_nodes(namedpools_base)[0]
+
+config.delete(namedpools_base)
+
+if default_pool:
+    config.set(base + ['default-pool'], value=default_pool)
+# format as tag node
+config.set_tag(pool_base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/l2tp/4-to-5 b/src/migration-scripts/l2tp/4-to-5
new file mode 100755
index 000000000..496dc83d6
--- /dev/null
+++ b/src/migration-scripts/l2tp/4-to-5
@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - move all pool to named pools
+#       'start-stop' migrate to namedpool 'default-range-pool'
+#       'subnet' migrate to namedpool 'default-subnet-pool'
+#       'default-subnet-pool' is the next pool for 'default-range-pool'
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'l2tp', 'remote-access']
+pool_base = base + ['client-ip-pool']
+if not config.exists(base):
+    exit(0)
+
+if not config.exists(pool_base):
+    exit(0)
+default_pool = ''
+range_pool_name = 'default-range-pool'
+subnet_base_name = 'default-subnet-pool'
+number = 1
+subnet_pool_name = f'{subnet_base_name}-{number}'
+prev_subnet_pool = subnet_pool_name
+if config.exists(pool_base + ['subnet']):
+    default_pool = subnet_pool_name
+    for subnet in config.return_values(pool_base + ['subnet']):
+        config.set(pool_base + [subnet_pool_name, 'range'], value=subnet)
+        if prev_subnet_pool != subnet_pool_name:
+            config.set(pool_base + [prev_subnet_pool, 'next-pool'],
+                       value=subnet_pool_name)
+            prev_subnet_pool = subnet_pool_name
+        number += 1
+        subnet_pool_name = f'{subnet_base_name}-{number}'
+
+    config.delete(pool_base + ['subnet'])
+
+if config.exists(pool_base + ['start']) and config.exists(pool_base + ['stop']):
+    start_ip = config.return_value(pool_base + ['start'])
+    stop_ip = config.return_value(pool_base + ['stop'])
+    ip_range = f'{start_ip}-{stop_ip}'
+    config.delete(pool_base + ['start'])
+    config.delete(pool_base + ['stop'])
+    config.set(pool_base + [range_pool_name, 'range'], value=ip_range)
+    if default_pool:
+        config.set(pool_base + [range_pool_name, 'next-pool'],
+                   value=default_pool)
+    default_pool = range_pool_name
+
+if default_pool:
+    config.set(base + ['default-pool'], value=default_pool)
+# format as tag node
+config.set_tag(pool_base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/l2tp/5-to-6 b/src/migration-scripts/l2tp/5-to-6
new file mode 100755
index 000000000..ca0b13dcc
--- /dev/null
+++ b/src/migration-scripts/l2tp/5-to-6
@@ -0,0 +1,110 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'l2tp', 'remote-access']
+if not config.exists(base):
+    exit(0)
+
+#migrate idle to ppp option lcp-echo-timeout
+idle_path = base + ['idle']
+if config.exists(idle_path):
+    config.set(base + ['ppp-options', 'lcp-echo-timeout'],
+               value=config.return_value(idle_path))
+    config.delete(idle_path)
+
+#migrate mppe from authentication to ppp-otion
+mppe_path = base + ['authentication', 'mppe']
+if config.exists(mppe_path):
+    config.set(base + ['ppp-options', 'mppe'],
+               value=config.return_value(mppe_path))
+    config.delete(mppe_path)
+
+#migrate require to protocol
+require_path = base + ['authentication', 'require']
+if config.exists(require_path):
+    protocols = list(config.return_values(require_path))
+    for protocol in protocols:
+        config.set(base + ['authentication', 'protocols'], value=protocol,
+                   replace=False)
+    config.delete(require_path)
+else:
+    config.set(base + ['authentication', 'protocols'], value='mschap-v2')
+
+#migrate default gateway if not exist
+if not config.exists(base + ['gateway-address']):
+    config.set(base + ['gateway-address'], value='10.255.255.0')
+
+#migrate authentication radius timeout
+rad_timeout_path = base + ['authentication', 'radius', 'timeout']
+if config.exists(rad_timeout_path):
+    if int(config.return_value(rad_timeout_path)) > 60:
+        config.set(rad_timeout_path, value=60)
+
+#migrate authentication radius acct timeout
+rad_acct_timeout_path = base + ['authentication', 'radius', 'acct-timeout']
+if config.exists(rad_acct_timeout_path):
+    if int(config.return_value(rad_acct_timeout_path)) > 60:
+        config.set(rad_acct_timeout_path,value=60)
+
+#migrate authentication radius max-try
+rad_max_try_path = base + ['authentication', 'radius', 'max-try']
+if config.exists(rad_max_try_path):
+    if int(config.return_value(rad_max_try_path)) > 20:
+        config.set(rad_max_try_path, value=20)
+
+#migrate dae-server to dynamic-author
+dae_path_old = base + ['authentication', 'radius', 'dae-server']
+dae_path_new = base + ['authentication', 'radius', 'dynamic-author']
+
+if config.exists(dae_path_old + ['ip-address']):
+    config.set(dae_path_new + ['server'],
+               value=config.return_value(dae_path_old + ['ip-address']))
+
+if config.exists(dae_path_old + ['port']):
+    config.set(dae_path_new + ['port'],
+               value=config.return_value(dae_path_old + ['port']))
+
+if config.exists(dae_path_old + ['secret']):
+    config.set(dae_path_new + ['key'],
+               value=config.return_value(dae_path_old + ['secret']))
+
+if config.exists(dae_path_old):
+    config.delete(dae_path_old)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/lldp/0-to-1 b/src/migration-scripts/lldp/0-to-1
index a936cbdfc..a99356062 100755
--- a/src/migration-scripts/lldp/0-to-1
+++ b/src/migration-scripts/lldp/0-to-1
@@ -1,4 +1,18 @@
 #!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Delete "set service lldp interface <interface> location civic-based" option
 # as it was broken most of the time anyways
diff --git a/src/migration-scripts/lldp/1-to-2 b/src/migration-scripts/lldp/1-to-2
new file mode 100755
index 000000000..35efb25db
--- /dev/null
+++ b/src/migration-scripts/lldp/1-to-2
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5855: migrate "set service lldp snmp enable" -> `set service lldp snmp"
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if len(sys.argv) < 2:
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['service', 'lldp']
+if not config.exists(base):
+    # Nothing to do
+    sys.exit(0)
+
+if config.exists(base + ['snmp']):
+    enabled = config.exists(base + ['snmp', 'enable'])
+    config.delete(base + ['snmp'])
+    if enabled: config.set(base + ['snmp'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    sys.exit(1)
diff --git a/src/migration-scripts/nat/5-to-6 b/src/migration-scripts/nat/5-to-6
new file mode 100755
index 000000000..de3830582
--- /dev/null
+++ b/src/migration-scripts/nat/5-to-6
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5643: move from 'set nat [source|destination] rule X [inbound-interface|outbound interface] <iface>'
+# to
+# 'set nat [source|destination] rule X [inbound-interface|outbound interface] interface-name <iface>'
+
+from sys import argv,exit
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+if not config.exists(['nat']):
+    # Nothing to do
+    exit(0)
+
+for direction in ['source', 'destination']:
+    # If a node doesn't exist, we obviously have nothing to do.
+    if not config.exists(['nat', direction]):
+        continue
+
+    # However, we also need to handle the case when a 'source' or 'destination' sub-node does exist,
+    # but there are no rules under it.
+    if not config.list_nodes(['nat', direction]):
+        continue
+
+    for rule in config.list_nodes(['nat', direction, 'rule']):
+        base = ['nat', direction, 'rule', rule]
+        for iface in ['inbound-interface','outbound-interface']:
+            if config.exists(base + [iface]):
+                tmp = config.return_value(base + [iface])
+                config.delete(base + [iface])
+                config.set(base + [iface, 'interface-name'], value=tmp)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/nat/6-to-7 b/src/migration-scripts/nat/6-to-7
new file mode 100755
index 000000000..a2e735394
--- /dev/null
+++ b/src/migration-scripts/nat/6-to-7
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5681: Firewall re-writing. Simplify cli when mathcing interface
+# From
+#   'set nat [source|destination] rule X [inbound-interface|outbound interface] interface-name <iface>'
+#   'set nat [source|destination] rule X [inbound-interface|outbound interface] interface-group <iface_group>'
+# to
+#   'set nat [source|destination] rule X [inbound-interface|outbound interface] name <iface>'
+#   'set nat [source|destination] rule X [inbound-interface|outbound interface] group <iface_group>'
+# Also remove command if interface == any
+
+from sys import argv,exit
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+if not config.exists(['nat']):
+    # Nothing to do
+    exit(0)
+
+for direction in ['source', 'destination']:
+    # If a node doesn't exist, we obviously have nothing to do.
+    if not config.exists(['nat', direction]):
+        continue
+
+    # However, we also need to handle the case when a 'source' or 'destination' sub-node does exist,
+    # but there are no rules under it.
+    if not config.list_nodes(['nat', direction]):
+        continue
+
+    for rule in config.list_nodes(['nat', direction, 'rule']):
+        base = ['nat', direction, 'rule', rule]
+        for iface in ['inbound-interface','outbound-interface']:
+            if config.exists(base + [iface]):
+                if config.exists(base + [iface, 'interface-name']):
+                    tmp = config.return_value(base + [iface, 'interface-name'])
+                    if tmp != 'any':
+                        config.delete(base + [iface, 'interface-name'])
+                        config.set(base + [iface, 'name'], value=tmp)
+                    else:
+                        config.delete(base + [iface])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/nat66/1-to-2 b/src/migration-scripts/nat66/1-to-2
new file mode 100755
index 000000000..b7d4e3f6b
--- /dev/null
+++ b/src/migration-scripts/nat66/1-to-2
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5681: Firewall re-writing. Simplify cli when mathcing interface
+# From
+#   'set nat66 [source|destination] rule X [inbound-interface|outbound interface] <iface>'
+# to
+#   'set nat66 [source|destination] rule X [inbound-interface|outbound interface] name <iface>'
+
+from sys import argv,exit
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+if not config.exists(['nat66']):
+    # Nothing to do
+    exit(0)
+
+for direction in ['source', 'destination']:
+    # If a node doesn't exist, we obviously have nothing to do.
+    if not config.exists(['nat66', direction]):
+        continue
+
+    # However, we also need to handle the case when a 'source' or 'destination' sub-node does exist,
+    # but there are no rules under it.
+    if not config.list_nodes(['nat66', direction]):
+        continue
+
+    for rule in config.list_nodes(['nat66', direction, 'rule']):
+        base = ['nat66', direction, 'rule', rule]
+        for iface in ['inbound-interface','outbound-interface']:
+            if config.exists(base + [iface]):
+                tmp = config.return_value(base + [iface])
+                config.delete(base + [iface])
+                config.set(base + [iface, 'name'], value=tmp)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/nat66/2-to-3 b/src/migration-scripts/nat66/2-to-3
new file mode 100755
index 000000000..f34f170b3
--- /dev/null
+++ b/src/migration-scripts/nat66/2-to-3
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from sys import argv,exit
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['nat66', 'source']
+new_base = ['service', 'ndp-proxy', 'interface']
+
+config = ConfigTree(config_file)
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+for rule in config.list_nodes(base + ['rule']):
+    base_rule = base + ['rule', rule]
+
+    interface = None
+    if config.exists(base_rule + ['outbound-interface', 'name']):
+        interface = config.return_value(base_rule + ['outbound-interface', 'name'])
+    else:
+        continue
+
+    prefix_base = base_rule + ['source', 'prefix']
+    if config.exists(prefix_base):
+        prefix = config.return_value(prefix_base)
+        config.set(new_base + [interface, 'prefix', prefix, 'mode'], value='static')
+        config.set_tag(new_base)
+        config.set_tag(new_base + [interface, 'prefix'])
+
+        if config.exists(base_rule + ['disable']):
+            config.set(new_base + [interface, 'prefix', prefix, 'disable'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/pim/0-to-1 b/src/migration-scripts/pim/0-to-1
new file mode 100755
index 000000000..bf8af733c
--- /dev/null
+++ b/src/migration-scripts/pim/0-to-1
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5736: igmp: migrate "protocols igmp" to "protocols pim"
+
+import sys
+from vyos.configtree import ConfigTree
+
+if len(sys.argv) < 2:
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+base = ['protocols', 'igmp']
+pim_base = ['protocols', 'pim']
+if not config.exists(base):
+    # Nothing to do
+    sys.exit(0)
+
+for interface in config.list_nodes(base + ['interface']):
+    base_igmp_iface = base + ['interface', interface]
+    pim_base_iface = pim_base + ['interface', interface]
+
+    # Create IGMP note under PIM interface
+    if not config.exists(pim_base_iface + ['igmp']):
+        config.set(pim_base_iface + ['igmp'])
+
+    if config.exists(base_igmp_iface + ['join']):
+        config.copy(base_igmp_iface + ['join'], pim_base_iface + ['igmp', 'join'])
+        config.set_tag(pim_base_iface + ['igmp', 'join'])
+
+        new_join_base = pim_base_iface + ['igmp', 'join']
+        for address in config.list_nodes(new_join_base):
+            if config.exists(new_join_base + [address, 'source']):
+                config.rename(new_join_base + [address, 'source'], 'source-address')
+
+    if config.exists(base_igmp_iface + ['query-interval']):
+        config.copy(base_igmp_iface + ['query-interval'], pim_base_iface + ['igmp', 'query-interval'])
+
+    if config.exists(base_igmp_iface + ['query-max-response-time']):
+        config.copy(base_igmp_iface + ['query-max-response-time'], pim_base_iface + ['igmp', 'query-max-response-time'])
+
+    if config.exists(base_igmp_iface + ['version']):
+        config.copy(base_igmp_iface + ['version'], pim_base_iface + ['igmp', 'version'])
+
+config.delete(base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    sys.exit(1)
diff --git a/src/migration-scripts/policy/5-to-6 b/src/migration-scripts/policy/5-to-6
new file mode 100755
index 000000000..f1545cddb
--- /dev/null
+++ b/src/migration-scripts/policy/5-to-6
@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5165: Migrate policy local-route rule <tag> destination|source
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base4 = ['policy', 'local-route']
+base6 = ['policy', 'local-route6']
+config = ConfigTree(config_file)
+
+if not config.exists(base4) and not config.exists(base6):
+    # Nothing to do
+    exit(0)
+
+# replace 'policy local-route{v6} rule <tag> destination|source <x.x.x.x>'
+#      => 'policy local-route{v6} rule <tag> destination|source address <x.x.x.x>'
+for base in [base4, base6]:
+    if config.exists(base + ['rule']):
+        for rule in config.list_nodes(base + ['rule']):
+            dst_path = base + ['rule', rule, 'destination']
+            src_path = base + ['rule', rule, 'source']
+            # Destination
+            if config.exists(dst_path):
+                for dst_addr in config.return_values(dst_path):
+                    config.set(dst_path + ['address'], value=dst_addr, replace=False)
+            # Source
+            if config.exists(src_path):
+                for src_addr in config.return_values(src_path):
+                    config.set(src_path + ['address'], value=src_addr, replace=False)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/policy/6-to-7 b/src/migration-scripts/policy/6-to-7
new file mode 100755
index 000000000..e07822ffd
--- /dev/null
+++ b/src/migration-scripts/policy/6-to-7
@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5729: Switch to valueless whenever is possible.
+# From
+    # set policy [route | route6] ... rule <rule> log enable
+    # set policy [route | route6] ... rule <rule> log disable
+# To
+    # set policy [route | route6] ... rule <rule> log
+    # Remove command if log=disable
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['policy']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+for family in ['route', 'route6']:
+    if config.exists(base + [family]):
+
+        for policy_name in config.list_nodes(base + [family]):
+            if config.exists(base + [family, policy_name, 'rule']):
+                for rule in config.list_nodes(base + [family, policy_name, 'rule']):
+                    # Log
+                    if config.exists(base + [family, policy_name, 'rule', rule, 'log']):
+                        log_value = config.return_value(base + [family, policy_name, 'rule', rule, 'log'])
+                        config.delete(base + [family, policy_name, 'rule', rule, 'log'])
+                        if log_value == 'enable':
+                            config.set(base + [family, policy_name, 'rule', rule, 'log'])
+                    # State
+                    if config.exists(base + [family, policy_name, 'rule', rule, 'state']):
+                        flag_enable = 'False'
+                        for state in ['established', 'invalid', 'new', 'related']:
+                            if config.exists(base + [family, policy_name, 'rule', rule, 'state', state]):
+                                state_value = config.return_value(base + [family, policy_name, 'rule', rule, 'state', state])
+                                config.delete(base + [family, policy_name, 'rule', rule, 'state', state])
+                                if state_value == 'enable':
+                                    config.set(base + [family, policy_name, 'rule', rule, 'state'], value=state, replace=False)
+                                    flag_enable = 'True'
+                        if flag_enable == 'False':
+                            config.delete(base + [family, policy_name, 'rule', rule, 'state'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
\ No newline at end of file
diff --git a/src/migration-scripts/policy/7-to-8 b/src/migration-scripts/policy/7-to-8
new file mode 100755
index 000000000..73eece1a6
--- /dev/null
+++ b/src/migration-scripts/policy/7-to-8
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5834: Rename 'enable-default-log' to 'default-log'
+# From
+    # set policy [route | route 6] <route> enable-default-log
+# To
+    # set policy [route | route 6] <route> default-log
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['policy']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+for family in ['route', 'route6']:
+    if config.exists(base + [family]):
+
+        for policy_name in config.list_nodes(base + [family]):
+            if config.exists(base + [family, policy_name, 'enable-default-log']):
+                config.rename(base + [family, policy_name, 'enable-default-log'], 'default-log')
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/pppoe-server/6-to-7 b/src/migration-scripts/pppoe-server/6-to-7
new file mode 100755
index 000000000..d856c1f34
--- /dev/null
+++ b/src/migration-scripts/pppoe-server/6-to-7
@@ -0,0 +1,122 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - move all pool to named pools
+#       'start-stop' migrate to namedpool 'default-range-pool'
+#       'subnet' migrate to namedpool 'default-subnet-pool'
+#       'default-subnet-pool' is the next pool for 'default-range-pool'
+# - There is only one gateway-address, take the first which is configured
+# - default-pool by migration.
+#       1. If authentication mode = 'local' then it is first named pool.
+#       If there are not named pools, namedless pool will be default.
+#       2. If authentication mode = 'radius' then namedless pool will be default
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['service', 'pppoe-server']
+pool_base = base + ['client-ip-pool']
+if not config.exists(base):
+    exit(0)
+
+if not config.exists(pool_base):
+    exit(0)
+default_pool = ''
+range_pool_name = 'default-range-pool'
+
+subnet_base_name = 'default-subnet-pool'
+number = 1
+subnet_pool_name = f'{subnet_base_name}-{number}'
+prev_subnet_pool = subnet_pool_name
+#Default nameless pools migrations
+if config.exists(pool_base + ['subnet']):
+    default_pool = subnet_pool_name
+    for subnet in config.return_values(pool_base + ['subnet']):
+        config.set(pool_base + [subnet_pool_name, 'range'], value=subnet)
+        if prev_subnet_pool != subnet_pool_name:
+            config.set(pool_base + [prev_subnet_pool, 'next-pool'],
+                       value=subnet_pool_name)
+            prev_subnet_pool = subnet_pool_name
+        number += 1
+        subnet_pool_name = f'{subnet_base_name}-{number}'
+
+    config.delete(pool_base + ['subnet'])
+
+if config.exists(pool_base + ['start']) and config.exists(pool_base + ['stop']):
+    start_ip = config.return_value(pool_base + ['start'])
+    stop_ip = config.return_value(pool_base + ['stop'])
+    ip_range = f'{start_ip}-{stop_ip}'
+    config.delete(pool_base + ['start'])
+    config.delete(pool_base + ['stop'])
+    config.set(pool_base + [range_pool_name, 'range'], value=ip_range)
+    if default_pool:
+        config.set(pool_base + [range_pool_name, 'next-pool'],
+                   value=default_pool)
+    default_pool = range_pool_name
+
+gateway = ''
+if config.exists(base + ['gateway-address']):
+    gateway = config.return_value(base + ['gateway-address'])
+
+#named pool migration
+namedpools_base = pool_base + ['name']
+if config.exists(namedpools_base):
+    if config.exists(base + ['authentication', 'mode']):
+        if config.return_value(base + ['authentication', 'mode']) == 'local':
+            if config.list_nodes(namedpools_base):
+                default_pool = config.list_nodes(namedpools_base)[0]
+
+    for pool_name in config.list_nodes(namedpools_base):
+        pool_path = namedpools_base + [pool_name]
+        if config.exists(pool_path + ['subnet']):
+            subnet = config.return_value(pool_path + ['subnet'])
+            config.set(pool_base + [pool_name, 'range'], value=subnet)
+        if config.exists(pool_path + ['next-pool']):
+            next_pool = config.return_value(pool_path + ['next-pool'])
+            config.set(pool_base + [pool_name, 'next-pool'], value=next_pool)
+        if not gateway:
+            if config.exists(pool_path + ['gateway-address']):
+                gateway = config.return_value(pool_path + ['gateway-address'])
+
+    config.delete(namedpools_base)
+
+if gateway:
+    config.set(base + ['gateway-address'], value=gateway)
+if default_pool:
+    config.set(base + ['default-pool'], value=default_pool)
+# format as tag node
+config.set_tag(pool_base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/pptp/2-to-3 b/src/migration-scripts/pptp/2-to-3
new file mode 100755
index 000000000..98dc5c2a6
--- /dev/null
+++ b/src/migration-scripts/pptp/2-to-3
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - move all pool to named pools
+#       'start-stop' migrate to namedpool 'default-range-pool'
+#       'default-subnet-pool' is the next pool for 'default-range-pool'
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'pptp', 'remote-access']
+pool_base = base + ['client-ip-pool']
+if not config.exists(base):
+    exit(0)
+
+if not config.exists(pool_base):
+    exit(0)
+
+range_pool_name = 'default-range-pool'
+
+if config.exists(pool_base + ['start']) and config.exists(pool_base + ['stop']):
+    start_ip = config.return_value(pool_base + ['start'])
+    stop_ip = config.return_value(pool_base + ['stop'])
+    ip_range = f'{start_ip}-{stop_ip}'
+    config.delete(pool_base + ['start'])
+    config.delete(pool_base + ['stop'])
+    config.set(pool_base + [range_pool_name, 'range'], value=ip_range)
+    config.set(base + ['default-pool'], value=range_pool_name)
+# format as tag node
+config.set_tag(pool_base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/sstp/4-to-5 b/src/migration-scripts/sstp/4-to-5
new file mode 100755
index 000000000..3a86c79ec
--- /dev/null
+++ b/src/migration-scripts/sstp/4-to-5
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - move all pool to named pools
+#       'subnet' migrate to namedpool 'default-subnet-pool'
+#       'default-subnet-pool' is the next pool for 'default-range-pool'
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'sstp']
+pool_base = base + ['client-ip-pool']
+if not config.exists(base):
+    exit(0)
+
+if not config.exists(pool_base):
+    exit(0)
+
+subnet_base_name = 'default-subnet-pool'
+number = 1
+subnet_pool_name = f'{subnet_base_name}-{number}'
+prev_subnet_pool = subnet_pool_name
+if config.exists(pool_base + ['subnet']):
+    default_pool = subnet_pool_name
+    for subnet in config.return_values(pool_base + ['subnet']):
+        config.set(pool_base + [subnet_pool_name, 'range'], value=subnet)
+        if prev_subnet_pool != subnet_pool_name:
+            config.set(pool_base + [prev_subnet_pool, 'next-pool'],
+                       value=subnet_pool_name)
+            prev_subnet_pool = subnet_pool_name
+        number += 1
+        subnet_pool_name = f'{subnet_base_name}-{number}'
+
+    config.delete(pool_base + ['subnet'])
+    config.set(base + ['default-pool'], value=default_pool)
+# format as tag node
+config.set_tag(pool_base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/system/13-to-14 b/src/migration-scripts/system/13-to-14
index 1fa781869..5b781158b 100755
--- a/src/migration-scripts/system/13-to-14
+++ b/src/migration-scripts/system/13-to-14
@@ -34,7 +34,7 @@ else:
 
     # retrieve all valid timezones
     try:
-        tz_datas = cmd('find /usr/share/zoneinfo/posix -type f -or -type l | sed -e s:/usr/share/zoneinfo/posix/::')
+        tz_datas = cmd('timedatectl list-timezones')
     except OSError:
         tz_datas = ''
     tz_data = tz_datas.split('\n')
diff --git a/src/migration-scripts/system/26-to-27 b/src/migration-scripts/system/26-to-27
new file mode 100755
index 000000000..80bb82cbd
--- /dev/null
+++ b/src/migration-scripts/system/26-to-27
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# T5877: migrate 'system domain-search domain' to 'system domain-search'
+
+from sys import exit, argv
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['system', 'domain-search']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    exit(0)
+
+if config.exists(base + ['domain']):
+    entries = config.return_values(base + ['domain'])
+    config.delete(base + ['domain'])
+    for entry in entries:
+        config.set(base, value=entry, replace=False)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print(f'Failed to save the modified config: {e}')
+    exit(1)
diff --git a/src/op_mode/bridge.py b/src/op_mode/bridge.py
index 185db4f20..412a4eba8 100755
--- a/src/op_mode/bridge.py
+++ b/src/op_mode/bridge.py
@@ -56,6 +56,13 @@ def _get_raw_data_vlan(tunnel:bool=False):
     data_dict = json.loads(json_data)
     return data_dict
 
