1 files changed, 23 insertions, 16 deletions

diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index e74ce4ee4..85e586e1b 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -95,25 +95,32 @@
     </constraint>
   </properties>
 </leafNode>
-<leafNode name="connection-status">
+<node name="connection-status">
   <properties>
     <help>Connection status</help>
-    <completionHelp>
-      <list>dnat snat</list>
-    </completionHelp>
-    <valueHelp>
-      <format>dnat</format>
-      <description>Match connections that are subject to destination NAT</description>
-    </valueHelp>
-    <valueHelp>
-      <format>snat</format>
-      <description>Match connections that are subject to source NAT</description>
-    </valueHelp>
-    <constraint>
-      <regex>^(dnat|snat)$</regex>
-    </constraint>
   </properties>
-</leafNode>
+  <children>
+    <leafNode name="nat">
+      <properties>
+        <help>NAT connection status</help>
+        <completionHelp>
+          <list>destination source</list>
+        </completionHelp>
+        <valueHelp>
+          <format>destination</format>
+          <description>Match connections that are subject to destination NAT</description>
+        </valueHelp>
+        <valueHelp>
+          <format>source</format>
+          <description>Match connections that are subject to source NAT</description>
+        </valueHelp>
+        <constraint>
+          <regex>^(destination|source)$</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
 <leafNode name="protocol">
   <properties>
     <help>Protocol to match (protocol name, number, or "all")</help>