From 4ae434d50337b6a1543176b0b86e938fc0663626 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Thu, 3 Nov 2022 17:39:19 +0100
Subject: xml: T4795: provide common and re-usable XML definitions for policy

Remove duplicated code and move to single-source of truth.
---
 interface-definitions/firewall.xml.in              |   2 +-
 .../include/firewall/common-rule.xml.i             |  17 +-
 .../include/firewall/mac-address.xml.i             |  18 +
 .../include/policy/route-common-rule-ipv6.xml.i    | 557 ---------------------
 .../include/policy/route-common-rule.xml.i         | 406 ---------------
 .../include/policy/route-common.xml.i              | 348 +++++++++++++
 .../include/policy/route-ipv4.xml.i                |  45 ++
 .../include/policy/route-ipv6.xml.i                | 196 ++++++++
 interface-definitions/policy-route.xml.in          |   6 +-
 9 files changed, 613 insertions(+), 982 deletions(-)
 create mode 100644 interface-definitions/include/firewall/mac-address.xml.i
 delete mode 100644 interface-definitions/include/policy/route-common-rule-ipv6.xml.i
 delete mode 100644 interface-definitions/include/policy/route-common-rule.xml.i
 create mode 100644 interface-definitions/include/policy/route-common.xml.i
 create mode 100644 interface-definitions/include/policy/route-ipv4.xml.i
 create mode 100644 interface-definitions/include/policy/route-ipv6.xml.i

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 673461036..c8685a187 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -218,7 +218,7 @@
                 <properties>
                   <help>Mac-group member</help>
                   <valueHelp>
-                    <format>&lt;MAC address&gt;</format>
+                    <format>macaddr</format>
                     <description>MAC address to match</description>
                   </valueHelp>
                   <constraint>
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index a4f66f5cb..75ad427f9 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -219,22 +219,7 @@
   <children>
     #include <include/firewall/address.xml.i>
     #include <include/firewall/source-destination-group.xml.i>
-    <leafNode name="mac-address">
-      <properties>
-        <help>Source MAC address</help>
-        <valueHelp>
-          <format>&lt;MAC address&gt;</format>
-          <description>MAC address to match</description>
-        </valueHelp>
-        <valueHelp>
-          <format>!&lt;MAC address&gt;</format>
-          <description>Match everything except the specified MAC address</description>
-        </valueHelp>
-        <constraint>
-          <validator name="mac-address-firewall"/>
-        </constraint>
-      </properties>
-    </leafNode>
+    #include <include/firewall/mac-address.xml.i>
     #include <include/firewall/port.xml.i>
   </children>
 </node>
diff --git a/interface-definitions/include/firewall/mac-address.xml.i b/interface-definitions/include/firewall/mac-address.xml.i
new file mode 100644
index 000000000..83aaf1ce1
--- /dev/null
+++ b/interface-definitions/include/firewall/mac-address.xml.i
@@ -0,0 +1,18 @@
+<!-- include start from firewall/mac-address.xml.i -->
+<leafNode name="mac-address">
+  <properties>
+    <help>MAC address</help>
+    <valueHelp>
+      <format>macaddr;</format>
+      <description>MAC address to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!macaddr</format>
+      <description>Match everything except the specified MAC address</description>
+    </valueHelp>
+    <constraint>
+      <validator name="mac-address-firewall"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
deleted file mode 100644
index 662206336..000000000
--- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
+++ /dev/null
@@ -1,557 +0,0 @@
-<!-- include start from policy/route-common-rule.xml.i -->
-#include <include/policy/route-rule-action.xml.i>
-#include <include/generic-description.xml.i>
-<leafNode name="disable">
-  <properties>
-    <help>Option to disable firewall rule</help>
-    <valueless/>
-  </properties>
-</leafNode>
-<node name="fragment">
-  <properties>
-    <help>IP fragment match</help>
-  </properties>
-  <children>
-    <leafNode name="match-frag">
-      <properties>
-        <help>Second and further fragments of fragmented packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="match-non-frag">
-      <properties>
-        <help>Head fragments or unfragmented packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="ipsec">
-  <properties>
-    <help>Inbound IPsec packets</help>
-  </properties>
-  <children>
-    <leafNode name="match-ipsec">
-      <properties>
-        <help>Inbound IPsec packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="match-none">
-      <properties>
-        <help>Inbound non-IPsec packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="limit">
-  <properties>
-    <help>Rate limit using a token bucket filter</help>
-  </properties>
-  <children>
-    <leafNode name="burst">
-      <properties>
-        <help>Maximum number of packets to allow in excess of rate</help>
-        <valueHelp>
-          <format>u32:0-4294967295</format>
-          <description>Maximum number of packets to allow in excess of rate</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-4294967295"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="rate">
-      <properties>
-        <help>Maximum average matching rate</help>
-        <valueHelp>
-          <format>u32:0-4294967295</format>
-          <description>Maximum average matching rate</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-4294967295"/>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<leafNode name="log">
-  <properties>
-    <help>Option to log packets matching rule</help>
-    <completionHelp>
-      <list>enable disable</list>
-    </completionHelp>
-    <valueHelp>
-      <format>enable</format>
-      <description>Enable log</description>
-    </valueHelp>
-    <valueHelp>
-      <format>disable</format>
-      <description>Disable log</description>
-    </valueHelp>
-    <constraint>
-      <regex>(enable|disable)</regex>
-    </constraint>
-  </properties>
-</leafNode>
-<leafNode name="protocol">
-  <properties>
-    <help>Protocol to match (protocol name, number, or "all")</help>
-    <completionHelp>
-      <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script>
-    </completionHelp>
-    <valueHelp>
-      <format>all</format>
-      <description>All IP protocols</description>
-    </valueHelp>
-    <valueHelp>
-      <format>tcp_udp</format>
-      <description>Both TCP and UDP</description>
-    </valueHelp>
-    <valueHelp>
-      <format>0-255</format>
-      <description>IP protocol number</description>
-    </valueHelp>
-    <valueHelp>
-      <format>!&lt;protocol&gt;</format>
-      <description>IP protocol number</description>
-    </valueHelp>
-    <constraint>
-      <validator name="ip-protocol"/>
-    </constraint>
-  </properties>
-  <defaultValue>all</defaultValue>
-</leafNode>
-<node name="recent">
-  <properties>
-    <help>Parameters for matching recently seen sources</help>
-  </properties>
-  <children>
-    <leafNode name="count">
-      <properties>
-        <help>Source addresses seen more than N times</help>
-        <valueHelp>
-          <format>u32:1-255</format>