+def _get_raw_data_vni() -> dict:
+    """
+    :returns dict
+    """
+    json_data = cmd(f'bridge --json vni show')
+    data_dict = json.loads(json_data)
+    return data_dict
 
 def _get_raw_data_fdb(bridge):
     """Get MAC-address for the bridge brX
@@ -165,6 +172,22 @@ def _get_formatted_output_vlan_tunnel(data):
     output = tabulate(data_entries, headers)
     return output
 
+def _get_formatted_output_vni(data):
+    data_entries = []
+    for entry in data:
+        interface = entry.get('ifname')
+        vlans = entry.get('vnis')
+        for vlan_entry in vlans:
+            vlan = vlan_entry.get('vni')
+            if vlan_entry.get('vniEnd'):
+                vlan_end = vlan_entry.get('vniEnd')
+                vlan = f'{vlan}-{vlan_end}'
+            data_entries.append([interface, vlan])
+
+    headers = ["Interface", "VNI"]
+    output = tabulate(data_entries, headers)
+    return output
+
 def _get_formatted_output_fdb(data):
     data_entries = []
     for entry in data:
@@ -228,6 +251,12 @@ def show_vlan(raw: bool, tunnel: typing.Optional[bool]):
         else:
             return _get_formatted_output_vlan(bridge_vlan)
 
+def show_vni(raw: bool):
+    bridge_vni = _get_raw_data_vni()
+    if raw:
+        return bridge_vni
+    else:
+        return _get_formatted_output_vni(bridge_vni)
 
 def show_fdb(raw: bool, interface: str):
     fdb_data = _get_raw_data_fdb(interface)
diff --git a/src/op_mode/connect_disconnect.py b/src/op_mode/connect_disconnect.py
index 89f929be7..10034e499 100755
--- a/src/op_mode/connect_disconnect.py
+++ b/src/op_mode/connect_disconnect.py
@@ -55,7 +55,7 @@ def connect(interface):
         if is_wwan_connected(interface):
             print(f'Interface {interface}: already connected!')
         else:
-            call(f'VYOS_TAGNODE_VALUE={interface} /usr/libexec/vyos/conf_mode/interfaces-wwan.py')
+            call(f'VYOS_TAGNODE_VALUE={interface} /usr/libexec/vyos/conf_mode/interfaces_wwan.py')
     else:
         print(f'Unknown interface {interface}, can not connect. Aborting!')
 
diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py
index 77f38992b..d6b8aa0b8 100755
--- a/src/op_mode/dhcp.py
+++ b/src/op_mode/dhcp.py
@@ -43,6 +43,7 @@ sort_valid_inet6 = ['end', 'iaid_duid', 'ip', 'last_communication', 'pool', 'rem
 
 ArgFamily = typing.Literal['inet', 'inet6']
 ArgState = typing.Literal['all', 'active', 'free', 'expired', 'released', 'abandoned', 'reset', 'backup']
+ArgOrigin = typing.Literal['local', 'remote']
 
 def _utc_to_local(utc_dt):
     return datetime.fromtimestamp((datetime.fromtimestamp(utc_dt) - datetime(1970, 1, 1)).total_seconds())
@@ -71,7 +72,7 @@ def _find_list_of_dict_index(lst, key='ip', value='') -> int:
     return idx
 
 
-def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[]) -> list:
+def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[], origin=None) -> list:
     """
     Get DHCP server leases
     :return list
@@ -82,51 +83,61 @@ def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[]) -> l
 
     if pool is None:
         pool = _get_dhcp_pools(family=family)
+        aux = False
     else:
         pool = [pool]
-
-    for lease in leases:
-        data_lease = {}
-        data_lease['ip'] = lease.ip
-        data_lease['state'] = lease.binding_state
-        data_lease['pool'] = lease.sets.get('shared-networkname', '')
-        data_lease['end'] = lease.end.timestamp() if lease.end else None
-
-        if family == 'inet':
-            data_lease['mac'] = lease.ethernet
-            data_lease['start'] = lease.start.timestamp()
-            data_lease['hostname'] = lease.hostname
-
-        if family == 'inet6':
-            data_lease['last_communication'] = lease.last_communication.timestamp()
-            data_lease['iaid_duid'] = _format_hex_string(lease.host_identifier_string)
-            lease_types_long = {'na': 'non-temporary', 'ta': 'temporary', 'pd': 'prefix delegation'}
-            data_lease['type'] = lease_types_long[lease.type]
-
-        data_lease['remaining'] = '-'
-
-        if lease.end:
-            data_lease['remaining'] = lease.end - datetime.utcnow()
-
-            if data_lease['remaining'].days >= 0:
-                # substraction gives us a timedelta object which can't be formatted with strftime
-                # so we use str(), split gets rid of the microseconds
-                data_lease['remaining'] = str(data_lease["remaining"]).split('.')[0]
-
-        # Do not add old leases
-        if data_lease['remaining'] != '' and data_lease['pool'] in pool and data_lease['state'] != 'free':
-            if not state or data_lease['state'] in state:
-                data.append(data_lease)
-
-        # deduplicate
-        checked = []
-        for entry in data:
-            addr = entry.get('ip')
-            if addr not in checked:
-                checked.append(addr)
-            else:
-                idx = _find_list_of_dict_index(data, key='ip', value=addr)
-                data.pop(idx)
+        aux = True
+
+    ## Search leases for every pool
+    for pool_name in pool:
+        for lease in leases:
+            if lease.sets.get('shared-networkname', '') == pool_name or lease.sets.get('shared-networkname', '') == '':
+            #if lease.sets.get('shared-networkname', '') == pool_name:
+                data_lease = {}
+                data_lease['ip'] = lease.ip
+                data_lease['state'] = lease.binding_state
+                #data_lease['pool'] = pool_name if lease.sets.get('shared-networkname', '') != '' else 'Fail-Over Server'
+                data_lease['pool'] = lease.sets.get('shared-networkname', '')
+                data_lease['end'] = lease.end.timestamp() if lease.end else None
+                data_lease['origin'] = 'local' if data_lease['pool'] != '' else 'remote'
+
+                if family == 'inet':
+                    data_lease['mac'] = lease.ethernet
+                    data_lease['start'] = lease.start.timestamp()
+                    data_lease['hostname'] = lease.hostname
+
+                if family == 'inet6':
+                    data_lease['last_communication'] = lease.last_communication.timestamp()
+                    data_lease['iaid_duid'] = _format_hex_string(lease.host_identifier_string)
+                    lease_types_long = {'na': 'non-temporary', 'ta': 'temporary', 'pd': 'prefix delegation'}
+                    data_lease['type'] = lease_types_long[lease.type]
+
+                data_lease['remaining'] = '-'
+
+                if lease.end:
+                    data_lease['remaining'] = lease.end - datetime.utcnow()
+
+                    if data_lease['remaining'].days >= 0:
+                        # substraction gives us a timedelta object which can't be formatted with strftime
+                        # so we use str(), split gets rid of the microseconds
+                        data_lease['remaining'] = str(data_lease["remaining"]).split('.')[0]
+
+                # Do not add old leases
+                if data_lease['remaining'] != '' and data_lease['state'] != 'free':
+                    if not state or data_lease['state'] in state or state == 'all':
+                        if not origin or data_lease['origin'] in origin:
+                            if not aux or (aux and data_lease['pool'] == pool_name):
+                                data.append(data_lease)
+
+                # deduplicate
+                checked = []
+                for entry in data:
+                    addr = entry.get('ip')
+                    if addr not in checked:
+                        checked.append(addr)
+                    else:
+                        idx = _find_list_of_dict_index(data, key='ip', value=addr)
+                        data.pop(idx)
 
     if sorted:
         if sorted == 'ip':
@@ -150,10 +161,11 @@ def _get_formatted_server_leases(raw_data, family='inet'):
             remain = lease.get('remaining')
             pool = lease.get('pool')
             hostname = lease.get('hostname')
-            data_entries.append([ipaddr, hw_addr, state, start, end, remain, pool, hostname])
+            origin = lease.get('origin')
+            data_entries.append([ipaddr, hw_addr, state, start, end, remain, pool, hostname, origin])
 
         headers = ['IP Address', 'MAC address', 'State', 'Lease start', 'Lease expiration', 'Remaining', 'Pool',
-                   'Hostname']
+                   'Hostname', 'Origin']
 
     if family == 'inet6':
         for lease in raw_data:
@@ -267,7 +279,8 @@ def show_pool_statistics(raw: bool, family: ArgFamily, pool: typing.Optional[str
 
 @_verify
 def show_server_leases(raw: bool, family: ArgFamily, pool: typing.Optional[str],
-                       sorted: typing.Optional[str], state: typing.Optional[ArgState]):
+                       sorted: typing.Optional[str], state: typing.Optional[ArgState],
+                       origin: typing.Optional[ArgOrigin] ):
     # if dhcp server is down, inactive leases may still be shown as active, so warn the user.
     v = '6' if family == 'inet6' else ''
     service_name = 'DHCPv6' if family == 'inet6' else 'DHCP'
@@ -285,7 +298,7 @@ def show_server_leases(raw: bool, family: ArgFamily, pool: typing.Optional[str],
     if sorted and sorted not in sort_valid:
         raise vyos.opmode.IncorrectValue(f'DHCP{v} sort "{sorted}" is invalid!')
 
-    lease_data = _get_raw_server_leases(family=family, pool=pool, sorted=sorted, state=state)
+    lease_data = _get_raw_server_leases(family=family, pool=pool, sorted=sorted, state=state, origin=origin)
     if raw:
         return lease_data
     else:
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 581710b31..d426b62e5 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -24,27 +24,48 @@ from vyos.config import Config
 from vyos.utils.process import cmd
 from vyos.utils.dict import dict_search_args
 
-def get_config_firewall(conf, hook=None, priority=None, ipv6=False):
-    config_path = ['firewall']
-    if hook:
-        config_path += ['ipv6' if ipv6 else 'ipv4', hook]
-        if priority:
-            config_path += [priority]
+def get_config_node(conf, node=None, family=None, hook=None, priority=None):
+    if node == 'nat':
+        if family == 'ipv6':
+            config_path = ['nat66']
+        else:
+            config_path = ['nat']
 
-    firewall = conf.get_config_dict(config_path, key_mangling=('-', '_'),
+    elif node == 'policy':
+        config_path = ['policy']
+    else:
+        config_path = ['firewall']
+        if family:
+            config_path += [family]
+            if hook:
+                config_path += [hook]
+                if priority:
+                    config_path += [priority]
+
+    node_config = conf.get_config_dict(config_path, key_mangling=('-', '_'),
                                 get_first_key=True, no_tag_node_value_mangle=True)
 
-    return firewall
+    return node_config
+
+def get_nftables_details(family, hook, priority):
+    if family == 'ipv6':
+        suffix = 'ip6'
+        name_prefix = 'NAME6_'
+        aux='IPV6_'
+    elif family == 'ipv4':
+        suffix = 'ip'
+        name_prefix = 'NAME_'
+        aux=''
+    else:
+        suffix = 'bridge'
+        name_prefix = 'NAME_'
+        aux=''
 
-def get_nftables_details(hook, priority, ipv6=False):
-    suffix = '6' if ipv6 else ''
-    aux = 'IPV6_' if ipv6 else ''
-    name_prefix = 'NAME6_' if ipv6 else 'NAME_'
     if hook == 'name' or hook == 'ipv6-name':
-        command = f'sudo nft list chain ip{suffix} vyos_filter {name_prefix}{priority}'
+        command = f'sudo nft list chain {suffix} vyos_filter {name_prefix}{priority}'
     else:
         up_hook = hook.upper()
-        command = f'sudo nft list chain ip{suffix} vyos_filter VYOS_{aux}{up_hook}_{priority}'
+        command = f'sudo nft list chain {suffix} vyos_filter VYOS_{aux}{up_hook}_{priority}'
 
     try:
         results = cmd(command)
@@ -68,11 +89,10 @@ def get_nftables_details(hook, priority, ipv6=False):
         out[rule_id] = rule
     return out
 
-def output_firewall_name(hook, priority, firewall_conf, ipv6=False, single_rule_id=None):
-    ip_str = 'IPv6' if ipv6 else 'IPv4'
-    print(f'\n---------------------------------\n{ip_str} Firewall "{hook} {priority}"\n')
+def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=None):
+    print(f'\n---------------------------------\n{family} Firewall "{hook} {priority}"\n')
 
-    details = get_nftables_details(hook, priority, ipv6)
+    details = get_nftables_details(family, hook, priority)
     rows = []
 
     if 'rule' in firewall_conf:
@@ -91,7 +111,15 @@ def output_firewall_name(hook, priority, firewall_conf, ipv6=False, single_rule_
                 row.append(rule_details['conditions'])
             rows.append(row)
 
-    if 'default_action' in firewall_conf and not single_rule_id:
+    if hook in ['input', 'forward', 'output']:
+        def_action = firewall_conf['default_action'] if 'default_action' in firewall_conf else 'accept'
+        row = ['default', def_action, 'all']
+        rule_details = details['default-action']
+        row.append(rule_details.get('packets', 0))
+        row.append(rule_details.get('bytes', 0))
+        rows.append(row)
+
+    elif 'default_action' in firewall_conf and not single_rule_id:
         row = ['default', firewall_conf['default_action'], 'all']
         if 'default-action' in details:
             rule_details = details['default-action']
@@ -103,11 +131,10 @@ def output_firewall_name(hook, priority, firewall_conf, ipv6=False, single_rule_
         header = ['Rule', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions']
         print(tabulate.tabulate(rows, header) + '\n')
 
-def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_rule_id=None):
-    ip_str = 'IPv6' if ipv6 else 'IPv4'
-    print(f'\n---------------------------------\n{ip_str} Firewall "{hook} {prior}"\n')
+def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule_id=None):
+    print(f'\n---------------------------------\n{family} Firewall "{hook} {prior}"\n')
 
-    details = get_nftables_details(hook, prior, ipv6)
+    details = get_nftables_details(family, hook, prior)
     rows = []
 
     if 'rule' in prior_conf:
@@ -127,7 +154,15 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
                     if not source_addr:
                         source_addr = dict_search_args(rule_conf, 'source', 'group', 'domain_group')
                         if not source_addr:
-                            source_addr = '::/0' if ipv6 else '0.0.0.0/0'
+                            source_addr = dict_search_args(rule_conf, 'source', 'fqdn')
+                            if not source_addr:
+                                source_addr = dict_search_args(rule_conf, 'source', 'geoip', 'country_code')
+                                if source_addr:
+                                    source_addr = str(source_addr)[1:-1].replace('\'','')
+                                    if 'inverse_match' in dict_search_args(rule_conf, 'source', 'geoip'):
+                                        source_addr = 'NOT ' + str(source_addr)
+                                if not source_addr:
+                                    source_addr = 'any'
 
             # Get destination
             dest_addr = dict_search_args(rule_conf, 'destination', 'address')
@@ -138,19 +173,27 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
                     if not dest_addr:
                         dest_addr = dict_search_args(rule_conf, 'destination', 'group', 'domain_group')
                         if not dest_addr:
-                            dest_addr = '::/0' if ipv6 else '0.0.0.0/0'
+                            dest_addr = dict_search_args(rule_conf, 'destination', 'fqdn')
+                            if not dest_addr:
+                                dest_addr = dict_search_args(rule_conf, 'destination', 'geoip', 'country_code')
+                                if dest_addr:
+                                    dest_addr = str(dest_addr)[1:-1].replace('\'','')
+                                    if 'inverse_match' in dict_search_args(rule_conf, 'destination', 'geoip'):
+                                        dest_addr = 'NOT ' + str(dest_addr)
+                                if not dest_addr:
+                                    dest_addr = 'any'
 
             # Get inbound interface
-            iiface = dict_search_args(rule_conf, 'inbound_interface', 'interface_name')
+            iiface = dict_search_args(rule_conf, 'inbound_interface', 'name')
             if not iiface:
-                iiface = dict_search_args(rule_conf, 'inbound_interface', 'interface_group')
+                iiface = dict_search_args(rule_conf, 'inbound_interface', 'group')
                 if not iiface:
                     iiface = 'any'
 
             # Get outbound interface
-            oiface = dict_search_args(rule_conf, 'outbound_interface', 'interface_name')
+            oiface = dict_search_args(rule_conf, 'outbound_interface', 'name')
             if not oiface:
-                oiface = dict_search_args(rule_conf, 'outbound_interface', 'interface_group')
+                oiface = dict_search_args(rule_conf, 'outbound_interface', 'group')
                 if not oiface:
                     oiface = 'any'
 
@@ -169,7 +212,23 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
             row.append(oiface)
             rows.append(row)
 
-    if 'default_action' in prior_conf and not single_rule_id:
+
+    if hook in ['input', 'forward', 'output']:
+        row = ['default']
+        rule_details = details['default-action']
+        row.append(rule_details.get('packets', 0))
+        row.append(rule_details.get('bytes', 0))
+        if 'default_action' in prior_conf:
+            row.append(prior_conf['default_action'])
+        else:
+            row.append('accept')
+        row.append('any')
+        row.append('any')
+        row.append('any')
+        row.append('any')
+        rows.append(row)
+
+    elif 'default_action' in prior_conf and not single_rule_id:
         row = ['default']
         if 'default-action' in details:
             rule_details = details['default-action']
@@ -179,8 +238,10 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
             row.append('0')
             row.append('0')
         row.append(prior_conf['default_action'])
-        row.append('0.0.0.0/0') # Source
-        row.append('0.0.0.0/0') # Dest
+        row.append('any')   # Source
+        row.append('any')   # Dest
+        row.append('any')   # inbound-interface
+        row.append('any')   # outbound-interface
         rows.append(row)
 
     if rows:
@@ -191,60 +252,56 @@ def show_firewall():
     print('Rulesets Information')
 
     conf = Config()
-    firewall = get_config_firewall(conf)
+    firewall = get_config_node(conf)
 
     if not firewall:
         return
 
-    if 'ipv4' in firewall:
-        for hook, hook_conf in firewall['ipv4'].items():
-            for prior, prior_conf in firewall['ipv4'][hook].items():
-                output_firewall_name(hook, prior, prior_conf, ipv6=False)
-
-    if 'ipv6' in firewall:
-        for hook, hook_conf in firewall['ipv6'].items():
-            for prior, prior_conf in firewall['ipv6'][hook].items():
-                output_firewall_name(hook, prior, prior_conf, ipv6=True)
+    for family in ['ipv4', 'ipv6', 'bridge']:
+        if family in firewall:
+            for hook, hook_conf in firewall[family].items():
+                for prior, prior_conf in firewall[family][hook].items():
+                    output_firewall_name(family, hook, prior, prior_conf)
 
 def show_firewall_family(family):
     print(f'Rulesets {family} Information')
 
     conf = Config()
-    firewall = get_config_firewall(conf)
+    firewall = get_config_node(conf)
 
-    if not firewall:
+    if not firewall or family not in firewall:
         return
 
     for hook, hook_conf in firewall[family].items():
         for prior, prior_conf in firewall[family][hook].items():
-            if family == 'ipv6':
-                output_firewall_name(hook, prior, prior_conf, ipv6=True)
-            else:
-                output_firewall_name(hook, prior, prior_conf, ipv6=False)
+            output_firewall_name(family, hook, prior, prior_conf)
 
-def show_firewall_name(hook, priority, ipv6=False):
+def show_firewall_name(family, hook, priority):
     print('Ruleset Information')
 
     conf = Config()
-    firewall = get_config_firewall(conf, hook, priority, ipv6)
+    firewall = get_config_node(conf, 'firewall', family, hook, priority)
     if firewall:
-        output_firewall_name(hook, priority, firewall, ipv6)
+        output_firewall_name(family, hook, priority, firewall)
 
-def show_firewall_rule(hook, priority, rule_id, ipv6=False):
+def show_firewall_rule(family, hook, priority, rule_id):
     print('Rule Information')
 
     conf = Config()
-    firewall = get_config_firewall(conf, hook, priority, ipv6)
+    firewall = get_config_node(conf, 'firewall', family, hook, priority)
     if firewall:
-        output_firewall_name(hook, priority, firewall, ipv6, rule_id)
+        output_firewall_name(family, hook, priority, firewall, rule_id)
 
 def show_firewall_group(name=None):
     conf = Config()
-    firewall = get_config_firewall(conf)
+    firewall = get_config_node(conf, node='firewall')
 
     if 'group' not in firewall:
         return
 
+    nat = get_config_node(conf, node='nat')
+    policy = get_config_node(conf, node='policy')
+
     def find_references(group_type, group_name):
         out = []
         family = []
@@ -260,6 +317,7 @@ def show_firewall_group(name=None):
             family = ['ipv4', 'ipv6']
 
         for item in family:
+            # Look references in firewall
             for name_type in ['name', 'ipv6_name', 'forward', 'input', 'output']:
                 if item in firewall:
                     if name_type not in firewall[item]:
@@ -267,11 +325,13 @@ def show_firewall_group(name=None):
                     for priority, priority_conf in firewall[item][name_type].items():
                         if priority not in firewall[item][name_type]:
                             continue
+                        if 'rule' not in priority_conf:
+                            continue
                         for rule_id, rule_conf in priority_conf['rule'].items():
                             source_group = dict_search_args(rule_conf, 'source', 'group', group_type)
                             dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type)
-                            in_interface = dict_search_args(rule_conf, 'inbound_interface', 'interface_group')
-                            out_interface = dict_search_args(rule_conf, 'outbound_interface', 'interface_group')
+                            in_interface = dict_search_args(rule_conf, 'inbound_interface', 'group')
+                            out_interface = dict_search_args(rule_conf, 'outbound_interface', 'group')
                             if source_group:
                                 if source_group[0] == "!":
                                     source_group = source_group[1:]
@@ -292,6 +352,76 @@ def show_firewall_group(name=None):
                                     out_interface = out_interface[1:]
                                 if group_name == out_interface:
                                     out.append(f'{item}-{name_type}-{priority}-{rule_id}')
+
+            # Look references in route | route6
+            for name_type in ['route', 'route6']:
+                if name_type not in policy:
+                    continue
+                if name_type == 'route' and item == 'ipv6':
+                    continue
+                elif name_type == 'route6' and item == 'ipv4':
+                    continue
+                else:
+                    for policy_name, policy_conf in policy[name_type].items():
+                        if 'rule' not in policy_conf:
+                            continue
+                        for rule_id, rule_conf in policy_conf['rule'].items():
+                            source_group = dict_search_args(rule_conf, 'source', 'group', group_type)
+                            dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type)
+                            in_interface = dict_search_args(rule_conf, 'inbound_interface', 'group')
+                            out_interface = dict_search_args(rule_conf, 'outbound_interface', 'group')
+                            if source_group:
+                                if source_group[0] == "!":
+                                    source_group = source_group[1:]
+                                if group_name == source_group:
+                                    out.append(f'{name_type}-{policy_name}-{rule_id}')
+                            if dest_group:
+                                if dest_group[0] == "!":
+                                    dest_group = dest_group[1:]
+                                if group_name == dest_group:
+                                    out.append(f'{name_type}-{policy_name}-{rule_id}')
+                            if in_interface:
+                                if in_interface[0] == "!":
+                                    in_interface = in_interface[1:]
+                                if group_name == in_interface:
+                                    out.append(f'{name_type}-{policy_name}-{rule_id}')
+                            if out_interface:
+                                if out_interface[0] == "!":
+                                    out_interface = out_interface[1:]
+                                if group_name == out_interface:
+                                    out.append(f'{name_type}-{policy_name}-{rule_id}')
+
+        ## Look references in nat table
+        for direction in ['source', 'destination']:
+            if direction in nat:
+                if 'rule' not in nat[direction]:
+                    continue
+                for rule_id, rule_conf in nat[direction]['rule'].items():
+                    source_group = dict_search_args(rule_conf, 'source', 'group', group_type)
+                    dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type)
+                    in_interface = dict_search_args(rule_conf, 'inbound_interface', 'group')
+                    out_interface = dict_search_args(rule_conf, 'outbound_interface', 'group')
+                    if source_group:
+                        if source_group[0] == "!":
+                            source_group = source_group[1:]
+                        if group_name == source_group:
+                            out.append(f'nat-{direction}-{rule_id}')
+                    if dest_group:
+                        if dest_group[0] == "!":
+                            dest_group = dest_group[1:]
+                        if group_name == dest_group:
+                            out.append(f'nat-{direction}-{rule_id}')
+                    if in_interface:
+                        if in_interface[0] == "!":
+                            in_interface = in_interface[1:]
+                        if group_name == in_interface:
+                            out.append(f'nat-{direction}-{rule_id}')
+                    if out_interface:
+                        if out_interface[0] == "!":
+                            out_interface = out_interface[1:]
+                        if group_name == out_interface:
+                            out.append(f'nat-{direction}-{rule_id}')
+
         return out
 
     header = ['Name', 'Type', 'References', 'Members']
@@ -303,7 +433,7 @@ def show_firewall_group(name=None):
                 continue
 
             references = find_references(group_type, group_name)
-            row = [group_name, group_type, '\n'.join(references) or 'N/A']
+            row = [group_name, group_type, '\n'.join(references) or 'N/D']
             if 'address' in group_conf:
                 row.append("\n".join(sorted(group_conf['address'])))
             elif 'network' in group_conf:
@@ -315,9 +445,10 @@ def show_firewall_group(name=None):
             elif 'interface' in group_conf:
                 row.append("\n".join(sorted(group_conf['interface'])))
             else:
-                row.append('N/A')
+                row.append('N/D')
             rows.append(row)
 
