4 files changed, 48 insertions, 1 deletions

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index c8685a187..2ebce79e5 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -126,7 +126,7 @@
                     <description>Domain address to match</description>
                   </valueHelp>
                   <constraint>
-                    <regex>[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,99}?(\/.*)?</regex>
+                    <validator name="fqdn"/>
                   </constraint>
                   <multi/>
                 </properties>
@@ -408,6 +408,7 @@
                 </properties>
                 <children>
                   #include <include/firewall/address-ipv6.xml.i>
+                  #include <include/firewall/fqdn.xml.i>
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group-ipv6.xml.i>
                   #include <include/firewall/port.xml.i>
@@ -419,6 +420,7 @@
                 </properties>
                 <children>
                   #include <include/firewall/address-ipv6.xml.i>
+                  #include <include/firewall/fqdn.xml.i>
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group-ipv6.xml.i>
                   #include <include/firewall/port.xml.i>
@@ -572,6 +574,7 @@
                 </properties>
                 <children>
                   #include <include/firewall/address.xml.i>
+                  #include <include/firewall/fqdn.xml.i>
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group.xml.i>
                   #include <include/firewall/port.xml.i>
@@ -583,6 +586,7 @@
                 </properties>
                 <children>
                   #include <include/firewall/address.xml.i>
+                  #include <include/firewall/fqdn.xml.i>
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group.xml.i>
                   #include <include/firewall/port.xml.i>
@@ -656,6 +660,25 @@
         </properties>
         <defaultValue>disable</defaultValue>
       </leafNode>
+      <leafNode name="resolver-cache">
+        <properties>
+          <help>Retains last successful value if domain resolution fails</help>
+          <valueless/>
+        </properties>
+      </leafNode>
+      <leafNode name="resolver-interval">
+        <properties>
+          <help>Domain resolver update interval</help>
+          <valueHelp>
+            <format>u32:10-3600</format>
+            <description>Interval (seconds)</description>
+          </valueHelp>
+          <constraint>
+            <validator name="numeric" argument="--range 10-3600"/>
+          </constraint>
+        </properties>
+        <defaultValue>300</defaultValue>
+      </leafNode>
       <leafNode name="send-redirects">
         <properties>
           <help>Policy for sending IPv4 ICMP redirect messages</help>
diff --git a/interface-definitions/include/firewall/fqdn.xml.i b/interface-definitions/include/firewall/fqdn.xml.i
new file mode 100644
index 000000000..9eb3925b5
--- /dev/null
+++ b/interface-definitions/include/firewall/fqdn.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/fqdn.xml.i -->
+<leafNode name="fqdn">
+  <properties>
+    <help>Fully qualified domain name</help>
+    <valueHelp>
+      <format>&lt;fqdn&gt;</format>
+      <description>Fully qualified domain name</description>
+    </valueHelp>
+    <constraint>
+      <validator name="fqdn"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
index c2cc7edb3..2a42d236c 100644
--- a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
+++ b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
@@ -12,6 +12,14 @@
         </completionHelp>
       </properties>
     </leafNode>
+    <leafNode name="domain-group">
+      <properties>
+        <help>Group of domains</help>
+        <completionHelp>
+          <path>firewall group domain-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
     #include <include/firewall/mac-group.xml.i>
     <leafNode name="network-group">
       <properties>
diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i
index 84941aa6a..8f2029388 100644
--- a/interface-definitions/include/nat-rule.xml.i
+++ b/interface-definitions/include/nat-rule.xml.i
@@ -20,6 +20,7 @@
       <children>
         #include <include/nat-address.xml.i>
         #include <include/nat-port.xml.i>
+        #include <include/firewall/source-destination-group.xml.i>
       </children>
     </node>
     #include <include/generic-disable-node.xml.i>
@@ -285,6 +286,7 @@
       <children>
         #include <include/nat-address.xml.i>
         #include <include/nat-port.xml.i>
+        #include <include/firewall/source-destination-group.xml.i>
       </children>
     </node>
   </children>