+
     if rows:
         print('Firewall Groups\n')
         print(tabulate.tabulate(rows, header))
@@ -326,7 +457,7 @@ def show_summary():
     print('Ruleset Summary')
 
     conf = Config()
-    firewall = get_config_firewall(conf)
+    firewall = get_config_node(conf)
 
     if not firewall:
         return
@@ -334,6 +465,7 @@ def show_summary():
     header = ['Ruleset Hook', 'Ruleset Priority', 'Description', 'References']
     v4_out = []
     v6_out = []
+    br_out = []
 
     if 'ipv4' in firewall:
         for hook, hook_conf in firewall['ipv4'].items():
@@ -347,6 +479,12 @@ def show_summary():
                 description = prior_conf.get('description', '')
                 v6_out.append([hook, prior, description])
 
+    if 'bridge' in firewall:
+        for hook, hook_conf in firewall['bridge'].items():
+            for prior, prior_conf in firewall['bridge'][hook].items():
+                description = prior_conf.get('description', '')
+                br_out.append([hook, prior, description])
+
     if v6_out:
         print('\nIPv6 Ruleset:\n')
         print(tabulate.tabulate(v6_out, header) + '\n')
@@ -355,26 +493,26 @@ def show_summary():
         print('\nIPv4 Ruleset:\n')
         print(tabulate.tabulate(v4_out, header) + '\n')
 
+    if br_out:
+        print('\nBridge Ruleset:\n')
+        print(tabulate.tabulate(br_out, header) + '\n')
+
     show_firewall_group()
 
 def show_statistics():
     print('Rulesets Statistics')
 
     conf = Config()
-    firewall = get_config_firewall(conf)
+    firewall = get_config_node(conf)
 
     if not firewall:
         return
 
-    if 'ipv4' in firewall:
-        for hook, hook_conf in firewall['ipv4'].items():
-            for prior, prior_conf in firewall['ipv4'][hook].items():
-                output_firewall_name_statistics(hook,prior, prior_conf, ipv6=False)
-
-    if 'ipv6' in firewall:
-        for hook, hook_conf in firewall['ipv6'].items():
-            for prior, prior_conf in firewall['ipv6'][hook].items():
-                output_firewall_name_statistics(hook,prior, prior_conf, ipv6=True)
+    for family in ['ipv4', 'ipv6', 'bridge']:
+        if family in firewall:
+            for hook, hook_conf in firewall[family].items():
+                for prior, prior_conf in firewall[family][hook].items():
+                    output_firewall_name_statistics(family, hook,prior, prior_conf)
 
 if __name__ == '__main__':
     parser = argparse.ArgumentParser()
@@ -390,9 +528,9 @@ if __name__ == '__main__':
 
     if args.action == 'show':
         if not args.rule:
-            show_firewall_name(args.hook, args.priority, args.ipv6)
+            show_firewall_name(args.family, args.hook, args.priority)
         else:
-            show_firewall_rule(args.hook, args.priority, args.rule, args.ipv6)
+            show_firewall_rule(args.family, args.hook, args.priority, args.rule)
     elif args.action == 'show_all':
         show_firewall()
     elif args.action == 'show_family':
@@ -402,4 +540,4 @@ if __name__ == '__main__':
     elif args.action == 'show_statistics':
         show_statistics()
     elif args.action == 'show_summary':
-        show_summary()
+        show_summary()
\ No newline at end of file
diff --git a/src/op_mode/format_disk.py b/src/op_mode/format_disk.py
index 31ceb196a..dc3c96322 100755
--- a/src/op_mode/format_disk.py
+++ b/src/op_mode/format_disk.py
@@ -24,6 +24,7 @@ from vyos.utils.io import ask_yes_no
 from vyos.utils.process import call
 from vyos.utils.process import cmd
 from vyos.utils.process import DEVNULL
+from vyos.utils.disk import device_from_id
 
 def list_disks():
     disks = set()
@@ -77,12 +78,18 @@ if __name__ == '__main__':
     group = parser.add_argument_group()
     group.add_argument('-t', '--target', type=str, required=True, help='Target device to format')
     group.add_argument('-p', '--proto', type=str, required=True, help='Prototype device to use as reference')
+    parser.add_argument('--by-id', action='store_true', help='Specify device by disk id')
     args = parser.parse_args()
+    target = args.target
+    proto = args.proto
+    if args.by_id:
+        target = device_from_id(target)
+        proto = device_from_id(proto)
 
-    target_disk = args.target
+    target_disk = target
     eligible_target_disks = list_disks()
 
-    proto_disk = args.proto
+    proto_disk = proto
     eligible_proto_disks = eligible_target_disks.copy()
     eligible_proto_disks.remove(target_disk)
 
diff --git a/src/op_mode/generate_firewall_rule-resequence.py b/src/op_mode/generate_firewall_rule-resequence.py
new file mode 100755
index 000000000..21441f689
--- /dev/null
+++ b/src/op_mode/generate_firewall_rule-resequence.py
@@ -0,0 +1,148 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import argparse
+from vyos.configquery import ConfigTreeQuery
+
+
+def convert_to_set_commands(config_dict, parent_key=''):
+    """
+    Converts a configuration dictionary into a list of set commands.
+
+    Args:
+        config_dict (dict): The configuration dictionary.
+        parent_key (str): The parent key for nested dictionaries.
+
+    Returns:
+        list: A list of set commands.
+    """
+    commands = []
+    for key, value in config_dict.items():
+        current_key = parent_key + key if parent_key else key
+
+        if isinstance(value, dict):
+            if not value:
+                commands.append(f"set {current_key}")
+            else:
+                commands.extend(
+                    convert_to_set_commands(value, f"{current_key} "))
+
+        elif isinstance(value, list):
+            for item in value:
+                commands.append(f"set {current_key} '{item}'")
+
+        elif isinstance(value, str):
+            commands.append(f"set {current_key} '{value}'")
+
+    return commands
+
+
+def change_rule_numbers(config_dict, start, step):
+    """
+    Changes rule numbers in the configuration dictionary.
+
+    Args:
+        config_dict (dict): The configuration dictionary.
+        start (int): The starting rule number.
+        step (int): The step to increment the rule numbers.
+
+    Returns:
+        None
+    """
+    if 'rule' in config_dict:
+        rule_dict = config_dict['rule']
+        updated_rule_dict = {}
+        rule_num = start
+        for rule_key in sorted(rule_dict.keys()):
+            updated_rule_dict[str(rule_num)] = rule_dict[rule_key]
+            rule_num += step
+        config_dict['rule'] = updated_rule_dict
+
+    for key in config_dict:
+        if isinstance(config_dict[key], dict):
+            change_rule_numbers(config_dict[key], start, step)
+
+
+def convert_rule_keys_to_int(config_dict):
+    """
+    Converts rule keys in the configuration dictionary to integers.
+
+    Args:
+        config_dict (dict or list): The configuration dictionary or list.
+
+    Returns:
+        dict or list: The modified dictionary or list.
+    """
+    if isinstance(config_dict, dict):
+        new_dict = {}
+        for key, value in config_dict.items():
+            # Convert key to integer if possible
+            new_key = int(key) if key.isdigit() else key
+
+            # Recur for nested dictionaries
+            if isinstance(value, dict):
+                new_value = convert_rule_keys_to_int(value)
+            else:
+                new_value = value
+
+            new_dict[new_key] = new_value
+
+        return new_dict
+    elif isinstance(config_dict, list):
+        return [convert_rule_keys_to_int(item) for item in config_dict]
+    else:
+        return config_dict
+
+
+if __name__ == "__main__":
+    # Parse command-line arguments
+    parser = argparse.ArgumentParser(description='Convert dictionary to set commands with rule number modifications.')
+    parser.add_argument('--start', type=int, default=100, help='Start rule number')
+    parser.add_argument('--step', type=int, default=10, help='Step for rule numbers (default: 10)')
+    args = parser.parse_args()
+
+    config = ConfigTreeQuery()
+    if not config.exists('firewall'):
+        print('Firewall is not configured')
+        exit(1)
+
+    config_dict = config.get_config_dict('firewall')
+
+    # Remove global-options, group and flowtable as they don't need sequencing
+    if 'global-options' in config_dict['firewall']:
+        del config_dict['firewall']['global-options']
+
+    if 'group' in config_dict['firewall']:
+        del config_dict['firewall']['group']
+
+    if 'flowtable' in config_dict['firewall']:
+        del config_dict['firewall']['flowtable']
+    
+    # Convert rule keys to integers, rule "10" -> rule 10
+    # This is necessary for sorting the rules
+    config_dict = convert_rule_keys_to_int(config_dict)
+
+    # Apply rule number modifications
+    change_rule_numbers(config_dict, start=args.start, step=args.step)
+
+    # Convert to 'set' commands
+    set_commands = convert_to_set_commands(config_dict)
+
+    print()
+    for command in set_commands:
+        print(command)
+    print()
diff --git a/src/op_mode/generate_tech-support_archive.py b/src/op_mode/generate_tech-support_archive.py
new file mode 100755
index 000000000..c490b0137
--- /dev/null
+++ b/src/op_mode/generate_tech-support_archive.py
@@ -0,0 +1,148 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import os
+import argparse
+import glob
+from datetime import datetime
+from pathlib import Path
+from shutil import rmtree
+
+from socket import gethostname
+from sys import exit
+from tarfile import open as tar_open
+from vyos.utils.process import rc_cmd
+from vyos.remote import upload
+
+def op(cmd: str) -> str:
+    """Returns a command with the VyOS operational mode wrapper."""
+    return f'/opt/vyatta/bin/vyatta-op-cmd-wrapper {cmd}'
+
+def save_stdout(command: str, file: Path) -> None:
+    rc, stdout = rc_cmd(command)
+    body: str = f'''### {command} ###
+Command: {command}
+Exit code: {rc}
+Stdout:
+{stdout}
+
+'''
+    with file.open(mode='a') as f:
+        f.write(body)
+def __rotate_logs(path: str, log_pattern:str):
+    files_list = glob.glob(f'{path}/{log_pattern}')
+    if len(files_list) > 5:
+        oldest_file = min(files_list, key=os.path.getctime)
+        os.remove(oldest_file)
+
+
+def __generate_archived_files(location_path: str) -> None:
+    """
+    Generate arhives of main directories
+    :param location_path: path to temporary directory
+    :type location_path: str
+    """
+    # Dictionary arhive_name:directory_to_arhive
+    archive_dict = {
+        'etc': '/etc',
+        'home': '/home',
+        'var-log': '/var/log',
+        'root': '/root',
+        'tmp': '/tmp',
+        'core-dump': '/var/core',
+        'config': '/opt/vyatta/etc/config'
+    }
+    # Dictionary arhive_name:excluding pattern
+    archive_excludes = {
+        # Old location of archives
+        'config': 'tech-support-archive',
+        # New locations of arhives
+        'tmp': 'tech-support-archive'
+    }
+    for archive_name, path in archive_dict.items():
+        archive_file: str = f'{location_path}/{archive_name}.tar.gz'
+        with tar_open(name=archive_file, mode='x:gz') as tar_file:
+            if archive_name in archive_excludes:
+                tar_file.add(path, filter=lambda x: None if str(archive_excludes[archive_name]) in str(x.name) else x)
+            else:
+                tar_file.add(path)
+
+
+def __generate_main_archive_file(archive_file: str, tmp_dir_path: str) -> None:
+    """
+    Generate main arhive file
+    :param archive_file: name of arhive file
+    :type archive_file: str
+    :param tmp_dir_path: path to arhive memeber
+    :type tmp_dir_path: str
+    """
+    with tar_open(name=archive_file, mode='x:gz') as tar_file:
+        tar_file.add(tmp_dir_path, arcname=os.path.basename(tmp_dir_path))
+
+
+if __name__ == '__main__':
+    defualt_tmp_dir = '/tmp'
+    parser = argparse.ArgumentParser()
+    parser.add_argument("path", nargs='?', default=defualt_tmp_dir)
+    args = parser.parse_args()
+    location_path = args.path[:-1] if args.path[-1] == '/' else args.path
+
+    hostname: str = gethostname()
+    time_now: str = datetime.now().isoformat(timespec='seconds').replace(":", "-")
+
+    remote = False
+    tmp_path = ''
+    tmp_dir_path = ''
+    if 'ftp://' in args.path or 'scp://' in args.path:
+        remote = True
+        tmp_path = defualt_tmp_dir
+    else:
+        tmp_path = location_path
+    archive_pattern = f'_tech-support-archive_'
+    archive_file_name = f'{hostname}{archive_pattern}{time_now}.tar.gz'
+
+    # Log rotation in tmp directory
+    if tmp_path == defualt_tmp_dir:
+        __rotate_logs(tmp_path, f'*{archive_pattern}*')
+
+    # Temporary directory creation
+    tmp_dir_path = f'{tmp_path}/drops-debug_{time_now}'
+    tmp_dir: Path = Path(tmp_dir_path)
+    tmp_dir.mkdir()
+
+    report_file: Path = Path(f'{tmp_dir_path}/show_tech-support_report.txt')
+    report_file.touch()
+    try:
+
+        save_stdout(op('show tech-support report'), report_file)
+        # Generate included archives
+        __generate_archived_files(tmp_dir_path)
+
+        # Generate main archive
+        __generate_main_archive_file(f'{tmp_path}/{archive_file_name}', tmp_dir_path)
+        # Delete temporary directory
+        rmtree(tmp_dir)
+        # Upload to remote site if it is scpecified
+        if remote:
+            upload(f'{tmp_path}/{archive_file_name}', args.path)
+        print(f'Debug file is generated and located in {location_path}/{archive_file_name}')
+    except Exception as err:
+        print(f'Error during generating a debug file: {err}')
+        # cleanup
+        if tmp_dir.exists():
+            rmtree(tmp_dir)
+    finally:
+        # cleanup
+        exit()
diff --git a/src/op_mode/image_info.py b/src/op_mode/image_info.py
new file mode 100755
index 000000000..791001e00
--- /dev/null
+++ b/src/op_mode/image_info.py
@@ -0,0 +1,109 @@
+#!/usr/bin/env python3
+#
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This file is part of VyOS.
+#
+# VyOS is free software: you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation, either version 3 of the License, or (at your option) any later
+# version.
+#
+# VyOS is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# VyOS. If not, see <https://www.gnu.org/licenses/>.
+
+import sys
+from typing import List, Union
+
+from tabulate import tabulate
+
+from vyos import opmode
+from vyos.system import disk, grub, image
+from vyos.utils.convert import bytes_to_human
+
+
+def _format_show_images_summary(images_summary: image.BootDetails) -> str:
+    headers: list[str] = ['Name', 'Default boot', 'Running']
+    table_data: list[list[str]] = list()
+    for image_item in images_summary.get('images_available', []):
+        name: str = image_item
+        if images_summary.get('image_default') == name:
+            default: str = 'Yes'
+        else:
+            default: str = ''
+
+        if images_summary.get('image_running') == name:
+            running: str = 'Yes'
+        else:
+            running: str = ''
+
+        table_data.append([name, default, running])
+    tabulated: str = tabulate(table_data, headers)
+
+    return tabulated
+
+
+def _format_show_images_details(
+        images_details: list[image.ImageDetails]) -> str:
+    headers: list[str] = [
+        'Name', 'Version', 'Storage Read-Only', 'Storage Read-Write',
+        'Storage Total'
+    ]
+    table_data: list[list[Union[str, int]]] = list()
+    for image_item in images_details:
+        name: str = image_item.get('name')
+        version: str = image_item.get('version')
+        disk_ro: str = bytes_to_human(image_item.get('disk_ro'),
+                                      precision=1, int_below_exponent=30)
+        disk_rw: str = bytes_to_human(image_item.get('disk_rw'),
+                                      precision=1, int_below_exponent=30)
+        disk_total: str = bytes_to_human(image_item.get('disk_total'),
+                                         precision=1, int_below_exponent=30)
+        table_data.append([name, version, disk_ro, disk_rw, disk_total])
+    tabulated: str = tabulate(table_data, headers,
+                              colalign=('left', 'left', 'right', 'right', 'right'))
+
+    return tabulated
+
+
+def show_images_summary(raw: bool) -> Union[image.BootDetails, str]:
+    images_available: list[str] = grub.version_list()
+    root_dir: str = disk.find_persistence()
+    boot_vars: dict = grub.vars_read(f'{root_dir}/{image.CFG_VYOS_VARS}')
+
+    images_summary: image.BootDetails = dict()
+
+    images_summary['image_default'] = image.get_default_image()
+    images_summary['image_running'] = image.get_running_image()
+    images_summary['images_available'] = images_available
+    images_summary['console_type'] = boot_vars.get('console_type')
+    images_summary['console_num'] = boot_vars.get('console_num')
+
+    if raw:
+        return images_summary
+    else:
+        return _format_show_images_summary(images_summary)
+
+
+def show_images_details(raw: bool) -> Union[list[image.ImageDetails], str]:
+    images_details = image.get_images_details()
+
+    if raw:
+        return images_details
+    else:
+        return _format_show_images_details(images_details)
+
+
+if __name__ == '__main__':
+    try:
+        res = opmode.run(sys.modules[__name__])
+        if res:
+            print(res)
+    except (ValueError, opmode.Error) as e:
+        print(e)
+        sys.exit(1)
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
new file mode 100755
index 000000000..5e2af2d97
--- /dev/null
+++ b/src/op_mode/image_installer.py
@@ -0,0 +1,913 @@
+#!/usr/bin/env python3
+#
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This file is part of VyOS.
+#
+# VyOS is free software: you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation, either version 3 of the License, or (at your option) any later
+# version.
+#
+# VyOS is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# VyOS. If not, see <https://www.gnu.org/licenses/>.
+
+from argparse import ArgumentParser, Namespace
+from pathlib import Path
+from shutil import copy, chown, rmtree, copytree
+from glob import glob
+from sys import exit
+from os import environ
+from time import sleep
+from typing import Union
+from urllib.parse import urlparse
+from passlib.hosts import linux_context
+
+from psutil import disk_partitions
+
+from vyos.configtree import ConfigTree
+from vyos.remote import download
+from vyos.system import disk, grub, image, compat, raid, SYSTEM_CFG_VER
+from vyos.template import render
+from vyos.utils.io import ask_input, ask_yes_no, select_entry
+from vyos.utils.file import chmod_2775
+from vyos.utils.process import cmd, run
+
+# define text messages
+MSG_ERR_NOT_LIVE: str = 'The system is already installed. Please use "add system image" instead.'
+MSG_ERR_LIVE: str = 'The system is in live-boot mode. Please use "install image" instead.'
+MSG_ERR_NO_DISK: str = 'No suitable disk was found. There must be at least one disk of 2GB or greater size.'
+MSG_ERR_IMPROPER_IMAGE: str = 'Missing sha256sum.txt.\nEither this image is corrupted, or of era 1.2.x (md5sum) and would downgrade image tools;\ndisallowed in either case.'
+MSG_INFO_INSTALL_WELCOME: str = 'Welcome to VyOS installation!\nThis command will install VyOS to your permanent storage.'
+MSG_INFO_INSTALL_EXIT: str = 'Exiting from VyOS installation'
+MSG_INFO_INSTALL_SUCCESS: str = 'The image installed successfully; please reboot now.'
+MSG_INFO_INSTALL_DISKS_LIST: str = 'The following disks were found:'
+MSG_INFO_INSTALL_DISK_SELECT: str = 'Which one should be used for installation?'
+MSG_INFO_INSTALL_RAID_CONFIGURE: str = 'Would you like to configure RAID-1 mirroring?'
+MSG_INFO_INSTALL_RAID_FOUND_DISKS: str = 'Would you like to configure RAID-1 mirroring on them?'
+MSG_INFO_INSTALL_RAID_CHOOSE_DISKS: str = 'Would you like to choose two disks for RAID-1 mirroring?'
+MSG_INFO_INSTALL_DISK_CONFIRM: str = 'Installation will delete all data on the drive. Continue?'
+MSG_INFO_INSTALL_RAID_CONFIRM: str = 'Installation will delete all data on both drives. Continue?'
+MSG_INFO_INSTALL_PARTITONING: str = 'Creating partition table...'
+MSG_INPUT_CONFIG_FOUND: str = 'An active configuration was found. Would you like to copy it to the new image?'
+MSG_INPUT_IMAGE_NAME: str = 'What would you like to name this image?'
+MSG_INPUT_IMAGE_DEFAULT: str = 'Would you like to set the new image as the default one for boot?'
+MSG_INPUT_PASSWORD: str = 'Please enter a password for the "vyos" user'
+MSG_INPUT_ROOT_SIZE_ALL: str = 'Would you like to use all the free space on the drive?'
+MSG_INPUT_ROOT_SIZE_SET: str = 'Please specify the size (in GB) of the root partition (min is 1.5 GB)?'
+MSG_INPUT_CONSOLE_TYPE: str = 'What console should be used by default? (K: KVM, S: Serial, U: USB-Serial)?'
+MSG_INPUT_COPY_DATA: str = 'Would you like to copy data to the new image?'
+MSG_INPUT_CHOOSE_COPY_DATA: str = 'From which image would you like to save config information?'
+MSG_WARN_ISO_SIGN_INVALID: str = 'Signature is not valid. Do you want to continue with installation?'
+MSG_WARN_ISO_SIGN_UNAVAL: str = 'Signature is not available. Do you want to continue with installation?'
+MSG_WARN_ROOT_SIZE_TOOBIG: str = 'The size is too big. Try again.'
+MSG_WARN_ROOT_SIZE_TOOSMALL: str = 'The size is too small. Try again'
+MSG_WARN_IMAGE_NAME_WRONG: str = 'The suggested name is unsupported!\n'
+'It must be between 1 and 32 characters long and contains only the next characters: .+-_ a-z A-Z 0-9'
+CONST_MIN_DISK_SIZE: int = 2147483648  # 2 GB
+CONST_MIN_ROOT_SIZE: int = 1610612736  # 1.5 GB
+# a reserved space: 2MB for header, 1 MB for BIOS partition, 256 MB for EFI
+CONST_RESERVED_SPACE: int = (2 + 1 + 256) * 1024**2
+
+# define directories and paths
+DIR_INSTALLATION: str = '/mnt/installation'
+DIR_ROOTFS_SRC: str = f'{DIR_INSTALLATION}/root_src'
+DIR_ROOTFS_DST: str = f'{DIR_INSTALLATION}/root_dst'
+DIR_ISO_MOUNT: str = f'{DIR_INSTALLATION}/iso_src'
+DIR_DST_ROOT: str = f'{DIR_INSTALLATION}/disk_dst'
+DIR_KERNEL_SRC: str = '/boot/'
+FILE_ROOTFS_SRC: str = '/usr/lib/live/mount/medium/live/filesystem.squashfs'
+ISO_DOWNLOAD_PATH: str = '/tmp/vyos_installation.iso'
+
+external_download_script = '/usr/libexec/vyos/simple-download.py'
+
+# default boot variables
+DEFAULT_BOOT_VARS: dict[str, str] = {
+    'timeout': '5',
+    'console_type': 'tty',
+    'console_num': '0',
+    'bootmode': 'normal'
+}
+
+
+def bytes_to_gb(size: int) -> float:
+    """Convert Bytes to GBytes, rounded to 1 decimal number
+
+    Args:
+        size (int): input size in bytes
+
+    Returns:
+        float: size in GB
+    """
+    return round(size / 1024**3, 1)
+
+
+def gb_to_bytes(size: float) -> int:
+    """Convert GBytes to Bytes
+
+    Args:
+        size (float): input size in GBytes
+
+    Returns:
+        int: size in bytes
+    """
+    return int(size * 1024**3)
+
+
+def find_disks() -> dict[str, int]:
+    """Find a target disk for installation
+
+    Returns:
+        dict[str, int]: a list of available disks by name and size
+    """
+    # check for available disks
+    print('Probing disks')
+    disks_available: dict[str, int] = disk.disks_size()
+    for disk_name, disk_size in disks_available.copy().items():
+        if disk_size < CONST_MIN_DISK_SIZE:
+            del disks_available[disk_name]
+    if not disks_available:
+        print(MSG_ERR_NO_DISK)
+        exit(MSG_INFO_INSTALL_EXIT)
+
+    num_disks: int = len(disks_available)
+    print(f'{num_disks} disk(s) found')
+
+    return disks_available
+
+
+def ask_root_size(available_space: int) -> int:
+    """Define a size of root partition
+
+    Args:
+        available_space (int): available space in bytes for a root partition
+
+    Returns:
+        int: defined size
+    """
+    if ask_yes_no(MSG_INPUT_ROOT_SIZE_ALL, default=True):
+        return available_space
+
+    while True:
+        root_size_gb: str = ask_input(MSG_INPUT_ROOT_SIZE_SET)
+        root_size_kbytes: int = (gb_to_bytes(float(root_size_gb))) // 1024
+
+        if root_size_kbytes > available_space:
+            print(MSG_WARN_ROOT_SIZE_TOOBIG)
+            continue
+        if root_size_kbytes < CONST_MIN_ROOT_SIZE / 1024:
+            print(MSG_WARN_ROOT_SIZE_TOOSMALL)
+            continue
+
+        return root_size_kbytes
+
+def create_partitions(target_disk: str, target_size: int,
+                      prompt: bool = True) -> None:
+    """Create partitions on a target disk
+
+    Args:
+        target_disk (str): a target disk
+        target_size (int): size of disk in bytes
+    """
+    # define target rootfs size in KB (smallest unit acceptable by sgdisk)
+    available_size: int = (target_size - CONST_RESERVED_SPACE) // 1024
+    if prompt:
+        rootfs_size: int = ask_root_size(available_size)
+    else:
+        rootfs_size: int = available_size
+
+    print(MSG_INFO_INSTALL_PARTITONING)
+    raid.clear()
+    disk.disk_cleanup(target_disk)
+    disk_details: disk.DiskDetails = disk.parttable_create(target_disk,
+                                                           rootfs_size)
+
+    return disk_details
+
+
+def search_format_selection(image: tuple[str, str]) -> str:
+    """Format a string for selection of image
+
+    Args:
+        image (tuple[str, str]): a tuple of image name and drive
+
+    Returns:
+        str: formatted string
+    """
+    return f'{image[0]} on {image[1]}'
+
+
+def search_previous_installation(disks: list[str]) -> None:
+    """Search disks for previous installation config and SSH keys
+
+    Args:
+        disks (list[str]): a list of available disks
+    """
+    mnt_config = '/mnt/config'
+    mnt_ssh = '/mnt/ssh'
+    mnt_tmp = '/mnt/tmp'
+    rmtree(Path(mnt_config), ignore_errors=True)
+    rmtree(Path(mnt_ssh), ignore_errors=True)
+    Path(mnt_tmp).mkdir(exist_ok=True)
+
+    print('Searching for data from previous installations')
+    image_data = []
+    for disk_name in disks:
+        for partition in disk.partition_list(disk_name):
+            if disk.partition_mount(partition, mnt_tmp):
+                if Path(mnt_tmp + '/boot').exists():
+                    for path in Path(mnt_tmp + '/boot').iterdir():
+                        if path.joinpath('rw/config/.vyatta_config').exists():
+                            image_data.append((path.name, partition))
+
+                disk.partition_umount(partition)
+
+    if len(image_data) == 1:
+        image_name, image_drive = image_data[0]
+        print('Found data from previous installation:')
+        print(f'\t{image_name} on {image_drive}')
+        if not ask_yes_no(MSG_INPUT_COPY_DATA, default=True):
+            return
+
+    elif len(image_data) > 1:
+        print('Found data from previous installations')
+        if not ask_yes_no(MSG_INPUT_COPY_DATA, default=True):
+            return
+
+        image_name, image_drive = select_entry(image_data,
+                                               'Available versions:',
+                                               MSG_INPUT_CHOOSE_COPY_DATA,
+                                               search_format_selection)
+    else:
+        print('No previous installation found')
+        return
+
+    disk.partition_mount(image_drive, mnt_tmp)
+
+    copytree(f'{mnt_tmp}/boot/{image_name}/rw/config', mnt_config)
+    Path(mnt_ssh).mkdir()
+    host_keys: list[str] = glob(f'{mnt_tmp}/boot/{image_name}/rw/etc/ssh/ssh_host*')
+    for host_key in host_keys:
+        copy(host_key, mnt_ssh)
+
+    disk.partition_umount(image_drive)
+
+def copy_preserve_owner(src: str, dst: str, *, follow_symlinks=True):
+    if not Path(src).is_file():
+        return
+    if Path(dst).is_dir():
+        dst = Path(dst).joinpath(Path(src).name)
+    st = Path(src).stat()
+    copy(src, dst, follow_symlinks=follow_symlinks)
+    chown(dst, user=st.st_uid)
+
+
+def copy_previous_installation_data(target_dir: str) -> None:
+    if Path('/mnt/config').exists():
+        copytree('/mnt/config', f'{target_dir}/opt/vyatta/etc/config',
+                 dirs_exist_ok=True)
+    if Path('/mnt/ssh').exists():
+        copytree('/mnt/ssh', f'{target_dir}/etc/ssh',
+                 dirs_exist_ok=True)
+
+
+def ask_single_disk(disks_available: dict[str, int]) -> str:
+    """Ask user to select a disk for installation
+
+    Args:
+        disks_available (dict[str, int]): a list of available disks
+    """
+    print(MSG_INFO_INSTALL_DISKS_LIST)
+    default_disk: str = list(disks_available)[0]
+    for disk_name, disk_size in disks_available.items():
+        disk_size_human: str = bytes_to_gb(disk_size)
+        print(f'Drive: {disk_name} ({disk_size_human} GB)')
+    disk_selected: str = ask_input(MSG_INFO_INSTALL_DISK_SELECT,
+                                   default=default_disk,
+                                   valid_responses=list(disks_available))
+
+    # create partitions
+    if not ask_yes_no(MSG_INFO_INSTALL_DISK_CONFIRM):
+        print(MSG_INFO_INSTALL_EXIT)
+        exit()
+
+    search_previous_installation(list(disks_available))
+
+    disk_details: disk.DiskDetails = create_partitions(disk_selected,
+                                                       disks_available[disk_selected])
+
+    disk.filesystem_create(disk_details.partition['efi'], 'efi')
+    disk.filesystem_create(disk_details.partition['root'], 'ext4')
+
+    return disk_details
+
+
+def check_raid_install(disks_available: dict[str, int]) -> Union[str, None]:
+    """Ask user to select disks for RAID installation
+
+    Args:
+        disks_available (dict[str, int]): a list of available disks
+    """
+    if len(disks_available) < 2:
+        return None
+
+    if not ask_yes_no(MSG_INFO_INSTALL_RAID_CONFIGURE, default=True):
+        return None
+
+    def format_selection(disk_name: str) -> str:
+        return f'{disk_name}\t({bytes_to_gb(disks_available[disk_name])} GB)'
+
+    disk0, disk1 = list(disks_available)[0], list(disks_available)[1]
+    disks_selected: dict[str, int] = { disk0: disks_available[disk0],
+                                       disk1: disks_available[disk1] }
+
+    target_size: int = min(disks_selected[disk0], disks_selected[disk1])
+
+    print(MSG_INFO_INSTALL_DISKS_LIST)
+    for disk_name, disk_size in disks_selected.items():
+        disk_size_human: str = bytes_to_gb(disk_size)
+        print(f'\t{disk_name} ({disk_size_human} GB)')
+    if not ask_yes_no(MSG_INFO_INSTALL_RAID_FOUND_DISKS, default=True):
+        if not ask_yes_no(MSG_INFO_INSTALL_RAID_CHOOSE_DISKS, default=True):
+            return None
+        else:
+            disks_selected = {}
+            disk0 = select_entry(list(disks_available), 'Disks available:',
+                                 'Select first disk:', format_selection)
+
+            disks_selected[disk0] = disks_available[disk0]
+            del disks_available[disk0]
+            disk1 = select_entry(list(disks_available), 'Remaining disks:',
+                                 'Select second disk:', format_selection)
+            disks_selected[disk1] = disks_available[disk1]
+
+            target_size: int = min(disks_selected[disk0],
+                                   disks_selected[disk1])
+
+    # create partitions
+    if not ask_yes_no(MSG_INFO_INSTALL_RAID_CONFIRM):
+        print(MSG_INFO_INSTALL_EXIT)
+        exit()
+
+    search_previous_installation(list(disks_available))
+
+    disks: list[disk.DiskDetails] = []
+    for disk_selected in list(disks_selected):
+        print(f'Creating partitions on {disk_selected}')
+        disk_details = create_partitions(disk_selected, target_size,
+                                         prompt=False)
+        disk.filesystem_create(disk_details.partition['efi'], 'efi')
+
+        disks.append(disk_details)
+
+    print('Creating RAID array')
+    members = [disk.partition['root'] for disk in disks]
+    raid_details: raid.RaidDetails = raid.raid_create(members)
+    # raid init stuff
+    print('Updating initramfs')
+    raid.update_initramfs()
+    # end init
+    print('Creating filesystem on RAID array')
+    disk.filesystem_create(raid_details.name, 'ext4')
+
+    return raid_details
+
+
+def prepare_tmp_disr() -> None:
+    """Create temporary directories for installation
+    """
+    print('Creating temporary directories')
+    for dir in [DIR_ROOTFS_SRC, DIR_ROOTFS_DST, DIR_DST_ROOT]:
+        dirpath = Path(dir)
+        dirpath.mkdir(mode=0o755, parents=True)
+
+
+def setup_grub(root_dir: str) -> None:
+    """Install GRUB configurations
+
+    Args:
+        root_dir (str): a path to the root of target filesystem
+    """
+    print('Installing GRUB configuration files')
+    grub_cfg_main = f'{root_dir}/{grub.GRUB_DIR_MAIN}/grub.cfg'
+    grub_cfg_vars = f'{root_dir}/{grub.CFG_VYOS_VARS}'
+    grub_cfg_modules = f'{root_dir}/{grub.CFG_VYOS_MODULES}'
+    grub_cfg_menu = f'{root_dir}/{grub.CFG_VYOS_MENU}'
+    grub_cfg_options = f'{root_dir}/{grub.CFG_VYOS_OPTIONS}'
+
+    # create new files
+    render(grub_cfg_main, grub.TMPL_GRUB_MAIN, {})
+    grub.common_write(root_dir)
+    grub.vars_write(grub_cfg_vars, DEFAULT_BOOT_VARS)
+    grub.modules_write(grub_cfg_modules, [])
+    grub.write_cfg_ver(1, root_dir)
+    render(grub_cfg_menu, grub.TMPL_GRUB_MENU, {})
+    render(grub_cfg_options, grub.TMPL_GRUB_OPTS, {})
+
+
+def configure_authentication(config_file: str, password: str) -> None:
+    """Write encrypted password to config file
+
+    Args:
+        config_file (str): path of target config file
+        password (str): plaintext password
+
+    N.B. this can not be deferred by simply setting the plaintext password
+    and relying on the config mode script to process at boot, as the config
+    will not automatically be saved in that case, thus leaving the
+    plaintext exposed
+    """
+    encrypted_password = linux_context.hash(password)
+
+    with open(config_file) as f:
+        config_string = f.read()
+
+    config = ConfigTree(config_string)
+    config.set([
+        'system', 'login', 'user', 'vyos', 'authentication',
+        'encrypted-password'
+    ],
+               value=encrypted_password,
+               replace=True)
+    config.set_tag(['system', 'login', 'user'])
+
+    with open(config_file, 'w') as f:
+        f.write(config.to_string())
+
+def validate_signature(file_path: str, sign_type: str) -> None:
+    """Validate a file by signature and delete a signature file
+
+    Args:
+        file_path (str): a path to file
+        sign_type (str): a signature type
+    """
+    print('Validating signature')
+    signature_valid: bool = False
+    # validate with minisig
+    if sign_type == 'minisig':
+        for pubkey in [
+                '/usr/share/vyos/keys/vyos-release.minisign.pub',
+                '/usr/share/vyos/keys/vyos-backup.minisign.pub'
+        ]:
+            if run(f'minisign -V -q -p {pubkey} -m {file_path} -x {file_path}.minisig'
+                  ) == 0:
+                signature_valid = True
+                break
+        Path(f'{file_path}.minisig').unlink()
+    # validate with GPG
+    if sign_type == 'asc':
+        if run(f'gpg --verify ${file_path}.asc ${file_path}') == 0:
+            signature_valid = True
+        Path(f'{file_path}.asc').unlink()
+
+    # warn or pass
+    if not signature_valid:
+        if not ask_yes_no(MSG_WARN_ISO_SIGN_INVALID, default=False):
+            exit(MSG_INFO_INSTALL_EXIT)
+    else:
+        print('Signature is valid')
+
+def download_file(local_file: str, remote_path: str, vrf: str,
+                  username: str, password: str,
+                  progressbar: bool = False, check_space: bool = False):
+    environ['REMOTE_USERNAME'] = username
+    environ['REMOTE_PASSWORD'] = password
+    if vrf is None:
+        download(local_file, remote_path, progressbar=progressbar,
+                 check_space=check_space, raise_error=True)
+    else:
+        vrf_cmd = f'REMOTE_USERNAME={username} REMOTE_PASSWORD={password} \
+                ip vrf exec {vrf} {external_download_script} \
+                --local-file {local_file} --remote-path {remote_path}'
+        cmd(vrf_cmd)
+
+def image_fetch(image_path: str, vrf: str = None,
+                username: str = '', password: str = '',
+                no_prompt: bool = False) -> Path:
+    """Fetch an ISO image
+
+    Args:
+        image_path (str): a path, remote or local
+
+    Returns:
+        Path: a path to a local file
+    """
+    try:
+        # check a type of path
+        if urlparse(image_path).scheme:
+            # download an image
+            download_file(ISO_DOWNLOAD_PATH, image_path, vrf,
+                          username, password,
+                          progressbar=True, check_space=True)
+
+            # download a signature
+            sign_file = (False, '')
+            for sign_type in ['minisig', 'asc']:
+                try:
+                    download_file(f'{ISO_DOWNLOAD_PATH}.{sign_type}',
+                                  f'{image_path}.{sign_type}', vrf,
+                                  username, password)
+                    sign_file = (True, sign_type)
+                    break
+                except Exception:
+                    print(f'{sign_type} signature is not available')
+            # validate a signature if it is available
+            if sign_file[0]:
+                validate_signature(ISO_DOWNLOAD_PATH, sign_file[1])
+            else:
+                if (not no_prompt and
+                    not ask_yes_no(MSG_WARN_ISO_SIGN_UNAVAL, default=False)):
+                    cleanup()
+                    exit(MSG_INFO_INSTALL_EXIT)
+
+            return Path(ISO_DOWNLOAD_PATH)
+        else:
+            local_path: Path = Path(image_path)
+            if local_path.is_file():
+                return local_path
+            else:
+                raise FileNotFoundError
+    except Exception as e:
+        print(f'The image cannot be fetched from: {image_path} {e}')
+        exit(1)
+
+
+def migrate_config() -> bool:
+    """Check for active config and ask user for migration
+
+    Returns:
+        bool: user's decision
+    """
+    active_config_path: Path = Path('/opt/vyatta/etc/config/config.boot')
+    if active_config_path.exists():
+        if ask_yes_no(MSG_INPUT_CONFIG_FOUND, default=True):
+            return True
+    return False
+
+
+def copy_ssh_host_keys() -> bool:
+    """Ask user to copy SSH host keys
+
+    Returns:
+        bool: user's decision
+    """
+    if ask_yes_no('Would you like to copy SSH host keys?', default=True):
+        return True
+    return False
+
+
+def cleanup(mounts: list[str] = [], remove_items: list[str] = []) -> None:
+    """Clean up after installation
+
+    Args:
+        mounts (list[str], optional): List of mounts to unmount.
+        Defaults to [].
+        remove_items (list[str], optional): List of files or directories
+        to remove. Defaults to [].
+    """
+    print('Cleaning up')
+    # clean up installation directory by default
+    mounts_all = disk_partitions(all=True)
+    for mounted_device in mounts_all:
+        if mounted_device.mountpoint.startswith(DIR_INSTALLATION) and not (
+                mounted_device.device in mounts or
+                mounted_device.mountpoint in mounts):
+            mounts.append(mounted_device.mountpoint)
+    # add installation dir to cleanup list
+    if DIR_INSTALLATION not in remove_items:
+        remove_items.append(DIR_INSTALLATION)
+    # also delete an ISO file
+    if Path(ISO_DOWNLOAD_PATH).exists(
+    ) and ISO_DOWNLOAD_PATH not in remove_items:
+        remove_items.append(ISO_DOWNLOAD_PATH)
+
+    if mounts:
+        print('Unmounting target filesystems')
+        for mountpoint in mounts:
+            disk.partition_umount(mountpoint)
+    if remove_items:
+        print('Removing temporary files')
+        for remove_item in remove_items:
+            if Path(remove_item).exists():
+                if Path(remove_item).is_file():
+                    Path(remove_item).unlink()
+                if Path(remove_item).is_dir():
+                    rmtree(remove_item)
+
+def cleanup_raid(details: raid.RaidDetails) -> None:
+    efiparts = []
+    for raid_disk in details.disks:
+        efiparts.append(raid_disk.partition['efi'])
+    cleanup([details.name, *efiparts],
+            ['/mnt/installation'])
+
+
+def is_raid_install(install_object: Union[disk.DiskDetails, raid.RaidDetails]) -> bool:
+    """Check if installation target is a RAID array
+
+    Args:
+        install_object (Union[disk.DiskDetails, raid.RaidDetails]): a target disk
+
+    Returns:
+        bool: True if it is a RAID array
+    """
+    if isinstance(install_object, raid.RaidDetails):
+        return True
+    return False
+
+
+def install_image() -> None:
+    """Install an image to a disk
+    """
+    if not image.is_live_boot():
+        exit(MSG_ERR_NOT_LIVE)
+
+    print(MSG_INFO_INSTALL_WELCOME)
+    if not ask_yes_no('Would you like to continue?'):
+        print(MSG_INFO_INSTALL_EXIT)
+        exit()
+
+    # configure image name
+    running_image_name: str = image.get_running_image()
+    while True:
+        image_name: str = ask_input(MSG_INPUT_IMAGE_NAME,
+                                    running_image_name)
+        if image.validate_name(image_name):
+            break
+        print(MSG_WARN_IMAGE_NAME_WRONG)
+
+    # ask for password
+    user_password: str = ask_input(MSG_INPUT_PASSWORD, default='vyos',
+                                   no_echo=True)
+
+    # ask for default console
+    console_type: str = ask_input(MSG_INPUT_CONSOLE_TYPE,
+                                  default='K',
+                                  valid_responses=['K', 'S', 'U'])
+    console_dict: dict[str, str] = {'K': 'tty', 'S': 'ttyS', 'U': 'ttyUSB'}
+
+    disks: dict[str, int] = find_disks()
+
+    install_target: Union[disk.DiskDetails, raid.RaidDetails, None] = None
+    try:
+        install_target = check_raid_install(disks)
+        if install_target is None:
+            install_target = ask_single_disk(disks)
+
+        # create directories for installation media
+        prepare_tmp_disr()
+
+        # mount target filesystem and create required dirs inside
+        print('Mounting new partitions')
+        if is_raid_install(install_target):
+            disk.partition_mount(install_target.name, DIR_DST_ROOT)
+            Path(f'{DIR_DST_ROOT}/boot/efi').mkdir(parents=True)
+        else:
+            disk.partition_mount(install_target.partition['root'], DIR_DST_ROOT)
+            Path(f'{DIR_DST_ROOT}/boot/efi').mkdir(parents=True)
+            disk.partition_mount(install_target.partition['efi'], f'{DIR_DST_ROOT}/boot/efi')
+
+        # a config dir. It is the deepest one, so the comand will
+        # create all the rest in a single step
+        print('Creating a configuration file')
+        target_config_dir: str = f'{DIR_DST_ROOT}/boot/{image_name}/rw/opt/vyatta/etc/config/'
+        Path(target_config_dir).mkdir(parents=True)
+        chown(target_config_dir, group='vyattacfg')
+        chmod_2775(target_config_dir)
+        # copy config
+        copy('/opt/vyatta/etc/config/config.boot', target_config_dir)
+        configure_authentication(f'{target_config_dir}/config.boot',
+                                 user_password)
+        Path(f'{target_config_dir}/.vyatta_config').touch()
+
+        # create a persistence.conf
+        Path(f'{DIR_DST_ROOT}/persistence.conf').write_text('/ union\n')
+
+        # copy system image and kernel files
+        print('Copying system image files')
+        for file in Path(DIR_KERNEL_SRC).iterdir():
+            if file.is_file():
+                copy(file, f'{DIR_DST_ROOT}/boot/{image_name}/')
+        copy(FILE_ROOTFS_SRC,
+             f'{DIR_DST_ROOT}/boot/{image_name}/{image_name}.squashfs')
+
+        # copy saved config data and SSH keys
+        # owner restored on copy of config data by chmod_2775, above
+        copy_previous_installation_data(f'{DIR_DST_ROOT}/boot/{image_name}/rw')
+
+        if is_raid_install(install_target):
+            write_dir: str = f'{DIR_DST_ROOT}/boot/{image_name}/rw'
+            raid.update_default(write_dir)
+
+        setup_grub(DIR_DST_ROOT)
+        # add information about version
+        grub.create_structure()
+        grub.version_add(image_name, DIR_DST_ROOT)
+        grub.set_default(image_name, DIR_DST_ROOT)
+        grub.set_console_type(console_dict[console_type], DIR_DST_ROOT)
+
+        if is_raid_install(install_target):
+            # add RAID specific modules
+            grub.modules_write(f'{DIR_DST_ROOT}/{grub.CFG_VYOS_MODULES}',
+                               ['part_msdos', 'part_gpt', 'diskfilter',
+                                'ext2','mdraid1x'])
+        # install GRUB
+        if is_raid_install(install_target):
+            print('Installing GRUB to the drives')
+            l = install_target.disks
+            for disk_target in l:
+                disk.partition_mount(disk_target.partition['efi'], f'{DIR_DST_ROOT}/boot/efi')
+                grub.install(disk_target.name, f'{DIR_DST_ROOT}/boot/',
+                             f'{DIR_DST_ROOT}/boot/efi',
+                             id=f'VyOS (RAID disk {l.index(disk_target) + 1})')
+                disk.partition_umount(disk_target.partition['efi'])
+        else:
+            print('Installing GRUB to the drive')
+            grub.install(install_target.name, f'{DIR_DST_ROOT}/boot/',
+                         f'{DIR_DST_ROOT}/boot/efi')
+
+        # umount filesystems and remove temporary files
+        if is_raid_install(install_target):
+            cleanup([install_target.name],
+                    ['/mnt/installation'])
+        else:
+            cleanup([install_target.partition['efi'],
+                     install_target.partition['root']],
+                    ['/mnt/installation'])
+
+        # we are done
+        print(MSG_INFO_INSTALL_SUCCESS)
+        exit()
+
+    except Exception as err:
+        print(f'Unable to install VyOS: {err}')
+        # unmount filesystems and clenup
+        try:
+            if install_target is not None:
+                if is_raid_install(install_target):
+                    cleanup_raid(install_target)
+                else:
+                    cleanup([install_target.partition['efi'],
+                             install_target.partition['root']],
+                            ['/mnt/installation'])
+        except Exception as err:
+            print(f'Cleanup failed: {err}')
+
+        exit(1)
+
+
+@compat.grub_cfg_update
+def add_image(image_path: str, vrf: str = None, username: str = '',
+              password: str = '', no_prompt: bool = False) -> None:
+    """Add a new image
+
+    Args:
+        image_path (str): a path to an ISO image
+    """
+    if image.is_live_boot():
+        exit(MSG_ERR_LIVE)
+
+    # fetch an image
+    iso_path: Path = image_fetch(image_path, vrf, username, password, no_prompt)
+    try:
+        # mount an ISO
+        Path(DIR_ISO_MOUNT).mkdir(mode=0o755, parents=True)
+        disk.partition_mount(iso_path, DIR_ISO_MOUNT, 'iso9660')
+
+        # check sums
+        print('Validating image checksums')
+        if not Path(DIR_ISO_MOUNT).joinpath('sha256sum.txt').exists():
+            cleanup()
+            exit(MSG_ERR_IMPROPER_IMAGE)
+        if run(f'cd {DIR_ISO_MOUNT} && sha256sum --status -c sha256sum.txt'):
+            cleanup()
+            exit('Image checksum verification failed.')
+
+        # mount rootfs (to get a system version)
+        Path(DIR_ROOTFS_SRC).mkdir(mode=0o755, parents=True)
+        disk.partition_mount(f'{DIR_ISO_MOUNT}/live/filesystem.squashfs',
+                             DIR_ROOTFS_SRC, 'squashfs')
+
+        cfg_ver: str = image.get_image_tools_version(DIR_ROOTFS_SRC)
+        version_name: str = image.get_image_version(DIR_ROOTFS_SRC)
+
+        disk.partition_umount(f'{DIR_ISO_MOUNT}/live/filesystem.squashfs')
+
+        if cfg_ver < SYSTEM_CFG_VER:
+            raise compat.DowngradingImageTools(
+                f'Adding image would downgrade image tools to v.{cfg_ver}; disallowed')
+
+        if not no_prompt:
+            image_name: str = ask_input(MSG_INPUT_IMAGE_NAME, version_name)
+            set_as_default: bool = ask_yes_no(MSG_INPUT_IMAGE_DEFAULT, default=True)
+        else:
+            image_name: str = version_name
+            set_as_default: bool = True
+
+        # find target directory
+        root_dir: str = disk.find_persistence()
+
+        # a config dir. It is the deepest one, so the comand will
+        # create all the rest in a single step
+        target_config_dir: str = f'{root_dir}/boot/{image_name}/rw/opt/vyatta/etc/config/'
+        # copy config
+        if no_prompt or migrate_config():
+            print('Copying configuration directory')
+            # copytree preserves perms but not ownership:
+            Path(target_config_dir).mkdir(parents=True)
+            chown(target_config_dir, group='vyattacfg')
+            chmod_2775(target_config_dir)
+            copytree('/opt/vyatta/etc/config/', target_config_dir,
+                     copy_function=copy_preserve_owner, dirs_exist_ok=True)
+        else:
+            Path(target_config_dir).mkdir(parents=True)
+            chown(target_config_dir, group='vyattacfg')
+            chmod_2775(target_config_dir)
+            Path(f'{target_config_dir}/.vyatta_config').touch()
+
+        target_ssh_dir: str = f'{root_dir}/boot/{image_name}/rw/etc/ssh/'
+        if no_prompt or copy_ssh_host_keys():
+            print('Copying SSH host keys')
+            Path(target_ssh_dir).mkdir(parents=True)
+            host_keys: list[str] = glob('/etc/ssh/ssh_host*')
+            for host_key in host_keys:
+                copy(host_key, target_ssh_dir)
+
+        # copy system image and kernel files
+        print('Copying system image files')
+        for file in Path(f'{DIR_ISO_MOUNT}/live').iterdir():
+            if file.is_file() and (file.match('initrd*') or
+                                   file.match('vmlinuz*')):
+                copy(file, f'{root_dir}/boot/{image_name}/')
+        copy(f'{DIR_ISO_MOUNT}/live/filesystem.squashfs',
+             f'{root_dir}/boot/{image_name}/{image_name}.squashfs')
+
+        # unmount an ISO and cleanup
+        cleanup([str(iso_path)])
+
+        # add information about version
+        grub.version_add(image_name, root_dir)
+        if set_as_default:
+            grub.set_default(image_name, root_dir)
+
+    except Exception as err:
+        # unmount an ISO and cleanup
+        cleanup([str(iso_path)])
+        exit(f'Whooops: {err}')
+
+
+def parse_arguments() -> Namespace:
+    """Parse arguments
+
+    Returns:
+        Namespace: a namespace with parsed arguments
+    """
+    parser: ArgumentParser = ArgumentParser(
+        description='Install new system images')
+    parser.add_argument('--action',
+                        choices=['install', 'add'],
+                        required=True,
+                        help='action to perform with an image')
+    parser.add_argument('--vrf',
+                        help='vrf name for image download')
+    parser.add_argument('--no-prompt', action='store_true',
+                        help='perform action non-interactively')
+    parser.add_argument('--username', default='',
+                        help='username for image download')
+    parser.add_argument('--password', default='',
+                        help='password for image download')
+    parser.add_argument('--image-path',
+        help='a path (HTTP or local file) to an image that needs to be installed'
+    )
+    # parser.add_argument('--image_new_name', help='a new name for image')
+    args: Namespace = parser.parse_args()
+    # Validate arguments
+    if args.action == 'add' and not args.image_path:
+        exit('A path to image is required for add action')
+
+    return args
+
+
+if __name__ == '__main__':
+    try:
+        args: Namespace = parse_arguments()
+        if args.action == 'install':
+            install_image()
+        if args.action == 'add':
+            add_image(args.image_path, args.vrf,
+                      args.username, args.password, args.no_prompt)
+
+        exit()
+
+    except KeyboardInterrupt:
+        print('Stopped by Ctrl+C')
+        cleanup()
+        exit()
+
+    except Exception as err:
+        exit(f'{err}')
diff --git a/src/op_mode/image_manager.py b/src/op_mode/image_manager.py
new file mode 100755
index 000000000..e64a85b95
--- /dev/null
+++ b/src/op_mode/image_manager.py
@@ -0,0 +1,231 @@
+#!/usr/bin/env python3
+#
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This file is part of VyOS.
+#
+# VyOS is free software: you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation, either version 3 of the License, or (at your option) any later
+# version.
+#
+# VyOS is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# VyOS. If not, see <https://www.gnu.org/licenses/>.
+
+from argparse import ArgumentParser, Namespace
+from pathlib import Path
+from shutil import rmtree
+from sys import exit
+from typing import Optional
+
+from vyos.system import disk, grub, image, compat
+from vyos.utils.io import ask_yes_no, select_entry
+
+SET_IMAGE_LIST_MSG: str = 'The following images are available:'
+SET_IMAGE_PROMPT_MSG: str = 'Select an image to set as default:'
+DELETE_IMAGE_LIST_MSG: str = 'The following images are installed:'
+DELETE_IMAGE_PROMPT_MSG: str = 'Select an image to delete:'
+MSG_DELETE_IMAGE_RUNNING: str = 'Currently running image cannot be deleted; reboot into another image first'
+MSG_DELETE_IMAGE_DEFAULT: str = 'Default image cannot be deleted; set another image as default first'
+
+def annotated_list(images_list: list[str]) -> list[str]:
+    """Annotate list of images with additional info
+
+    Args:
+        images_list (list[str]): a list of image names
+
+    Returns:
+        list[str]: a list of image names with additional info
+    """
+    index_running: int = None
+    index_default: int = None
+    try:
+        index_running = images_list.index(image.get_running_image())
+        index_default = images_list.index(image.get_default_image())
+    except ValueError:
+        pass
+    if index_running is not None:
+        images_list[index_running] += ' (running)'
+    if index_default is not None:
+        images_list[index_default] += ' (default boot)'
+    return images_list
+
+@compat.grub_cfg_update
+def delete_image(image_name: Optional[str] = None,
+                 no_prompt: bool = False) -> None:
+    """Remove installed image files and boot entry
+
+    Args:
+        image_name (str): a name of image to delete
+    """
+    available_images: list[str] = annotated_list(grub.version_list())
+    if image_name is None:
+        if no_prompt:
+            exit('An image name is required for delete action')
+        else:
+            image_name = select_entry(available_images,
+                                      DELETE_IMAGE_LIST_MSG,
+                                      DELETE_IMAGE_PROMPT_MSG)
+    if image_name == image.get_running_image():
+        exit(MSG_DELETE_IMAGE_RUNNING)
+    if image_name == image.get_default_image():
+        exit(MSG_DELETE_IMAGE_DEFAULT)
+    if image_name not in available_images:
+        exit(f'The image "{image_name}" cannot be found')
+    persistence_storage: str = disk.find_persistence()
+    if not persistence_storage:
+        exit('Persistence storage cannot be found')
+
+    if (not no_prompt and
+        not ask_yes_no(f'Do you really want to delete the image {image_name}?',
+                       default=False)):
+        exit()
+
+    # remove files and menu entry
+    version_path: Path = Path(f'{persistence_storage}/boot/{image_name}')
+    try:
+        rmtree(version_path)
+        grub.version_del(image_name, persistence_storage)
+        print(f'The image "{image_name}" was successfully deleted')
+    except Exception as err:
+        exit(f'Unable to remove the image "{image_name}": {err}')
+
+
+@compat.grub_cfg_update
+def set_image(image_name: Optional[str] = None,
+              prompt: bool = True) -> None:
+    """Set default boot image
+
+    Args:
+        image_name (str): an image name
+    """
+    available_images: list[str] = annotated_list(grub.version_list())
+    if image_name is None:
+        if not prompt:
+            exit('An image name is required for set action')
+        else:
+            image_name = select_entry(available_images,
+                                      SET_IMAGE_LIST_MSG,
+                                      SET_IMAGE_PROMPT_MSG)
+    if image_name == image.get_default_image():
+        exit(f'The image "{image_name}" already configured as default')
+    if image_name not in available_images:
+        exit(f'The image "{image_name}" cannot be found')
+    persistence_storage: str = disk.find_persistence()
+    if not persistence_storage:
+        exit('Persistence storage cannot be found')
+
+    # set default boot image
+    try:
+        grub.set_default(image_name, persistence_storage)
+        print(f'The image "{image_name}" is now default boot image')
+    except Exception as err:
+        exit(f'Unable to set default image "{image_name}": {err}')
+
+
+@compat.grub_cfg_update
+def rename_image(name_old: str, name_new: str) -> None:
+    """Rename installed image
+
+    Args:
+        name_old (str): old name
+        name_new (str): new name
+    """
+    if name_old == image.get_running_image():
+        exit('Currently running image cannot be renamed')
+    available_images: list[str] = grub.version_list()
+    if name_old not in available_images:
+        exit(f'The image "{name_old}" cannot be found')
+    if name_new in available_images:
+        exit(f'The image "{name_new}" already exists')
+    if not image.validate_name(name_new):
+        exit(f'The image name "{name_new}" is not allowed')
+
+    persistence_storage: str = disk.find_persistence()
+    if not persistence_storage:
+        exit('Persistence storage cannot be found')
+
+    if not ask_yes_no(
+            f'Do you really want to rename the image {name_old} '
+            f'to the {name_new}?',
+            default=False):
+        exit()
+
+    try:
+        # replace default boot item
+        if name_old == image.get_default_image():
+            grub.set_default(name_new, persistence_storage)
+
+        # rename files and dirs
+        old_path: Path = Path(f'{persistence_storage}/boot/{name_old}')
+        new_path: Path = Path(f'{persistence_storage}/boot/{name_new}')
+        old_path.rename(new_path)
+
+        # replace boot item
+        grub.version_del(name_old, persistence_storage)
+        grub.version_add(name_new, persistence_storage)
+
+        print(f'The image "{name_old}" was renamed to "{name_new}"')
+    except Exception as err:
+        exit(f'Unable to rename image "{name_old}" to "{name_new}": {err}')
+
+
+def list_images() -> None:
+    """Print list of available images for CLI hints"""
+    images_list: list[str] = grub.version_list()
+    for image_name in images_list:
+        print(image_name)
+
+
+def parse_arguments() -> Namespace:
+    """Parse arguments
+
+    Returns:
+        Namespace: a namespace with parsed arguments
+    """
+    parser: ArgumentParser = ArgumentParser(description='Manage system images')
+    parser.add_argument('--action',
+                        choices=['delete', 'set', 'rename', 'list'],
+                        required=True,
+                        help='action to perform with an image')
+    parser.add_argument('--no-prompt', action='store_true',
+                        help='perform action non-interactively')
+    parser.add_argument(
+        '--image-name',
+        help=
+        'a name of an image to add, delete, install, rename, or set as default')
+    parser.add_argument('--image-new-name', help='a new name for image')
+    args: Namespace = parser.parse_args()
+    # Validate arguments
+    if args.action == 'rename' and (not args.image_name or
+                                    not args.image_new_name):
+        exit('Both old and new image names are required for rename action')
+
+    return args
+
+
+if __name__ == '__main__':
+    try:
+        args: Namespace = parse_arguments()
+        if args.action == 'delete':
+            delete_image(args.image_name, args.no_prompt)
+        if args.action == 'set':
+            set_image(args.image_name)
+        if args.action == 'rename':
+            rename_image(args.image_name, args.image_new_name)
+        if args.action == 'list':
+            list_images()
+
+        exit()
+
+    except KeyboardInterrupt:
+        print('Stopped by Ctrl+C')
+        exit()
+
+    except Exception as err:
+        exit(f'{err}')
diff --git a/src/op_mode/interfaces.py b/src/op_mode/interfaces.py
index 782e178c6..14ffdca9f 100755
--- a/src/op_mode/interfaces.py
+++ b/src/op_mode/interfaces.py
@@ -235,6 +235,11 @@ def _get_summary_data(ifname: typing.Optional[str],
     if iftype is None:
         iftype = ''
     ret = []
+
+    def is_interface_has_mac(interface_name):
+        interface_no_mac = ('tun', 'wg')
+        return not any(interface_name.startswith(prefix) for prefix in interface_no_mac)
+
     for interface in filtered_interfaces(ifname, iftype, vif, vrrp):
         res_intf = {}
 
@@ -243,6 +248,9 @@ def _get_summary_data(ifname: typing.Optional[str],
         res_intf['admin_state'] = interface.get_admin_state()
         res_intf['addr'] = [_ for _ in interface.get_addr() if not _.startswith('fe80::')]
         res_intf['description'] = interface.get_alias()
+        res_intf['mtu'] = interface.get_mtu()
+        res_intf['mac'] = interface.get_mac() if is_interface_has_mac(interface.ifname) else 'n/a'
+        res_intf['vrf'] = interface.get_vrf()
 
         ret.append(res_intf)
 
@@ -373,6 +381,51 @@ def _format_show_summary(data):
     return 0
 
 @catch_broken_pipe
+def _format_show_summary_extended(data):
+    headers = ["Interface", "IP Address", "MAC", "VRF", "MTU", "S/L", "Description"]
+    table_data = []
+
+    print('Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down')
+
+    for intf in data:
+        if 'unhandled' in intf:
+            continue
+
+        ifname = intf['ifname']
+        oper_state = 'u' if intf['oper_state'] in ('up', 'unknown') else 'D'
+        admin_state = 'u' if intf['admin_state'] in ('up', 'unknown') else 'A'
+        addrs = intf['addr'] or ['-']
+        description = '\n'.join(_split_text(intf['description'], 0))
+        mac = intf['mac'] if intf['mac'] else 'n/a'
+        mtu = intf['mtu'] if intf['mtu'] else 'n/a'
+        vrf = intf['vrf'] if intf['vrf'] else 'default'
+
+        ip_addresses = '\n'.join(ip for ip in addrs)
+
+        # Create a row for the table
+        row = [
+            ifname,
+            ip_addresses,
+            mac,
+            vrf,
+            mtu,
+            f"{admin_state}/{oper_state}",
+            description,
+        ]
+
+        # Append the row to the table data
+        table_data.append(row)
+
+    for intf in data:
+        if 'unhandled' in intf:
+            string = {'C': 'u/D', 'D': 'A/D'}[intf['state']]
+            table_data.append([intf['ifname'], '', '', '', '', string, ''])
+
+    print(tabulate(table_data, headers))
+
+    return 0
+
+@catch_broken_pipe
 def _format_show_counters(data: list):
     data_entries = []
     for entry in data:
@@ -408,6 +461,14 @@ def show_summary(raw: bool, intf_name: typing.Optional[str],
         return data
     return _format_show_summary(data)
 
+def show_summary_extended(raw: bool, intf_name: typing.Optional[str],
+                            intf_type: typing.Optional[str],
+                            vif: bool, vrrp: bool):
+    data = _get_summary_data(intf_name, intf_type, vif, vrrp)
+    if raw:
+        return data
+    return _format_show_summary_extended(data)
+
 def show_counters(raw: bool, intf_name: typing.Optional[str],
                              intf_type: typing.Optional[str],
                              vif: bool, vrrp: bool):
diff --git a/src/op_mode/interfaces_wireless.py b/src/op_mode/interfaces_wireless.py
new file mode 100755
index 000000000..dfe50e2cb
--- /dev/null
+++ b/src/op_mode/interfaces_wireless.py
@@ -0,0 +1,186 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import re
+import sys
+import typing
+import vyos.opmode
+
+from copy import deepcopy
+from tabulate import tabulate
+from vyos.utils.process import popen
+from vyos.configquery import ConfigTreeQuery
+
+def _verify(func):
+    """Decorator checks if Wireless LAN config exists"""
+    from functools import wraps
+
+    @wraps(func)
+    def _wrapper(*args, **kwargs):
+        config = ConfigTreeQuery()
+        if not config.exists(['interfaces', 'wireless']):
+            raise vyos.opmode.UnconfiguredSubsystem(unconf_message)
+        return func(*args, **kwargs)
+    return _wrapper
+
+def _get_raw_info_data():
+    output_data = []
+
+    config = ConfigTreeQuery()
+    raw = config.get_config_dict(['interfaces', 'wireless'], effective=True,
+                                 get_first_key=True, key_mangling=('-', '_'))
+    for interface, interface_config in raw.items():
+        tmp = {'name' : interface}
+
+        if 'type' in interface_config:
+            tmp.update({'type' : interface_config['type']})
+        else:
+            tmp.update({'type' : '-'})
+
+        if 'ssid' in interface_config:
+            tmp.update({'ssid' : interface_config['ssid']})
+        else:
+            tmp.update({'ssid' : '-'})
+
+        if 'channel' in interface_config:
+            tmp.update({'channel' : interface_config['channel']})
+        else:
+            tmp.update({'channel' : '-'})
+
+        output_data.append(tmp)
+
+    return output_data
+
+def _get_formatted_info_output(raw_data):
+    output=[]
+    for ssid in raw_data:
+        output.append([ssid['name'], ssid['type'], ssid['ssid'], ssid['channel']])
+
+    headers = ["Interface", "Type", "SSID", "Channel"]
+    print(tabulate(output, headers, numalign="left"))
+
+def _get_raw_scan_data(intf_name):
+    # XXX: This ignores errors
+    tmp, _ = popen(f'iw dev {intf_name} scan ap-force')
+    networks = []
+    data = {
+        'ssid': '',
+        'mac': '',
+        'channel': '',
+        'signal': ''
+    }
+    re_mac = re.compile(r'([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})')
+    for line in tmp.splitlines():
+        if line.startswith('BSS '):
+            ssid = deepcopy(data)
+            ssid['mac'] = re.search(re_mac, line).group()
+
+        elif line.lstrip().startswith('SSID: '):
+            # SSID can be "    SSID: WLAN-57 6405", thus strip all leading whitespaces
+            ssid['ssid'] = line.lstrip().split(':')[-1].lstrip()
+
+        elif line.lstrip().startswith('signal: '):
+            # Siganl can be "   signal: -67.00 dBm", thus strip all leading whitespaces
+            ssid['signal'] = line.lstrip().split(':')[-1].split()[0]
+
+        elif line.lstrip().startswith('DS Parameter set: channel'):
+            # Channel can be "        DS Parameter set: channel 6" , thus
+            # strip all leading whitespaces
+            ssid['channel'] = line.lstrip().split(':')[-1].split()[-1]
+            networks.append(ssid)
+            continue
+
+    return networks
+
+def _format_scan_data(raw_data):
+    output=[]
+    for ssid in raw_data:
+        output.append([ssid['mac'], ssid['ssid'], ssid['channel'], ssid['signal']])
+    headers = ["Address", "SSID", "Channel", "Signal (dbm)"]
+    return tabulate(output, headers, numalign="left")
+
+def _get_raw_station_data(intf_name):
+    # XXX: This ignores errors
+    tmp, _ = popen(f'iw dev {intf_name} station dump')
+    clients = []
+    data = {
+        'mac': '',
+        'signal': '',
+        'rx_bytes': '',
+        'rx_packets': '',
+        'tx_bytes': '',
+        'tx_packets': ''
+    }
+    re_mac = re.compile(r'([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})')
+    for line in tmp.splitlines():
+        if line.startswith('Station'):
+            client = deepcopy(data)
+            client['mac'] = re.search(re_mac, line).group()
+
+        elif line.lstrip().startswith('signal avg:'):
+            client['signal'] = line.lstrip().split(':')[-1].lstrip().split()[0]
+
+        elif line.lstrip().startswith('rx bytes:'):
+            client['rx_bytes'] = line.lstrip().split(':')[-1].lstrip()
+
+        elif line.lstrip().startswith('rx packets:'):
+            client['rx_packets'] = line.lstrip().split(':')[-1].lstrip()
+
+        elif line.lstrip().startswith('tx bytes:'):
+            client['tx_bytes'] = line.lstrip().split(':')[-1].lstrip()
+
+        elif line.lstrip().startswith('tx packets:'):
+            client['tx_packets'] = line.lstrip().split(':')[-1].lstrip()
+            clients.append(client)
+            continue
+
+    return clients
+
+def _format_station_data(raw_data):
+    output=[]
+    for ssid in raw_data:
+        output.append([ssid['mac'], ssid['signal'], ssid['rx_bytes'], ssid['rx_packets'], ssid['tx_bytes'], ssid['tx_packets']])
+    headers = ["Station", "Signal", "RX bytes", "RX packets", "TX bytes", "TX packets"]
+    return tabulate(output, headers, numalign="left")
+
+@_verify
+def show_info(raw: bool):
+    info_data = _get_raw_info_data()
+    if raw:
+        return info_data
+    return _get_formatted_info_output(info_data)
+
+def show_scan(raw: bool, intf_name: str):
+    data = _get_raw_scan_data(intf_name)
+    if raw:
+        return data
+    return _format_scan_data(data)
+
+@_verify
+def show_stations(raw: bool, intf_name: str):
+    data = _get_raw_station_data(intf_name)
+    if raw:
+        return data
+    return _format_station_data(data)
+
+if __name__ == '__main__':
+    try:
+        res = vyos.opmode.run(sys.modules[__name__])
+        if res:
+            print(res)
+    except (ValueError, vyos.opmode.Error) as e:
+        print(e)
+        sys.exit(1)
diff --git a/src/op_mode/ipsec.py b/src/op_mode/ipsec.py
index 57d3cfed9..44d41219e 100755
--- a/src/op_mode/ipsec.py
+++ b/src/op_mode/ipsec.py
@@ -779,6 +779,45 @@ def show_ra_summary(raw: bool):
     return _get_formatted_output_ra_summary(list_sa)
 
 
+# PSK block
+def _get_raw_psk():
+    conf: ConfigTreeQuery = ConfigTreeQuery()
+    config_path = ['vpn', 'ipsec', 'authentication', 'psk']
+    psk_config = conf.get_config_dict(config_path, key_mangling=('-', '_'),
+                                       get_first_key=True,
+                                       no_tag_node_value_mangle=True)
+
+    psk_list = []
+    for psk, psk_data in psk_config.items():
+        psk_data['psk'] = psk
+        psk_list.append(psk_data)
+
+    return psk_list
+
+
+def _get_formatted_psk(psk_list):
+    headers = ["PSK", "Id", "Secret"]
+    formatted_data = []
+
+    for psk_data in psk_list:
+        formatted_data.append([psk_data["psk"], "\n".join(psk_data["id"]), psk_data["secret"]])
+
+    return tabulate(formatted_data, headers=headers)
+
+
+def show_psk(raw: bool):
+    config = ConfigTreeQuery()
+    if not config.exists('vpn ipsec authentication psk'):
+        raise vyos.opmode.UnconfiguredSubsystem('VPN ipsec psk authentication is not configured')
+
+    psk = _get_raw_psk()
+    if raw:
+        return psk
+    return _get_formatted_psk(psk)
+
+# PSK block end
+
+
 if __name__ == '__main__':
     try:
         res = vyos.opmode.run(sys.modules[__name__])
diff --git a/src/op_mode/lldp.py b/src/op_mode/lldp.py
index c287b8fa6..58cfce443 100755
--- a/src/op_mode/lldp.py
+++ b/src/op_mode/lldp.py
@@ -114,7 +114,10 @@ def _get_formatted_output(raw_data):
 
             # Remote software platform
             platform = jmespath.search('chassis.[*][0][0].descr', values)
-            tmp.append(platform[:37])
+            if platform:
+                tmp.append(platform[:37])
+            else:
+                tmp.append('')
 
             # Remote interface
             interface = jmespath.search('port.descr', values)
diff --git a/src/op_mode/mtr.py b/src/op_mode/mtr.py
new file mode 100644
index 000000000..de139f2fa
--- /dev/null
+++ b/src/op_mode/mtr.py
@@ -0,0 +1,306 @@
+#! /usr/bin/env python3
+
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import socket
+import ipaddress
+
+from vyos.utils.network import interface_list
+from vyos.utils.network import vrf_list
+from vyos.utils.process import call
+
+options = {
+    'report': {
+        'mtr': '{command} --report',
+        'type': 'noarg',
+        'help': 'This option puts mtr into report mode. When in this mode, mtr will run for the number of cycles specified by the -c option, and then print statistics and exit.'
+    },
+    'report-wide': {
+        'mtr': '{command} --report-wide',
+        'type': 'noarg',
+        'help': 'This option puts mtr into wide report mode. When in this mode, mtr will not cut hostnames in the report.'
+    },
+    'raw': {
+        'mtr': '{command} --raw',
+        'type': 'noarg',
+        'help': 'Use the raw output format. This format is better suited for archival of the measurement results.'
+    },
+    'json': {
+        'mtr': '{command} --json',
+        'type': 'noarg',
+        'help': 'Use this option to tell mtr to use the JSON output format.'
+    },
+    'split': {
+        'mtr': '{command} --split',
+        'type': 'noarg',
+        'help': 'Use this option to set mtr to spit out a format that is suitable for a split-user interface.'
+    },
+    'no-dns': {
+        'mtr': '{command} --no-dns',
+        'type': 'noarg',
+        'help': 'Use this option to force mtr to display numeric IP numbers and not try to resolve the host names.'
+    },
+    'show-ips': {
+        'mtr': '{command} --show-ips {value}',
+        'type': '<num>',
+        'help': 'Use this option to tell mtr to display both the host names and numeric IP numbers.'
+    },
+    'ipinfo': {
+        'mtr': '{command} --ipinfo {value}',
+        'type': '<num>',
+        'help': 'Displays information about each IP hop.'
+    },
+    'aslookup': {
+        'mtr': '{command} --aslookup',
+        'type': 'noarg',
+        'help': 'Displays the Autonomous System (AS) number alongside each hop. Equivalent to --ipinfo 0.'
+    },
+    'interval': {
+        'mtr': '{command} --interval {value}',
+        'type': '<num>',
+        'help': 'Use this option to specify the positive number of seconds between ICMP ECHO requests. The default value for this parameter is one second. The root user may choose values between zero and one.'
+    },
+    'report-cycles': {
+        'mtr': '{command} --report-cycles {value}',
+        'type': '<num>',
+        'help': 'Use this option to set the number of pings sent to determine both the machines on the network and the reliability of those machines.  Each cycle lasts one second.'
+    },
+    'psize': {
+        'mtr': '{command} --psize {value}',
+        'type': '<num>',
+        'help': 'This option sets the packet size used for probing. It is in bytes, inclusive IP and ICMP headers. If set to a negative number, every iteration will use a different, random packet size up to that number.'
+    },
+    'bitpattern': {
+        'mtr': '{command} --bitpattern {value}',
+        'type': '<num>',
+        'help': 'Specifies bit pattern to use in payload. Should be within range 0 - 255. If NUM is greater than 255, a random pattern is used.'
+    },
+    'gracetime': {
+        'mtr': '{command} --gracetime {value}',
+        'type': '<num>',
+        'help': 'Use this option to specify the positive number of seconds to wait for responses after the final request. The default value is five seconds.'
+    },
+    'tos': {
+        'mtr': '{command} --tos {value}',
+        'type': '<tos>',
+        'help': 'Specifies value for type of service field in IP header. Should be within range 0 - 255.'
+    },
+    'mpls': {
+        'mtr': '{command} --mpls {value}',
+        'type': 'noarg',
+        'help': 'Use this option to tell mtr to display information from ICMP extensions for MPLS (RFC 4950) that are encoded in the response packets.'
+    },
+    'interface': {
+        'mtr': '{command} --interface {value}',
+        'type': '<interface>',
+        'helpfunction': interface_list,
+        'help': 'Use the network interface with a specific name for sending network probes. This can be useful when you have multiple network interfaces with routes to your destination, for example both wired Ethernet and WiFi, and wish to test a particular interface.'
+    },
+    'address': {
+        'mtr': '{command} --address {value}',
+        'type': '<x.x.x.x> <h:h:h:h:h:h:h:h>',
+        'help': 'Use this option to bind the outgoing socket to ADDRESS, so that all packets will be sent with ADDRESS as source address.'
+    },
+    'first-ttl': {
+        'mtr': '{command} --first-ttl {value}',
+        'type': '<num>',
+        'help': 'Specifies with what TTL to start. Defaults to 1.'
+    },
+    'max-ttl': {
+        'mtr': '{command} --max-ttl {value}',
+        'type': '<num>',
+        'help': 'Specifies the maximum number of hops or max time-to-live value mtr will probe. Default is 30.'
+    },
+    'max-unknown': {
+        'mtr': '{command} --max-unknown {value}',
+        'type': '<num>',
+        'help': 'Specifies the maximum unknown host. Default is 5.'
+    },
+    'udp': {
+        'mtr': '{command} --udp',
+        'type': 'noarg',
+        'help': 'Use UDP datagrams instead of ICMP ECHO.'
+    },
+    'tcp': {
+        'mtr': '{command} --tcp',
+        'type': 'noarg',
+        'help': ' Use TCP SYN packets instead of ICMP ECHO. PACKETSIZE is ignored, since SYN packets can not contain data.'
+    },
+    'sctp': {
+        'mtr': '{command} --sctp',
+        'type': 'noarg',
+        'help': 'Use Stream Control Transmission Protocol packets instead of ICMP ECHO.'
+    },
+    'port': {
+        'mtr': '{command} --port {value}',
+        'type': '<port>',
+        'help': 'The target port number for TCP/SCTP/UDP traces.'
+    },
+    'localport': {
+        'mtr': '{command} --localport {value}',
+        'type': '<port>',
+        'help': 'The source port number for UDP traces.'
+    },
+    'timeout': {
+        'mtr': '{command} --timeout {value}',
+        'type': '<num>',
+        'help': ' The number of seconds to keep probe sockets open before giving up on the connection.'
+    },
+    'mark': {
+        'mtr': '{command} --mark {value}',
+        'type': '<num>',
+        'help': ' Set the mark for each packet sent through this socket similar to the netfilter MARK target but socket-based. MARK is 32 unsigned integer.'
+    },
+    'vrf': {
+        'mtr': 'sudo ip vrf exec {value} {command}',
+        'type': '<vrf>',
+        'help': 'Use specified VRF table',
+        'helpfunction': vrf_list,
+        'dflt': 'default'
+        }
+    }
+
+mtr = {
+    4: '/bin/mtr -4',
+    6: '/bin/mtr -6',
+}
+
+class List(list):
+    def first(self):
+        return self.pop(0) if self else ''
+
+    def last(self):
+        return self.pop() if self else ''
+
+    def prepend(self, value):
+        self.insert(0, value)
+
+
+def completion_failure(option: str) -> None:
+    """
+    Shows failure message after TAB when option is wrong
+    :param option: failure option
+    :type str:
+    """
+    sys.stderr.write('\n\n Invalid option: {}\n\n'.format(option))
+    sys.stdout.write('<nocomps>')
+    sys.exit(1)
+
+
+def expension_failure(option, completions):
+    reason = 'Ambiguous' if completions else 'Invalid'
+    sys.stderr.write(
+        '\n\n  {} command: {} [{}]\n\n'.format(reason, ' '.join(sys.argv),
+                                               option))
+    if completions:
+        sys.stderr.write('  Possible completions:\n   ')
+        sys.stderr.write('\n   '.join(completions))
+        sys.stderr.write('\n')
+    sys.stdout.write('<nocomps>')
+    sys.exit(1)
+
+
+def complete(prefix):
+    return [o for o in options if o.startswith(prefix)]
+
+
+def convert(command, args):
+    while args:
+        shortname = args.first()
+        longnames = complete(shortname)
+        if len(longnames) != 1:
+            expension_failure(shortname, longnames)
+        longname = longnames[0]
+        if options[longname]['type'] == 'noarg':
+            command = options[longname]['mtr'].format(
+                command=command, value='')
+        elif not args:
+            sys.exit(f'mtr: missing argument for {longname} option')
+        else:
+            command = options[longname]['mtr'].format(
+                command=command, value=args.first())
+    return command
+
+
+if __name__ == '__main__':
+    args = List(sys.argv[1:])
+    host = args.first()
+
+    if not host:
+        sys.exit("mtr: Missing host")
+
+
+    if host == '--get-options' or host == '--get-options-nested':
+        if host == '--get-options-nested':
+            args.first()  # pop monitor
+        args.first()  # pop mtr | traceroute
+        args.first()  # pop IP
+        usedoptionslist = []
+        while args:
+            option = args.first()  # pop option
+            matched = complete(option)  # get option parameters
+            usedoptionslist.append(option)  # list of used options
+            # Select options
+            if not args:
+                # remove from Possible completions used options
+                for o in usedoptionslist:
+                    if o in matched:
+                        matched.remove(o)
+                sys.stdout.write(' '.join(matched))
+                sys.exit(0)
+
+            if len(matched) > 1:
+                sys.stdout.write(' '.join(matched))
+                sys.exit(0)
+            # If option doesn't have value
+            if matched:
+                if options[matched[0]]['type'] == 'noarg':
+                    continue
+            else:
+                # Unexpected option
+                completion_failure(option)
+
+            value = args.first()  # pop option's value
+            if not args:
+                matched = complete(option)
+                helplines = options[matched[0]]['type']
+                # Run helpfunction to get list of possible values
+                if 'helpfunction' in options[matched[0]]:
+                    result = options[matched[0]]['helpfunction']()
+                    if result:
+                        helplines = '\n' + ' '.join(result)
+                sys.stdout.write(helplines)
+                sys.exit(0)
+
+    for name, option in options.items():
+        if 'dflt' in option and name not in args:
+            args.append(name)
+            args.append(option['dflt'])
+
+    try:
+        ip = socket.gethostbyname(host)
+    except UnicodeError:
+        sys.exit(f'mtr: Unknown host: {host}')
+    except socket.gaierror:
+        ip = host
+
+    try:
+        version = ipaddress.ip_address(ip).version
+    except ValueError:
+        sys.exit(f'mtr: Unknown host: {host}')
+
+    command = convert(mtr[version], args)
+    call(f'{command} --curses --displaymode 0 {host}')
diff --git a/src/op_mode/nat.py b/src/op_mode/nat.py
index 71a40c0e1..2bc7e24fe 100755
--- a/src/op_mode/nat.py
+++ b/src/op_mode/nat.py
@@ -28,9 +28,6 @@ from vyos.configquery import ConfigTreeQuery
 from vyos.utils.process import cmd
 from vyos.utils.dict import dict_search
 
-base = 'nat'
-unconf_message = 'NAT is not configured'
-
 ArgDirection = typing.Literal['source', 'destination']
 ArgFamily = typing.Literal['inet', 'inet6']
 
@@ -293,8 +290,9 @@ def _verify(func):
     @wraps(func)
     def _wrapper(*args, **kwargs):
         config = ConfigTreeQuery()
+        base = 'nat66' if 'inet6' in sys.argv[1:] else 'nat'
         if not config.exists(base):
-            raise vyos.opmode.UnconfiguredSubsystem(unconf_message)
+            raise vyos.opmode.UnconfiguredSubsystem(f'{base.upper()} is not configured')
         return func(*args, **kwargs)
     return _wrapper
 
diff --git a/src/op_mode/ping.py b/src/op_mode/ping.py
index f1d87a118..583d8792c 100755
--- a/src/op_mode/ping.py
+++ b/src/op_mode/ping.py
@@ -1,6 +1,6 @@
 #! /usr/bin/env python3
 
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -14,29 +14,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
 import sys
 import socket
 import ipaddress
-from vyos.utils.network import get_all_vrfs
-from vyos.ifconfig import Section
-
-
-def interface_list() -> list:
-    """
-    Get list of interfaces in system
-    :rtype: list
-    """
-    return Section.interfaces()
-
-
-def vrf_list() -> list:
-    """
-    Get list of VRFs in system
-    :rtype: list
-    """
-    return list(get_all_vrfs().keys())
 
+from vyos.utils.network import interface_list
+from vyos.utils.network import vrf_list
+from vyos.utils.process import call
 
 options = {
     'audible': {
@@ -295,6 +279,4 @@ if __name__ == '__main__':
         sys.exit(f'ping: Unknown host: {host}')
 
     command = convert(ping[version], args)
-
-    # print(f'{command} {host}')
-    os.system(f'{command} {host}')
+    call(f'{command} {host}')
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index 35c7ce0e2..ad2c1ada0 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -25,6 +25,7 @@ from cryptography import x509
 from cryptography.x509.oid import ExtendedKeyUsageOID
 
 from vyos.config import Config
+from vyos.config import config_dict_mangle_acme
 from vyos.pki import encode_certificate, encode_public_key, encode_private_key, encode_dh_parameters
 from vyos.pki import get_certificate_fingerprint
 from vyos.pki import create_certificate, create_certificate_request, create_certificate_revocation_list
@@ -79,9 +80,14 @@ def get_config_certificate(name=None):
         if not conf.exists(base + ['private', 'key']) or not conf.exists(base + ['certificate']):
             return False
 
-    return conf.get_config_dict(base, key_mangling=('-', '_'),
+    pki = conf.get_config_dict(base, key_mangling=('-', '_'),
                                 get_first_key=True,
                                 no_tag_node_value_mangle=True)
+    if pki:
+        for certificate in pki:
+            pki[certificate] = config_dict_mangle_acme(certificate, pki[certificate])
+
+    return pki
 
 def get_certificate_ca(cert, ca_certs):
     # Find CA certificate for given certificate
@@ -896,11 +902,15 @@ def show_certificate(name=None, pem=False):
             cert_subject_cn = cert.subject.rfc4514_string().split(",")[0]
             cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0]
             cert_type = 'Unknown'
-            ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
-            if ext and ExtendedKeyUsageOID.SERVER_AUTH in ext.value:
-                cert_type = 'Server'
-            elif ext and ExtendedKeyUsageOID.CLIENT_AUTH in ext.value:
-                cert_type = 'Client'
+
+            try:
+                ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
+                if ext and ExtendedKeyUsageOID.SERVER_AUTH in ext.value:
+                    cert_type = 'Server'
+                elif ext and ExtendedKeyUsageOID.CLIENT_AUTH in ext.value:
+                    cert_type = 'Client'
+            except:
+                pass
 
             revoked = 'Yes' if 'revoke' in cert_dict else 'No'
             have_private = 'Yes' if 'private' in cert_dict and 'key' in cert_dict['private'] else 'No'
@@ -1069,7 +1079,9 @@ if __name__ == '__main__':
                 show_crl(None if args.crl == 'all' else args.crl, args.pem)
             else:
                 show_certificate_authority()
+                print('\n')
                 show_certificate()
+                print('\n')
                 show_crl()
     except KeyboardInterrupt:
         print("Aborted")
diff --git a/src/op_mode/raid.py b/src/op_mode/raid.py
new file mode 100755
index 000000000..fed8ae2c3
--- /dev/null
+++ b/src/op_mode/raid.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#
+import sys
+
+import vyos.opmode
+from vyos.raid import add_raid_member
+from vyos.raid import delete_raid_member
+
+def add(raid_set_name: str, member: str, by_id: bool = False):
+    try:
+        add_raid_member(raid_set_name, member, by_id)
+    except ValueError as e:
+        raise vyos.opmode.IncorrectValue(str(e))
+
+def delete(raid_set_name: str, member: str, by_id: bool = False):
+    try:
+        delete_raid_member(raid_set_name, member, by_id)
+    except ValueError as e:
+        raise vyos.opmode.IncorrectValue(str(e))
+
+if __name__ == '__main__':
+    try:
+        res = vyos.opmode.run(sys.modules[__name__])
+        if res:
+            print(res)
+    except (ValueError, vyos.opmode.Error) as e:
+        print(e)
+        sys.exit(1)
+
diff --git a/src/op_mode/restart_frr.py b/src/op_mode/restart_frr.py
index 5cce377eb..8841b0eca 100755
--- a/src/op_mode/restart_frr.py
+++ b/src/op_mode/restart_frr.py
@@ -139,7 +139,7 @@ def _reload_config(daemon):
 # define program arguments
 cmd_args_parser = argparse.ArgumentParser(description='restart frr daemons')
 cmd_args_parser.add_argument('--action', choices=['restart'], required=True, help='action to frr daemons')
-cmd_args_parser.add_argument('--daemon', choices=['bfdd', 'bgpd', 'ldpd', 'ospfd', 'ospf6d', 'isisd', 'ripd', 'ripngd', 'staticd', 'zebra', 'babeld'], required=False,  nargs='*', help='select single or multiple daemons')
+cmd_args_parser.add_argument('--daemon', choices=['zebra', 'staticd', 'bgpd', 'eigrpd', 'ospfd', 'ospf6d', 'ripd', 'ripngd', 'isisd', 'pimd', 'pim6d', 'ldpd', 'babeld', 'bfdd'], required=False,  nargs='*', help='select single or multiple daemons')
 # parse arguments
 cmd_args = cmd_args_parser.parse_args()
 
diff --git a/src/op_mode/show_users.py b/src/op_mode/show_users.py
index 8e4f12851..82bd585c9 100755
--- a/src/op_mode/show_users.py
+++ b/src/op_mode/show_users.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019 VyOS maintainers and contributors
+# Copyright (C) 2019-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -15,7 +15,6 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import argparse
 import pwd
-import spwd
 import struct
 import sys
 from time import ctime
@@ -48,6 +47,10 @@ def is_locked(user_name: str) -> bool:
     """Check if a given user has password in shadow db"""
 
     try:
+        import warnings
+        with warnings.catch_warnings():
+            warnings.filterwarnings("ignore",category=DeprecationWarning)
+            import spwd
         encrypted_password = spwd.getspnam(user_name)[1]
         return encrypted_password == '*' or encrypted_password.startswith('!')
     except (KeyError, PermissionError):
diff --git a/src/op_mode/show_wireless.py b/src/op_mode/show_wireless.py
deleted file mode 100755
index 340163057..000000000
--- a/src/op_mode/show_wireless.py
+++ /dev/null
@@ -1,149 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2019-2023 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import argparse
-import re
-
-from sys import exit
-from copy import deepcopy
-
-from vyos.config import Config
-from vyos.utils.process import popen
-
-parser = argparse.ArgumentParser()
-parser.add_argument("-s", "--scan", help="Scan for Wireless APs on given interface, e.g. 'wlan0'")
-parser.add_argument("-b", "--brief", action="store_true", help="Show wireless configuration")
-parser.add_argument("-c", "--stations", help="Show wireless clients connected on interface, e.g. 'wlan0'")
-
-def show_brief():
-    config = Config()
-    if len(config.list_effective_nodes('interfaces wireless')) == 0:
-        print("No Wireless interfaces configured")
-        exit(0)
-
-    interfaces = []
-    for intf in config.list_effective_nodes('interfaces wireless'):
-        config.set_level(f'interfaces wireless {intf}')
-        data = { 'name': intf }
-        data['type'] = config.return_effective_value('type') or '-'
-        data['ssid'] = config.return_effective_value('ssid') or '-'
-        data['channel'] = config.return_effective_value('channel') or '-'
-        interfaces.append(data)
-
-    return interfaces
-
-def ssid_scan(intf):
-    # XXX: This ignores errors
-    tmp, _ = popen(f'/sbin/iw dev {intf} scan ap-force')
-    networks = []
-    data = {
-        'ssid': '',
-        'mac': '',
-        'channel': '',
-        'signal': ''
-    }
-    re_mac = re.compile(r'([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})')
-    for line in tmp.splitlines():
-        if line.startswith('BSS '):
-            ssid = deepcopy(data)
-            ssid['mac'] = re.search(re_mac, line).group()
-
-        elif line.lstrip().startswith('SSID: '):
-            # SSID can be "    SSID: WLAN-57 6405", thus strip all leading whitespaces
-            ssid['ssid'] = line.lstrip().split(':')[-1].lstrip()
-
-        elif line.lstrip().startswith('signal: '):
-            # Siganl can be "   signal: -67.00 dBm", thus strip all leading whitespaces
-            ssid['signal'] = line.lstrip().split(':')[-1].split()[0]
-
-        elif line.lstrip().startswith('DS Parameter set: channel'):
-            # Channel can be "        DS Parameter set: channel 6" , thus
-            # strip all leading whitespaces
-            ssid['channel'] = line.lstrip().split(':')[-1].split()[-1]
-            networks.append(ssid)
-            continue
-
-    return networks
-
-def show_clients(intf):
-    # XXX: This ignores errors
-    tmp, _ = popen(f'/sbin/iw dev {intf} station dump')
-    clients = []
-    data = {
-        'mac': '',
-        'signal': '',
-        'rx_bytes': '',
-        'rx_packets': '',
-        'tx_bytes': '',
-        'tx_packets': ''
-    }
-    re_mac = re.compile(r'([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})')
-    for line in tmp.splitlines():
-        if line.startswith('Station'):
-            client = deepcopy(data)
-            client['mac'] = re.search(re_mac, line).group()
-
-        elif line.lstrip().startswith('signal avg:'):
-            client['signal'] = line.lstrip().split(':')[-1].lstrip().split()[0]
-
-        elif line.lstrip().startswith('rx bytes:'):
-            client['rx_bytes'] = line.lstrip().split(':')[-1].lstrip()
-
-        elif line.lstrip().startswith('rx packets:'):
-            client['rx_packets'] = line.lstrip().split(':')[-1].lstrip()
-
-        elif line.lstrip().startswith('tx bytes:'):
-            client['tx_bytes'] = line.lstrip().split(':')[-1].lstrip()
-
-        elif line.lstrip().startswith('tx packets:'):
-            client['tx_packets'] = line.lstrip().split(':')[-1].lstrip()
-            clients.append(client)
-            continue
-
-    return clients
-
-if __name__ == '__main__':
-    args = parser.parse_args()
-
-    if args.scan:
-        print("Address            SSID                          Channel  Signal (dbm)")
-        for network in ssid_scan(args.scan):
-            print("{:<17}  {:<32}  {:>3}  {}".format(network['mac'],
-                                                     network['ssid'],
-                                                     network['channel'],
-                                                     network['signal']))
-        exit(0)
-
-    elif args.brief:
-        print("Interface  Type          SSID                         Channel")
-        for intf in show_brief():
-            print("{:<9}  {:<12}  {:<32} {:>3}".format(intf['name'],
-                                                      intf['type'],
-                                                      intf['ssid'],
-                                                      intf['channel']))
-        exit(0)
-
-    elif args.stations:
-        print("Station            Signal     RX: bytes    packets        TX: bytes     packets")
-        for client in show_clients(args.stations):
-            print("{:<17}  {:>3}  {:>15}  {:>9}  {:>15}  {:>10} ".format(client['mac'],
-                                                 client['signal'], client['rx_bytes'], client['rx_packets'], client['tx_bytes'], client['tx_packets']))
-
-        exit(0)
-
-    else:
-        parser.print_help()
-        exit(1)
diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py
new file mode 100755
index 000000000..acb066144
--- /dev/null
+++ b/src/op_mode/ssh.py
@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+#
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+import json
+import sys
+import glob
+import vyos.opmode
+from vyos.utils.process import cmd
+from vyos.configquery import ConfigTreeQuery
+from tabulate import tabulate
+
+def show_fingerprints(raw: bool, ascii: bool):
+    config = ConfigTreeQuery()
+    if not config.exists("service ssh"):
+        raise vyos.opmode.UnconfiguredSubsystem("SSH server is not enabled.")
+
+    publickeys = glob.glob("/etc/ssh/*.pub")
+
+    if publickeys:
+        keys = []
+        for keyfile in publickeys:
+            try:
+                if ascii:
+                    keydata = cmd("ssh-keygen -l -v -E sha256 -f " + keyfile).splitlines()
+                else:
+                    keydata = cmd("ssh-keygen -l -E sha256 -f " + keyfile).splitlines()
+                type = keydata[0].split(None)[-1].strip("()")
+                key_size = keydata[0].split(None)[0]
+                fingerprint = keydata[0].split(None)[1]
+                comment = keydata[0].split(None)[2:-1][0]
+                if ascii:
+                    ascii_art = "\n".join(keydata[1:])
+                    keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment, "ascii_art": ascii_art})
+                else:
+                    keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment})
+            except:
+                # Ignore invalid public keys
+                pass
+        if raw:
+            return keys
+        else:
+            headers = {"type": "Type", "key_size": "Key Size", "fingerprint": "Fingerprint", "comment": "Comment", "ascii_art": "ASCII Art"}
+            output = "SSH server public key fingerprints:\n\n" + tabulate(keys, headers=headers, tablefmt="simple")
+            return output
+    else:
+        if raw:
+            return []
+        else:
+            return "No SSH server public keys are found."
+
+def show_dynamic_protection(raw: bool):
+    config = ConfigTreeQuery()
+    if not config.exists(['service', 'ssh', 'dynamic-protection']):
+        raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.")
+
+    attackers = []
+    try:
+        # IPv4
+        attackers = attackers + json.loads(cmd("nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
+    except:
+        pass
+    try:
+        # IPv6
+        attackers = attackers + json.loads(cmd("nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
+    except:
+        pass
+    if attackers:
+        if raw:
+            return attackers
+        else:
+            output = "Blocked attackers:\n" + "\n".join(attackers)
+            return output
+    else:
+        if raw:
+            return []
+        else:
+            return "No blocked attackers."
+
+if __name__ == '__main__':
+    try:
+        res = vyos.opmode.run(sys.modules[__name__])
+        if res:
+            print(res)
+    except (ValueError, vyos.opmode.Error) as e:
+        print(e)
+        sys.exit(1)
diff --git a/src/op_mode/traceroute.py b/src/op_mode/traceroute.py
index 2f0edf53a..d2bac3f7c 100755
--- a/src/op_mode/traceroute.py
+++ b/src/op_mode/traceroute.py
@@ -14,29 +14,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
 import sys
 import socket
 import ipaddress
-from vyos.utils.network import get_all_vrfs
-from vyos.ifconfig import Section
-
-
-def interface_list() -> list:
-    """
-    Get list of interfaces in system
-    :rtype: list
-    """
-    return Section.interfaces()
-
-
-def vrf_list() -> list:
-    """
-    Get list of VRFs in system
-    :rtype: list
-    """
-    return list(get_all_vrfs().keys())
 
+from vyos.utils.network import interface_list
+from vyos.utils.network import vrf_list
+from vyos.utils.process import call
 
 options = {
     'backward-hops': {
@@ -251,6 +235,4 @@ if __name__ == '__main__':
         sys.exit(f'traceroute: Unknown host: {host}')
 
     command = convert(traceroute[version], args)
-
-    # print(f'{command} {host}')
-    os.system(f'{command} {host}')
+    call(f'{command} {host}')
diff --git a/src/op_mode/zone.py b/src/op_mode/zone.py
deleted file mode 100755
index 17ce90396..000000000
--- a/src/op_mode/zone.py
+++ /dev/null
@@ -1,215 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2023 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import typing
-import sys
-import vyos.opmode
-
-import tabulate
-from vyos.configquery import ConfigTreeQuery
-from vyos.utils.dict import dict_search_args
-from vyos.utils.dict import dict_search
-
-
-def get_config_zone(conf, name=None):
-    config_path = ['firewall', 'zone']
-    if name:
-        config_path += [name]
-
-    zone_policy = conf.get_config_dict(config_path, key_mangling=('-', '_'),
-                                       get_first_key=True,
-                                       no_tag_node_value_mangle=True)
-    return zone_policy
-
-
-def _convert_one_zone_data(zone: str, zone_config: dict) -> dict:
-    """
-    Convert config dictionary of one zone to API dictionary
-    :param zone: Zone name
-    :type zone: str
-    :param zone_config: config dictionary
-    :type zone_config: dict
-    :return: AP dictionary
-    :rtype: dict
-    """
-    list_of_rules = []
-    intrazone_dict = {}
-    if dict_search('from', zone_config):
-        for from_zone, from_zone_config in zone_config['from'].items():
-            from_zone_dict = {'name': from_zone}
-            if dict_search('firewall.name', from_zone_config):
-                from_zone_dict['firewall'] = dict_search('firewall.name',
-                                                         from_zone_config)
-            if dict_search('firewall.ipv6_name', from_zone_config):
-                from_zone_dict['firewall_v6'] = dict_search(
-                    'firewall.ipv6_name', from_zone_config)
-            list_of_rules.append(from_zone_dict)
-
-    zone_dict = {
-        'name': zone,
-        'interface': dict_search('interface', zone_config),
-        'type': 'LOCAL' if dict_search('local_zone',
-                                       zone_config) is not None else None,
-    }
-    if list_of_rules:
-        zone_dict['from'] = list_of_rules
-    if dict_search('intra_zone_filtering.firewall.name', zone_config):
-        intrazone_dict['firewall'] = dict_search(
-            'intra_zone_filtering.firewall.name', zone_config)
-    if dict_search('intra_zone_filtering.firewall.ipv6_name', zone_config):
-        intrazone_dict['firewall_v6'] = dict_search(
-            'intra_zone_filtering.firewall.ipv6_name', zone_config)
-    if intrazone_dict:
-        zone_dict['intrazone'] = intrazone_dict
-    return zone_dict
-
-
-def _convert_zones_data(zone_policies: dict) -> list:
-    """
-    Convert all config dictionary to API list of zone dictionaries
-    :param zone_policies: config dictionary
-    :type zone_policies: dict
-    :return: API list
-    :rtype: list
-    """
-    zone_list = []
-    for zone, zone_config in zone_policies.items():
-        zone_list.append(_convert_one_zone_data(zone, zone_config))
-    return zone_list
-
-
-def _convert_config(zones_config: dict, zone: str = None) -> list:
-    """
-    convert config to API list
-    :param zones_config: zones config
-    :type zones_config:
-    :param zone: zone name
-    :type zone: str
-    :return: API list
-    :rtype: list
-    """
-    if zone:
-        if zones_config:
-            output = [_convert_one_zone_data(zone, zones_config)]
-        else:
-            raise vyos.opmode.DataUnavailable(f'Zone {zone} not found')
-    else:
-        if zones_config:
-            output = _convert_zones_data(zones_config)
-        else:
-            raise vyos.opmode.UnconfiguredSubsystem(
-                'Zone entries are not configured')
-    return output
-
-
-def output_zone_list(zone_conf: dict) -> list:
-    """
-    Format one zone row
-    :param zone_conf: zone config
-    :type zone_conf: dict
-    :return: formatted list of zones
-    :rtype: list
-    """
-    zone_info = [zone_conf['name']]
-    if zone_conf['type'] == 'LOCAL':
-        zone_info.append('LOCAL')
-    else:
-        zone_info.append("\n".join(zone_conf['interface']))
-
-    from_zone = []
-    firewall = []
-    firewall_v6 = []
-    if 'intrazone' in zone_conf:
-        from_zone.append(zone_conf['name'])
-
-        v4_name = dict_search_args(zone_conf['intrazone'], 'firewall')
-        v6_name = dict_search_args(zone_conf['intrazone'], 'firewall_v6')
-        if v4_name:
-            firewall.append(v4_name)
-        else:
-            firewall.append('')
-        if v6_name:
-            firewall_v6.append(v6_name)
-        else:
-            firewall_v6.append('')
-
-    if 'from' in zone_conf:
-        for from_conf in zone_conf['from']:
-            from_zone.append(from_conf['name'])
-
-            v4_name = dict_search_args(from_conf, 'firewall')
-            v6_name = dict_search_args(from_conf, 'firewall_v6')
-            if v4_name:
-                firewall.append(v4_name)
-            else:
-                firewall.append('')
-            if v6_name:
-                firewall_v6.append(v6_name)
-            else:
-                firewall_v6.append('')
-
-    zone_info.append("\n".join(from_zone))
-    zone_info.append("\n".join(firewall))
-    zone_info.append("\n".join(firewall_v6))
-    return zone_info
-
-
-def get_formatted_output(zone_policy: list) -> str:
-    """
-    Formatted output of all zones
-    :param zone_policy: list of zones
-    :type zone_policy: list
-    :return: formatted table with zones
-    :rtype: str
-    """
-    headers = ["Zone",
-               "Interfaces",
-               "From Zone",
-               "Firewall IPv4",
-               "Firewall IPv6"
-               ]
-    formatted_list = []
-    for zone_conf in zone_policy:
-        formatted_list.append(output_zone_list(zone_conf))
-    tabulate.PRESERVE_WHITESPACE = True
-    output = tabulate.tabulate(formatted_list, headers, numalign="left")
-    return output
-
-
-def show(raw: bool, zone: typing.Optional[str]):
-    """
-    Show zone-policy command
-    :param raw: if API
-    :type raw: bool
-    :param zone: zone name
-    :type zone: str
-    """
-    conf: ConfigTreeQuery = ConfigTreeQuery()
-    zones_config: dict = get_config_zone(conf, zone)
-    zone_policy_api: list = _convert_config(zones_config, zone)
-    if raw:
-        return zone_policy_api
-    else:
-        return get_formatted_output(zone_policy_api)
-
-
-if __name__ == '__main__':
-    try:
-        res = vyos.opmode.run(sys.modules[__name__])
-        if res:
-            print(res)
-    except (ValueError, vyos.opmode.Error) as e:
-        print(e)
-        sys.exit(1)
diff --git a/src/pam-configs/mfa-google-authenticator b/src/pam-configs/mfa-google-authenticator
new file mode 100644
index 000000000..9e49e5ef9
--- /dev/null
+++ b/src/pam-configs/mfa-google-authenticator
@@ -0,0 +1,8 @@
+Name: Google Authenticator PAM module (2FA/MFA)
+Default: no
+Priority: 384
+
+Auth-Type: Primary
+Auth:
+    [default=ignore success=ok auth_err=die] pam_google_authenticator.so nullok forward_pass
+
diff --git a/src/pam-configs/radius b/src/pam-configs/radius
deleted file mode 100644
index 08247f77c..000000000
--- a/src/pam-configs/radius
+++ /dev/null
@@ -1,17 +0,0 @@
-Name: RADIUS authentication
-Default: no
-Priority: 257
-Auth-Type: Primary
-Auth:
-    [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
-    [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so
-
-Account-Type: Primary
-Account:
-    [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
-    [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
-
-Session-Type: Additional
-Session:
-    [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
-    [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so
diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory
new file mode 100644
index 000000000..3368fe7ff
--- /dev/null
+++ b/src/pam-configs/radius-mandatory
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+    [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so
+Auth:
+    [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=bad success=ok] pam_radius_auth.so
diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional
new file mode 100644
index 000000000..73085061d
--- /dev/null
+++ b/src/pam-configs/radius-optional
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+    [default=ignore success=end] pam_radius_auth.so
+Auth:
+    [default=ignore success=end] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so
diff --git a/src/pam-configs/tacplus b/src/pam-configs/tacplus
deleted file mode 100644
index 66a1eaa4c..000000000
--- a/src/pam-configs/tacplus
+++ /dev/null
@@ -1,17 +0,0 @@
-Name: TACACS+ authentication
-Default: no
-Priority: 257
-Auth-Type: Primary
-Auth:
-    [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
-    [authinfo_unavail=ignore success=end auth_err=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
-
-Account-Type: Primary
-Account:
-    [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
-    [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
-
-Session-Type: Additional
-Session:
-    [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
-    [authinfo_unavail=ignore success=ok default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory
new file mode 100644
index 000000000..ffccece19
--- /dev/null
+++ b/src/pam-configs/tacplus-mandatory
@@ -0,0 +1,17 @@
+Name: TACACS+ authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth:
+    [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Account-Type: Primary
+Account:
+    [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+    [default=bad success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Session-Type: Additional
+Session:
+    [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+    [default=bad success=ok] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional
new file mode 100644
index 000000000..095c3a164
--- /dev/null
+++ b/src/pam-configs/tacplus-optional
@@ -0,0 +1,17 @@
+Name: TACACS+ authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth:
+    [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Account-Type: Primary
+Account:
+    [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+    [default=ignore success=end auth_err=bad perm_denied=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Session-Type: Additional
+Session:
+    [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+    [default=ignore success=ok session_err=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 66e80ced5..40d442e30 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -1,6 +1,6 @@
 #!/usr/share/vyos-http-api-tools/bin/python3
 #
-# Copyright (C) 2019-2023 VyOS maintainers and contributors
+# Copyright (C) 2019-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -13,8 +13,6 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-#
 
 import os
 import sys
@@ -22,12 +20,15 @@ import grp
 import copy
 import json
 import logging
+import signal
 import traceback
 import threading
+
+from time import sleep
 from typing import List, Union, Callable, Dict
 
-import uvicorn
 from fastapi import FastAPI, Depends, Request, Response, HTTPException
+from fastapi import BackgroundTasks
 from fastapi.responses import HTMLResponse
 from fastapi.exceptions import RequestValidationError
 from fastapi.routing import APIRoute
@@ -36,15 +37,20 @@ from starlette.middleware.cors import CORSMiddleware
 from starlette.datastructures import FormData
 from starlette.formparsers import FormParser, MultiPartParser
 from multipart.multipart import parse_options_header
+from uvicorn import Config as UvicornConfig
+from uvicorn import Server as UvicornServer
 
 from ariadne.asgi import GraphQL
 
-import vyos.config
-from vyos.configsession import ConfigSession, ConfigSessionError
+from vyos.config import Config
+from vyos.configtree import ConfigTree
+from vyos.configdiff import get_config_diff
+from vyos.configsession import ConfigSession
+from vyos.configsession import ConfigSessionError
+from vyos.defaults import api_config_state
 
 import api.graphql.state
 
-DEFAULT_CONFIG_FILE = '/etc/vyos/http-api.conf'
 CFG_GROUP = 'vyattacfg'
 
 debug = True
@@ -62,7 +68,7 @@ else:
 lock = threading.Lock()
 
 def load_server_config():
-    with open(DEFAULT_CONFIG_FILE) as f:
+    with open(api_config_state) as f:
         config = json.load(f)
     return config
 
@@ -217,6 +223,19 @@ class ShowModel(ApiModel):
             }
         }
 
+class RebootModel(ApiModel):
+    op: StrictStr
+    path: List[StrictStr]
+
+    class Config:
+        schema_extra = {
+            "example": {
+                "key": "id_key",
+                "op": "reboot",
+                "path": ["op", "mode", "path"],
+            }
+        }
+
 class ResetModel(ApiModel):
     op: StrictStr
     path: List[StrictStr]
@@ -230,6 +249,19 @@ class ResetModel(ApiModel):
             }
         }
 
+class PoweroffModel(ApiModel):
+    op: StrictStr
+    path: List[StrictStr]
+
+    class Config:
+        schema_extra = {
+            "example": {
+                "key": "id_key",
+                "op": "poweroff",
+                "path": ["op", "mode", "path"],
+            }
+        }
+
 
 class Success(BaseModel):
     success: bool
@@ -410,12 +442,24 @@ app.router.route_class = MultipartRoute
 async def validation_exception_handler(request, exc):
     return error(400, str(exc.errors()[0]))
 
+self_ref_msg = "Requested HTTP API server configuration change; commit will be called in the background"
+
+def call_commit(s: ConfigSession):
+    try:
+        s.commit()
+    except ConfigSessionError as e:
+        s.discard()
+        if app.state.vyos_debug:
+            logger.warning(f"ConfigSessionError:\n {traceback.format_exc()}")
+        else:
+            logger.warning(f"ConfigSessionError: {e}")
+
 def _configure_op(data: Union[ConfigureModel, ConfigureListModel,
                               ConfigSectionModel, ConfigSectionListModel],
-                  request: Request):
+                  request: Request, background_tasks: BackgroundTasks):
     session = app.state.vyos_session
     env = session.get_session_env()
-    config = vyos.config.Config(session_env=env)
+    config = Config(session_env=env)
 
     endpoint = request.url.path
 
@@ -470,7 +514,15 @@ def _configure_op(data: Union[ConfigureModel, ConfigureListModel,
                 else:
                     raise ConfigSessionError(f"'{op}' is not a valid operation")
         # end for
-        session.commit()
+        config = Config(session_env=env)
+        d = get_config_diff(config)
+
+        if d.is_node_changed(['service', 'https']):
+            background_tasks.add_task(call_commit, session)
+            msg = self_ref_msg
+        else:
+            session.commit()
+
         logger.info(f"Configuration modified via HTTP API using key '{app.state.vyos_id}'")
     except ConfigSessionError as e:
         session.discard()
@@ -495,21 +547,21 @@ def _configure_op(data: Union[ConfigureModel, ConfigureListModel,
 
 @app.post('/configure')
 def configure_op(data: Union[ConfigureModel,
-                                   ConfigureListModel],
-                       request: Request):
-    return _configure_op(data, request)
+                             ConfigureListModel],
+                       request: Request, background_tasks: BackgroundTasks):
+    return _configure_op(data, request, background_tasks)
 
 @app.post('/configure-section')
 def configure_section_op(data: Union[ConfigSectionModel,
-                                           ConfigSectionListModel],
-                               request: Request):
-    return _configure_op(data, request)
+                                     ConfigSectionListModel],
+                               request: Request, background_tasks: BackgroundTasks):
+    return _configure_op(data, request, background_tasks)
 
 @app.post("/retrieve")
 async def retrieve_op(data: RetrieveModel):
     session = app.state.vyos_session
     env = session.get_session_env()
-    config = vyos.config.Config(session_env=env)
+    config = Config(session_env=env)
 
     op = data.op
     path = " ".join(data.path)
@@ -528,10 +580,10 @@ async def retrieve_op(data: RetrieveModel):
 
             res = session.show_config(path=data.path)
             if config_format == 'json':
-                config_tree = vyos.configtree.ConfigTree(res)
+                config_tree = ConfigTree(res)
                 res = json.loads(config_tree.to_json())
             elif config_format == 'json_ast':
-                config_tree = vyos.configtree.ConfigTree(res)
+                config_tree = ConfigTree(res)
                 res = json.loads(config_tree.to_json_ast())
             elif config_format == 'raw':
                 pass
@@ -548,10 +600,11 @@ async def retrieve_op(data: RetrieveModel):
     return success(res)
 
 @app.post('/config-file')
-def config_file_op(data: ConfigFileModel):
+def config_file_op(data: ConfigFileModel, background_tasks: BackgroundTasks):
     session = app.state.vyos_session
-
+    env = session.get_session_env()
     op = data.op
+    msg = None
 
     try:
         if op == 'save':
@@ -559,14 +612,23 @@ def config_file_op(data: ConfigFileModel):
                 path = data.file
             else:
                 path = '/config/config.boot'
-            res = session.save_config(path)
+            msg = session.save_config(path)
         elif op == 'load':
             if data.file:
                 path = data.file
             else:
                 return error(400, "Missing required field \"file\"")
-            res = session.migrate_and_load_config(path)
-            res = session.commit()
+
+            session.migrate_and_load_config(path)
+
+            config = Config(session_env=env)
+            d = get_config_diff(config)
+
+            if d.is_node_changed(['service', 'https']):
+                background_tasks.add_task(call_commit, session)
+                msg = self_ref_msg
+            else:
+                session.commit()
         else:
             return error(400, f"'{op}' is not a valid operation")
     except ConfigSessionError as e:
@@ -575,7 +637,7 @@ def config_file_op(data: ConfigFileModel):
         logger.critical(traceback.format_exc())
         return error(500, "An internal error occured. Check the logs for details.")
 
-    return success(res)
+    return success(msg)
 
 @app.post('/image')
 def image_op(data: ImageModel):
@@ -607,7 +669,7 @@ def image_op(data: ImageModel):
     return success(res)
 
 @app.post('/container-image')
-def image_op(data: ContainerImageModel):
+def container_image_op(data: ContainerImageModel):
     session = app.state.vyos_session
 
     op = data.op
@@ -677,6 +739,26 @@ def show_op(data: ShowModel):
 
     return success(res)
 
+@app.post('/reboot')
+def reboot_op(data: RebootModel):
+    session = app.state.vyos_session
+
+    op = data.op
+    path = data.path
+
+    try:
+        if op == 'reboot':
+            res = session.reboot(path)
+        else:
+            return error(400, f"'{op}' is not a valid operation")
+    except ConfigSessionError as e:
+        return error(400, str(e))
+    except Exception as e:
+        logger.critical(traceback.format_exc())
+        return error(500, "An internal error occured. Check the logs for details.")
+
+    return success(res)
+
 @app.post('/reset')
 def reset_op(data: ResetModel):
     session = app.state.vyos_session
@@ -697,12 +779,32 @@ def reset_op(data: ResetModel):
 
     return success(res)
 
+@app.post('/poweroff')
+def poweroff_op(data: PoweroffModel):
+    session = app.state.vyos_session
+
+    op = data.op
+    path = data.path
+
+    try:
+        if op == 'poweroff':
+            res = session.poweroff(path)
+        else:
+            return error(400, f"'{op}' is not a valid operation")
+    except ConfigSessionError as e:
+        return error(400, str(e))
+    except Exception as e:
+        logger.critical(traceback.format_exc())
+        return error(500, "An internal error occured. Check the logs for details.")
+
+    return success(res)
+
 
 ###
 # GraphQL integration
 ###
 
-def graphql_init(fast_api_app):
+def graphql_init(app: FastAPI = app):
     from api.graphql.libs.token_auth import get_user_context
     api.graphql.state.init()
     api.graphql.state.settings['app'] = app
@@ -728,30 +830,60 @@ def graphql_init(fast_api_app):
                                           debug=True,
                                           introspection=in_spec))
 ###
+# Modify uvicorn to allow reloading server within the configsession
+###
 
-if __name__ == '__main__':
-    # systemd's user and group options don't work, do it by hand here,
-    # else no one else will be able to commit
-    cfg_group = grp.getgrnam(CFG_GROUP)
-    os.setgid(cfg_group.gr_gid)
+server = None
+shutdown = False
 
-    # Need to set file permissions to 775 too so that every vyattacfg group member
-    # has write access to the running config
-    os.umask(0o002)
+class ApiServerConfig(UvicornConfig):
+    pass
 
+class ApiServer(UvicornServer):
+    def install_signal_handlers(self):
+        pass
+
+def reload_handler(signum, frame):
+    global server
+    logger.debug('Reload signal received...')
+    if server is not None:
+        server.handle_exit(signum, frame)
+        server = None
+        logger.info('Server stopping for reload...')
+    else:
+        logger.warning('Reload called for non-running server...')
+
+def shutdown_handler(signum, frame):
+    global shutdown
+    logger.debug('Shutdown signal received...')
+    server.handle_exit(signum, frame)
+    logger.info('Server shutdown...')
+    shutdown = True
+
+def flatten_keys(d: dict) -> list[dict]:
+    keys_list = []
+    for el in list(d['keys'].get('id', {})):
+        key = d['keys']['id'][el].get('key', '')
+        if key:
+            keys_list.append({'id': el, 'key': key})
+    return keys_list
+
+def initialization(session: ConfigSession, app: FastAPI = app):
+    global server
     try:
         server_config = load_server_config()
-    except Exception as err:
-        logger.critical(f"Failed to load the HTTP API server config: {err}")
+    except Exception as e:
+        logger.critical(f'Failed to load the HTTP API server config: {e}')
         sys.exit(1)
 
-    config_session = ConfigSession(os.getpid())
+    app.state.vyos_session = session
+    app.state.vyos_keys = []
 
-    app.state.vyos_session = config_session
-    app.state.vyos_keys = server_config['api_keys']
+    if 'keys' in server_config:
+        app.state.vyos_keys = flatten_keys(server_config)
 
-    app.state.vyos_debug = server_config['debug']
-    app.state.vyos_strict = server_config['strict']
+    app.state.vyos_debug = bool('debug' in server_config)
+    app.state.vyos_strict = bool('strict' in server_config)
     app.state.vyos_origins = server_config.get('cors', {}).get('allow_origin', [])
     if 'graphql' in server_config:
         app.state.vyos_graphql = True
@@ -760,7 +892,7 @@ if __name__ == '__main__':
                 app.state.vyos_introspection = True
             else:
                 app.state.vyos_introspection = False
-            # default value is merged in conf_mode http-api.py, if not set
+            # default values if not set explicitly
             app.state.vyos_auth_type = server_config['graphql']['authentication']['type']
             app.state.vyos_token_exp = server_config['graphql']['authentication']['expiration']
             app.state.vyos_secret_len = server_config['graphql']['authentication']['secret_length']
@@ -770,14 +902,36 @@ if __name__ == '__main__':
     if app.state.vyos_graphql:
         graphql_init(app)
 
+    config = ApiServerConfig(app, uds="/run/api.sock", proxy_headers=True)
+    server = ApiServer(config)
+
+def run_server():
     try:
-        if not server_config['socket']:
-            uvicorn.run(app, host=server_config["listen_address"],
-                             port=int(server_config["port"]),
-                             proxy_headers=True)
-        else:
-            uvicorn.run(app, uds="/run/api.sock",
-                             proxy_headers=True)
-    except OSError as err:
-        logger.critical(f"OSError {err}")
+        server.run()
+    except OSError as e:
+        logger.critical(e)
         sys.exit(1)
+
+if __name__ == '__main__':
+    # systemd's user and group options don't work, do it by hand here,
+    # else no one else will be able to commit
+    cfg_group = grp.getgrnam(CFG_GROUP)
+    os.setgid(cfg_group.gr_gid)
+
+    # Need to set file permissions to 775 too so that every vyattacfg group member
+    # has write access to the running config
+    os.umask(0o002)
+
+    signal.signal(signal.SIGHUP, reload_handler)
+    signal.signal(signal.SIGTERM, shutdown_handler)
+
+    config_session = ConfigSession(os.getpid())
+
+    while True:
+        logger.debug('Enter main loop...')
+        if shutdown:
+            break
+        if server is None:
+            initialization(config_session)
+            server.run()
+        sleep(1)
diff --git a/src/system/grub_update.py b/src/system/grub_update.py
new file mode 100644
index 000000000..3c851f0e0
--- /dev/null
+++ b/src/system/grub_update.py
@@ -0,0 +1,107 @@
+#!/usr/bin/env python3
+#
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This file is part of VyOS.
+#
+# VyOS is free software: you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation, either version 3 of the License, or (at your option) any later
+# version.
+#
+# VyOS is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# VyOS. If not, see <https://www.gnu.org/licenses/>.
+
+from pathlib import Path
+from sys import exit
+
+from vyos.system import disk, grub, image, compat, SYSTEM_CFG_VER
+from vyos.template import render
+
+
+def cfg_check_update() -> bool:
+    """Check if GRUB structure update is required
+
+    Returns:
+        bool: False if not required, True if required
+    """
+    current_ver = grub.get_cfg_ver()
+    if current_ver and current_ver >= SYSTEM_CFG_VER:
+        return False
+
+    return True
+
+
+if __name__ == '__main__':
+    if image.is_live_boot():
+        exit(0)
+
+    if image.is_running_as_container():
+        exit(0)
+
+    # Skip everything if update is not required
+    if not cfg_check_update():
+        exit(0)
+
+    # find root directory of persistent storage
+    root_dir = disk.find_persistence()
+
+    # read current GRUB config
+    grub_cfg_main = f'{root_dir}/{grub.GRUB_CFG_MAIN}'
+    vars = grub.vars_read(grub_cfg_main)
+    modules = grub.modules_read(grub_cfg_main)
+    vyos_menuentries = compat.parse_menuentries(grub_cfg_main)
+    vyos_versions = compat.find_versions(vyos_menuentries)
+    unparsed_items = compat.filter_unparsed(grub_cfg_main)
+    # compatibilty for raid installs
+    search_root = compat.get_search_root(unparsed_items)
+    common_dict = {}
+    common_dict['search_root'] = search_root
+    # find default values
+    default_entry = vyos_menuentries[int(vars['default'])]
+    default_settings = {
+        'default': grub.gen_version_uuid(default_entry['version']),
+        'bootmode': default_entry['bootmode'],
+        'console_type': default_entry['console_type'],
+        'console_num': default_entry['console_num']
+    }
+    vars.update(default_settings)
+
+    # create new files
+    grub_cfg_vars = f'{root_dir}/{grub.CFG_VYOS_VARS}'
+    grub_cfg_modules = f'{root_dir}/{grub.CFG_VYOS_MODULES}'
+    grub_cfg_platform = f'{root_dir}/{grub.CFG_VYOS_PLATFORM}'
+    grub_cfg_menu = f'{root_dir}/{grub.CFG_VYOS_MENU}'
+    grub_cfg_options = f'{root_dir}/{grub.CFG_VYOS_OPTIONS}'
+
+    Path(image.GRUB_DIR_VYOS).mkdir(exist_ok=True)
+    grub.vars_write(grub_cfg_vars, vars)
+    grub.modules_write(grub_cfg_modules, modules)
+    grub.common_write(grub_common=common_dict)
+    render(grub_cfg_menu, grub.TMPL_GRUB_MENU, {})
+    render(grub_cfg_options, grub.TMPL_GRUB_OPTS, {})
+
+    # create menu entries
+    for vyos_ver in vyos_versions:
+        boot_opts = None
+        for entry in vyos_menuentries:
+            if entry.get('version') == vyos_ver and entry.get(
+                    'bootmode') == 'normal':
+                boot_opts = entry.get('boot_opts')
+        grub.version_add(vyos_ver, root_dir, boot_opts)
+
+    # update structure version
+    cfg_ver = compat.update_cfg_ver(root_dir)
+    grub.write_cfg_ver(cfg_ver, root_dir)
+
+    if compat.mode():
+        compat.render_grub_cfg(root_dir)
+    else:
+        render(grub_cfg_main, grub.TMPL_GRUB_MAIN, {})
+
+    exit(0)
diff --git a/src/system/keepalived-fifo.py b/src/system/keepalived-fifo.py
index 5e19bdbad..6d33e372d 100755
--- a/src/system/keepalived-fifo.py
+++ b/src/system/keepalived-fifo.py
@@ -41,7 +41,7 @@ logger.addHandler(logs_handler_syslog)
 logger.setLevel(logging.DEBUG)
 
 mdns_running_file = '/run/mdns_vrrp_active'
-mdns_update_command = 'sudo /usr/libexec/vyos/conf_mode/service_mdns-repeater.py'
+mdns_update_command = 'sudo /usr/libexec/vyos/conf_mode/service_mdns_repeater.py'
 
 # class for all operations
 class KeepalivedFifo:
diff --git a/src/system/standalone_root_pw_reset b/src/system/standalone_root_pw_reset
new file mode 100755
index 000000000..c82cea321
--- /dev/null
+++ b/src/system/standalone_root_pw_reset
@@ -0,0 +1,178 @@
+#!/bin/bash
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author:	Bob Gilligan <gilligan@vyatta.com>
+# Description:	Standalone script to set the admin passwd to new value
+#		value.  Note:  This script can ONLY be run as a standalone
+#		init program by grub.
+#
+# **** End License ****
+
+# The Vyatta config file:
+CF=/opt/vyatta/etc/config/config.boot
+
+# Admin user name
+ADMIN=vyos
+
+set_encrypted_password() {
+    sed -i \
+       -e "/ user $1 {/,/encrypted-password/s/encrypted-password .*\$/encrypted-password \"$2\"/" $3
+}
+
+
+# How long to wait for user to respond, in seconds
+TIME_TO_WAIT=30
+
+change_password() {
+    local user=$1
+    local pwd1="1"
+    local pwd2="2"
+
+    until [ "$pwd1" == "$pwd2" ]
+    do
+        read -p "Enter $user password: " -r -s pwd1
+	echo
+	read -p "Retype $user password: " -r -s pwd2
+	echo
+
+	if [ "$pwd1" != "$pwd2" ]
+	then echo "Passwords do not match"
+	fi
+    done
+
+    # set the password for the user then store it in the config
+    # so the user is recreated on the next full system boot.
+    local epwd=$(mkpasswd --method=sha-512 "$pwd1")
+    # escape any slashes in resulting password
+    local eepwd=$(sed 's:/:\\/:g' <<< $epwd)
+    set_encrypted_password $user $eepwd $CF
+}
+
+# System is so messed up that doing anything would be a mistake
+dead() {
+    echo $*
+    echo
+    echo "This tool can only recover missing admininistrator password."
+    echo "It is not a full system restore"
+    echo
+    echo -n "Hit return to reboot system: "
+    read
+    /sbin/reboot -f
+}
+
+echo "Standalone root password recovery tool."
+echo
+#
+# Check to see if we are running in standalone mode.  We'll
+# know that we are if our pid is 1.
+#
+if [ "$$" != "1" ]; then
+    echo "This tool can only be run in standalone mode."
+    exit 1
+fi
+
+#
+# OK, now we know we are running in standalone mode.  Talk to the
+# user.
+#
+echo -n "Do you wish to reset the admin password? (y or n) "
+read -t $TIME_TO_WAIT response
+if [ "$?" != "0" ]; then
+    echo 
+    echo "Response not received in time."
+    echo "The admin password will not be reset."
+    echo "Rebooting in 5 seconds..."
+    sleep 5
+    echo
+    /sbin/reboot -f
+fi
+
+response=${response:0:1}
+if [ "$response" != "y" -a "$response" != "Y" ]; then
+    echo "OK, the admin password will not be reset."
+    echo -n "Rebooting in 5 seconds..."
+    sleep 5
+    echo
+    /sbin/reboot -f
+fi
+
+echo -en "Which admin account do you want to reset? [$ADMIN] "
+read admin_user
+ADMIN=${admin_user:-$ADMIN}
+
+echo "Starting process to reset the admin password..."
+
+echo "Re-mounting root filesystem read/write..."
+mount -o remount,rw /
+
+if [ ! -f /etc/passwd ]
+then dead "Missing password file"
+fi
+
+if [ ! -d /opt/vyatta/etc/config ]
+then dead "Missing VyOS config directory /opt/vyatta/etc/config"
+fi
+
+# Leftover from V3.0
+if grep -q /opt/vyatta/etc/config /etc/fstab
+then 
+    echo "Mounting the config filesystem..."
+    mount /opt/vyatta/etc/config/
+fi
+
+if [ ! -f $CF ]
+then dead "$CF file not found"
+fi
+
+if ! grep -q 'system {' $CF
+then dead "$CF file does not contain system settings"
+fi
+
+if ! grep -q ' login {' $CF
+then
+    # Recreate login section of system
+    sed -i -e '/system {/a\
+    login {\
+    }' $CF
+fi
+
+if ! grep -q " user $ADMIN " $CF
+then
+    echo "Recreating administrator $ADMIN in $CF..."
+    sed -i -e "/ login {/a\\
+        user $ADMIN {\\
+            authentication {\\
+                encrypted-password \$6$IhbXHdwgYkLnt/$VRIsIN5c2f2v4L2l4F9WPDrRDEtWXzH75yBswmWGERAdX7oBxmq6m.sWON6pO6mi6mrVgYBxdVrFcCP5bI.nt.\\
+                plaintext-password \"\"\\
+            }\\
+            level admin\\
+        }" $CF
+fi
+
+echo "Saving backup copy of config.boot..."
+cp $CF ${CF}.before_pwrecovery
+sync
+
+echo "Setting the administrator ($ADMIN) password..."
+change_password $ADMIN
+
+echo $(date "+%b%e %T") $(hostname) "Admin password changed" \
+    | tee -a /var/log/auth.log  >>/var/log/messages
+
+sync
+
+echo "System will reboot in 10 seconds..."
+sleep 10
+/sbin/reboot -f
diff --git a/src/system/uacctd_stop.py b/src/system/uacctd_stop.py
new file mode 100755
index 000000000..a1b57335b
--- /dev/null
+++ b/src/system/uacctd_stop.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Control pmacct daemons in a tricky way.
+# Pmacct has signal processing in a main loop, together with packet
+# processing. Because of this, while it is waiting for packets, it cannot
+# handle the control signal. We need to start the systemctl command and then
+# send some packets to pmacct to wake it up
+
+from argparse import ArgumentParser
+from socket import socket, AF_INET, SOCK_DGRAM
+from sys import exit
+from time import sleep
+
+from psutil import Process
+
+
+def stop_process(pid: int, timeout: int) -> None:
+    """Send a signal to uacctd
+    and then send packets to special address predefined in a firewall
+    to unlock main loop in uacctd and finish the process properly
+
+    Args:
+        pid (int): uacctd PID
+        timeout (int): seconds to wait for a process end
+    """
+    # find a process
+    uacctd = Process(pid)
+    uacctd.terminate()
+
+    # create a socket
+    trigger = socket(AF_INET, SOCK_DGRAM)
+
+    first_cycle: bool = True
+    while uacctd.is_running() and timeout:
+        print('sending a packet to uacctd...')
+        trigger.sendto(b'WAKEUP', ('127.0.254.0', 1))
+        # do not sleep during first attempt
+        if not first_cycle:
+            sleep(1)
+            timeout -= 1
+        first_cycle = False
+
+
+if __name__ == '__main__':
+    parser = ArgumentParser()
+    parser.add_argument('process_id',
+                        type=int,
+                        help='PID file of uacctd core process')
+    parser.add_argument('timeout',
+                        type=int,
+                        help='time to wait for process end')
+    args = parser.parse_args()
+    stop_process(args.process_id, args.timeout)
+    exit()
diff --git a/src/systemd/vyos-grub-update.service b/src/systemd/vyos-grub-update.service
new file mode 100644
index 000000000..522b13a33
--- /dev/null
+++ b/src/systemd/vyos-grub-update.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Update GRUB loader configuration structure
+After=local-fs.target
+Before=vyos-router.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/vyos/system/grub_update.py
+TimeoutSec=5
+KillMode=process
+StandardOutput=journal+console
+
+[Install]
+WantedBy=vyos-router.service
\ No newline at end of file
diff --git a/src/systemd/vyos-router.service b/src/systemd/vyos-router.service
index 6f683cebb..7a1638f11 100644
--- a/src/systemd/vyos-router.service
+++ b/src/systemd/vyos-router.service
@@ -1,7 +1,6 @@
 [Unit]
 Description=VyOS Router
 After=systemd-journald-dev-log.socket time-sync.target local-fs.target cloud-config.service
-Requires=frr.service
 Conflicts=shutdown.target
 Before=systemd-user-sessions.service
 
diff --git a/src/tests/test_dependency_graph.py b/src/tests/test_dependency_graph.py
new file mode 100644
index 000000000..f682e87bb
--- /dev/null
+++ b/src/tests/test_dependency_graph.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+from vyos.configdep import check_dependency_graph
+
+_here = os.path.dirname(__file__)
+ddir = os.path.join(_here, '../../data/config-mode-dependencies')
+
+from unittest import TestCase
+
+class TestDependencyGraph(TestCase):
+    def setUp(self):
+        pass
+
+    def test_acyclic(self):
+        res = check_dependency_graph(dependency_dir=ddir)
+        self.assertTrue(res)
diff --git a/src/tests/test_jinja_filters.py b/src/tests/test_jinja_filters.py
deleted file mode 100644
index 8a7241fe3..000000000
--- a/src/tests/test_jinja_filters.py
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-from unittest import TestCase
-
-from ipaddress import ip_network
-from vyos.template import address_from_cidr
-from vyos.template import netmask_from_cidr
-from vyos.template import is_ipv4
-from vyos.template import is_ipv6
-from vyos.template import first_host_address
-from vyos.template import last_host_address
-from vyos.template import inc_ip
-
-class TestTeamplteHelpers(TestCase):
-    def setUp(self):
-        pass
-
-    def test_helpers_from_cidr(self):
-        network_v4 = '192.0.2.0/26'
-        self.assertEqual(address_from_cidr(network_v4), str(ip_network(network_v4).network_address))
-        self.assertEqual(netmask_from_cidr(network_v4), str(ip_network(network_v4).netmask))
-
-    def test_helpers_ipv4(self):
-        self.assertTrue(is_ipv4('192.0.2.1'))
-        self.assertTrue(is_ipv4('192.0.2.0/24'))
-        self.assertTrue(is_ipv4('192.0.2.1/32'))
-        self.assertTrue(is_ipv4('10.255.1.2'))
-        self.assertTrue(is_ipv4('10.255.1.0/24'))
-        self.assertTrue(is_ipv4('10.255.1.2/32'))
-        self.assertFalse(is_ipv4('2001:db8::'))
-        self.assertFalse(is_ipv4('2001:db8::1'))
-        self.assertFalse(is_ipv4('2001:db8::/64'))
-
-    def test_helpers_ipv6(self):
-        self.assertFalse(is_ipv6('192.0.2.1'))
-        self.assertFalse(is_ipv6('192.0.2.0/24'))
-        self.assertFalse(is_ipv6('192.0.2.1/32'))
-        self.assertFalse(is_ipv6('10.255.1.2'))
-        self.assertFalse(is_ipv6('10.255.1.0/24'))
-        self.assertFalse(is_ipv6('10.255.1.2/32'))
-        self.assertTrue(is_ipv6('2001:db8::'))
-        self.assertTrue(is_ipv6('2001:db8::1'))
-        self.assertTrue(is_ipv6('2001:db8::1/64'))
-        self.assertTrue(is_ipv6('2001:db8::/32'))
-        self.assertTrue(is_ipv6('2001:db8::/64'))
-
-    def test_helpers_first_host_address(self):
-        self.assertEqual(first_host_address('10.0.0.0/24'), '10.0.0.1')
-        self.assertEqual(first_host_address('10.0.0.128/25'), '10.0.0.129')
-        self.assertEqual(first_host_address('10.0.0.200/29'), '10.0.0.201')
-
-        self.assertEqual(first_host_address('2001:db8::/64'), '2001:db8::')
-        self.assertEqual(first_host_address('2001:db8::/112'), '2001:db8::')
-        self.assertEqual(first_host_address('2001:db8::10/112'), '2001:db8::10')
-        self.assertEqual(first_host_address('2001:db8::100/112'), '2001:db8::100')
diff --git a/src/tests/test_task_scheduler.py b/src/tests/test_task_scheduler.py
index f15fcde88..130f825e6 100644
--- a/src/tests/test_task_scheduler.py
+++ b/src/tests/test_task_scheduler.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -17,16 +17,16 @@
 import os
 import tempfile
 import unittest
+import importlib
 
 from vyos import ConfigError
 
 try:
-    from src.conf_mode import task_scheduler
+    task_scheduler = importlib.import_module("src.conf_mode.system_task-scheduler")
 except ModuleNotFoundError:  # for unittest.main()
     import sys
     sys.path.append(os.path.join(os.path.dirname(__file__), '../..'))
-    from src.conf_mode import task_scheduler
-
+    task_scheduler = importlib.import_module("src.conf_mode.system_task-scheduler")
 
 class TestUpdateCrontab(unittest.TestCase):
 
diff --git a/src/tests/test_template.py b/src/tests/test_template.py
index 2d065f545..aba97015e 100644
--- a/src/tests/test_template.py
+++ b/src/tests/test_template.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -17,6 +17,7 @@
 import os
 import vyos.template
 
+from ipaddress import ip_network
 from unittest import TestCase
 
 class TestVyOSTemplate(TestCase):
@@ -67,6 +68,9 @@ class TestVyOSTemplate(TestCase):
             # ValueError: 2001:db8::1/48 has host bits set
             self.assertEqual(vyos.template.address_from_cidr('2001:db8::1/48'), '2001:db8::1')
 
+        network_v4 = '192.0.2.0/26'
+        self.assertEqual(vyos.template.address_from_cidr(network_v4), str(ip_network(network_v4).network_address))
+
     def test_netmask_from_cidr(self):
         self.assertEqual(vyos.template.netmask_from_cidr('192.0.2.0/24'),  '255.255.255.0')
         self.assertEqual(vyos.template.netmask_from_cidr('192.0.2.128/25'),  '255.255.255.128')
@@ -80,28 +84,35 @@ class TestVyOSTemplate(TestCase):
             # ValueError: 2001:db8:1:/64 has host bits set
             self.assertEqual(vyos.template.netmask_from_cidr('2001:db8:1:/64'), 'ffff:ffff:ffff:ffff::')
 
+        network_v4 = '192.0.2.0/26'
+        self.assertEqual(vyos.template.netmask_from_cidr(network_v4), str(ip_network(network_v4).netmask))
+
     def test_first_host_address(self):
-        self.assertEqual(vyos.template.first_host_address('10.0.0.0/24'),  '10.0.0.1')
-        self.assertEqual(vyos.template.first_host_address('10.0.0.128/25'),  '10.0.0.129')
-        self.assertEqual(vyos.template.first_host_address('2001:db8::/64'),  '2001:db8::')
+        self.assertEqual(vyos.template.first_host_address('10.0.0.0/24'), '10.0.0.1')
+        self.assertEqual(vyos.template.first_host_address('10.0.0.10/24'), '10.0.0.1')
+        self.assertEqual(vyos.template.first_host_address('10.0.0.255/24'), '10.0.0.1')
+        self.assertEqual(vyos.template.first_host_address('10.0.0.128/25'), '10.0.0.129')
+        self.assertEqual(vyos.template.first_host_address('2001:db8::/64'), '2001:db8::1')
+        self.assertEqual(vyos.template.first_host_address('2001:db8::1000/64'), '2001:db8::1')
+        self.assertEqual(vyos.template.first_host_address('2001:db8::ffff:ffff:ffff:ffff/64'), '2001:db8::1')
 
     def test_last_host_address(self):
-        self.assertEqual(vyos.template.last_host_address('10.0.0.0/24'),  '10.0.0.254')
-        self.assertEqual(vyos.template.last_host_address('10.0.0.128/25'),  '10.0.0.254')
-        self.assertEqual(vyos.template.last_host_address('2001:db8::/64'),  '2001:db8::ffff:ffff:ffff:ffff')
+        self.assertEqual(vyos.template.last_host_address('10.0.0.0/24'), '10.0.0.254')
+        self.assertEqual(vyos.template.last_host_address('10.0.0.128/25'), '10.0.0.254')
+        self.assertEqual(vyos.template.last_host_address('2001:db8::/64'), '2001:db8::ffff:ffff:ffff:ffff')
 
     def test_increment_ip(self):
-        self.assertEqual(vyos.template.inc_ip('10.0.0.0/24', '2'),  '10.0.0.2')
-        self.assertEqual(vyos.template.inc_ip('10.0.0.0', '2'),  '10.0.0.2')
-        self.assertEqual(vyos.template.inc_ip('10.0.0.0', '10'),  '10.0.0.10')
-        self.assertEqual(vyos.template.inc_ip('2001:db8::/64', '2'),  '2001:db8::2')
-        self.assertEqual(vyos.template.inc_ip('2001:db8::', '10'),  '2001:db8::a')
+        self.assertEqual(vyos.template.inc_ip('10.0.0.0/24', '2'), '10.0.0.2')
+        self.assertEqual(vyos.template.inc_ip('10.0.0.0', '2'), '10.0.0.2')
+        self.assertEqual(vyos.template.inc_ip('10.0.0.0', '10'), '10.0.0.10')
+        self.assertEqual(vyos.template.inc_ip('2001:db8::/64', '2'), '2001:db8::2')
+        self.assertEqual(vyos.template.inc_ip('2001:db8::', '10'), '2001:db8::a')
 
     def test_decrement_ip(self):
-        self.assertEqual(vyos.template.dec_ip('10.0.0.100/24', '1'),  '10.0.0.99')
-        self.assertEqual(vyos.template.dec_ip('10.0.0.90', '10'),  '10.0.0.80')
-        self.assertEqual(vyos.template.dec_ip('2001:db8::b/64', '10'),  '2001:db8::1')
-        self.assertEqual(vyos.template.dec_ip('2001:db8::f', '5'),  '2001:db8::a')
+        self.assertEqual(vyos.template.dec_ip('10.0.0.100/24', '1'), '10.0.0.99')
+        self.assertEqual(vyos.template.dec_ip('10.0.0.90', '10'), '10.0.0.80')
+        self.assertEqual(vyos.template.dec_ip('2001:db8::b/64', '10'), '2001:db8::1')
+        self.assertEqual(vyos.template.dec_ip('2001:db8::f', '5'), '2001:db8::a')
 
     def test_is_network(self):
         self.assertFalse(vyos.template.is_ip_network('192.0.2.0'))
@@ -181,4 +192,3 @@ class TestVyOSTemplate(TestCase):
         for group_name, group_config in data['ike_group'].items():
             ciphers = vyos.template.get_esp_ike_cipher(group_config)
             self.assertIn(IKEv2_DEFAULT, ','.join(ciphers))
-
diff --git a/src/validators/accel-radius-dictionary b/src/validators/accel-radius-dictionary
deleted file mode 100755
index 05287e770..000000000
--- a/src/validators/accel-radius-dictionary
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-DICT_PATH=/usr/share/accel-ppp/radius
-NAME=$1
-
-if [ -n "$NAME" -a -e $DICT_PATH/dictionary.$NAME ]; then
-    exit 0
-else
-    echo "$NAME is not a valid RADIUS dictionary name"
-    echo "Please make sure that $DICT_PATH/dictionary.$NAME file exists"
-    exit 1
-fi
-
diff --git a/src/validators/bgp-large-community-list b/src/validators/bgp-large-community-list
index 80112dfdc..9ba5b27eb 100755
--- a/src/validators/bgp-large-community-list
+++ b/src/validators/bgp-large-community-list
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -17,9 +17,8 @@
 import re
 import sys
 
-from vyos.template import is_ipv4
-
 pattern = '(.*):(.*):(.*)'
+allowedChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '.', '+', '*', '?', '^', '$', '(', ')', '[', ']', '{', '}', '|', '\\', ':', '-' }
 
 if __name__ == '__main__':
     if len(sys.argv) != 2:
@@ -29,8 +28,7 @@ if __name__ == '__main__':
     if not len(value) == 3:
         sys.exit(1)
 
-    if not (re.match(pattern, sys.argv[1]) and
-           (is_ipv4(value[0]) or value[0].isdigit()) and (value[1].isdigit() or value[1] == '*')):
+    if not (re.match(pattern, sys.argv[1]) and set(sys.argv[1]).issubset(allowedChars)):
         sys.exit(1)
 
     sys.exit(0)
diff --git a/src/validators/ddclient-protocol b/src/validators/ddclient-protocol
index 6f927927b..ce5efbd52 100755
--- a/src/validators/ddclient-protocol
+++ b/src/validators/ddclient-protocol
@@ -14,7 +14,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-ddclient -list-protocols | grep -qw $1
+ddclient -list-protocols | grep -vE 'cloudns|porkbun' | grep -qw $1
 
 if [ $? -gt 0 ]; then
     echo "Error: $1 is not a valid protocol, please choose from the supported list of protocols"
diff --git a/src/validators/ipv4-range-mask b/src/validators/ipv4-range-mask
new file mode 100755
index 000000000..7bb4539af
--- /dev/null
+++ b/src/validators/ipv4-range-mask
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# snippet from https://stackoverflow.com/questions/10768160/ip-address-converter
+ip2dec () {
+    local a b c d ip=$@
+    IFS=. read -r a b c d <<< "$ip"
+    printf '%d\n' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))"
+}
+
+error_exit() {
+  echo "Error: $1 is not a valid IPv4 address range or these IPs are not under /$2"
+  exit 1
+}
+
+# Check if address range is under the same netmask
+# -m - mask
+# -r - IP range in format x.x.x.x-y.y.y.y
+while getopts m:r: flag
+do
+    case "${flag}" in
+        m) mask=${OPTARG};;
+        r) range=${OPTARG}
+    esac
+done
+if [[ "${range}" =~ "-" ]]&&[[ ! -z ${mask} ]]; then
+  # This only works with real bash (<<<) - split IP addresses into array with
+  # hyphen as delimiter
+  readarray -d - -t strarr <<< ${range}
+
+  ipaddrcheck --is-ipv4-single ${strarr[0]}
+  if [ $? -gt 0 ]; then
+    error_exit ${range} ${mask}
+  fi
+
+  ipaddrcheck --is-ipv4-single ${strarr[1]}
+  if [ $? -gt 0 ]; then
+    error_exit ${range} ${mask}
+  fi
+
+  ${vyos_validators_dir}/numeric --range 0-32 ${mask} > /dev/null
+   if [ $? -ne 0 ]; then
+     error_exit ${range} ${mask}
+   fi
+
+  is_in_24=$( grepcidr ${strarr[0]}"/"${mask} <(echo ${strarr[1]}) )
+  if [ -z $is_in_24 ]; then
+    error_exit ${range} ${mask}
+  fi
+
+  start=$(ip2dec ${strarr[0]})
+  stop=$(ip2dec ${strarr[1]})
+  if [ $start -ge $stop ]; then
+    error_exit ${range} ${mask}
+  fi
+
+  exit 0
+fi
+
+error_exit ${range} ${mask}
diff --git a/src/validators/numeric-exclude b/src/validators/numeric-exclude
new file mode 100755
index 000000000..d693ad16d
--- /dev/null
+++ b/src/validators/numeric-exclude
@@ -0,0 +1,8 @@
+#!/bin/sh
+path=$(dirname "$0")
+num="${@: -1}"
+if [ "${num:0:1}" != "!" ]; then
+   ${path}/numeric $@
+else
+    ${path}/numeric ${@:1:$#-1} ${num:1}
+fi
\ No newline at end of file