-          <description>Source addresses seen more than N times</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-255"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="time">
-      <properties>
-        <help>Source addresses seen in the last N seconds</help>
-        <valueHelp>
-          <format>u32:0-4294967295</format>
-          <description>Source addresses seen in the last N seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-4294967295"/>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="set">
-  <properties>
-    <help>Packet modifications</help>
-  </properties>
-  <children>
-    <leafNode name="dscp">
-      <properties>
-        <help>Packet Differentiated Services Codepoint (DSCP)</help>
-        <valueHelp>
-          <format>u32:0-63</format>
-          <description>DSCP number</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-63"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="mark">
-      <properties>
-        <help>Packet marking</help>
-        <valueHelp>
-          <format>u32:1-2147483647</format>
-          <description>Packet marking</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-2147483647"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="table">
-      <properties>
-        <help>Routing table to forward packet with</help>
-        <valueHelp>
-          <format>u32:1-200</format>
-          <description>Table number</description>
-        </valueHelp>
-        <valueHelp>
-          <format>main</format>
-          <description>Main table</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-200"/>
-          <regex>(main)</regex>
-        </constraint>
-        <completionHelp>
-          <list>main</list>
-          <path>protocols static table</path>
-        </completionHelp>
-      </properties>
-    </leafNode>
-    <leafNode name="tcp-mss">
-      <properties>
-        <help>TCP Maximum Segment Size</help>
-        <valueHelp>
-          <format>u32:500-1460</format>
-          <description>Explicitly set TCP MSS value</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 500-1460"/>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="source">
-  <properties>
-    <help>Source parameters</help>
-  </properties>
-  <children>
-    #include <include/firewall/address-ipv6.xml.i>
-    #include <include/firewall/source-destination-group.xml.i>
-    <leafNode name="mac-address">
-      <properties>
-        <help>Source MAC address</help>
-        <valueHelp>
-          <format>&lt;MAC address&gt;</format>
-          <description>MAC address to match</description>
-        </valueHelp>
-        <valueHelp>
-          <format>!&lt;MAC address&gt;</format>
-          <description>Match everything except the specified MAC address</description>
-        </valueHelp>
-        <constraint>
-          <validator name="mac-address-firewall"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    #include <include/firewall/port.xml.i>
-  </children>
-</node>
-<node name="state">
-  <properties>
-    <help>Session state</help>
-  </properties>
-  <children>
-    <leafNode name="established">
-      <properties>
-        <help>Established state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="invalid">
-      <properties>
-        <help>Invalid state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="new">
-      <properties>
-        <help>New state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="related">
-      <properties>
-        <help>Related state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-#include <include/firewall/tcp-flags.xml.i>
-<node name="time">
-  <properties>
-    <help>Time to match rule</help>
-  </properties>
-  <children>
-    <leafNode name="monthdays">
-      <properties>
-        <help>Monthdays to match rule on</help>
-      </properties>
-    </leafNode>
-    <leafNode name="startdate">
-      <properties>
-        <help>Date to start matching rule</help>
-      </properties>
-    </leafNode>
-    <leafNode name="starttime">
-      <properties>
-        <help>Time of day to start matching rule</help>
-      </properties>
-    </leafNode>
-    <leafNode name="stopdate">
-      <properties>
-        <help>Date to stop matching rule</help>
-      </properties>
-    </leafNode>
-    <leafNode name="stoptime">
-      <properties>
-        <help>Time of day to stop matching rule</help>
-      </properties>
-    </leafNode>
-    <leafNode name="utc">
-      <properties>
-        <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="weekdays">
-      <properties>
-        <help>Weekdays to match rule on</help>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="icmpv6">
-  <properties>
-    <help>ICMPv6 type and code information</help>
-  </properties>
-  <children>
-    <leafNode name="type">
-      <properties>
-        <help>ICMP type-name</help>
-        <completionHelp>
-          <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply packet-too-big</list>
-        </completionHelp>
-        <valueHelp>
-          <format>any</format>
-          <description>Any ICMP type/code</description>
-        </valueHelp>
-        <valueHelp>
-          <format>echo-reply</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>pong</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>destination-unreachable</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>network-unreachable</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>host-unreachable</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>protocol-unreachable</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>port-unreachable</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>fragmentation-needed</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>source-route-failed</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>network-unknown</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>host-unknown</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>network-prohibited</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>host-prohibited</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>TOS-network-unreachable</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>TOS-host-unreachable</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>communication-prohibited</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>host-precedence-violation</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>precedence-cutoff</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>source-quench</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>redirect</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>network-redirect</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>host-redirect</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>TOS-network-redirect</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>TOS host-redirect</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>echo-request</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>ping</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>router-advertisement</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>router-solicitation</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>time-exceeded</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>ttl-exceeded</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>ttl-zero-during-transit</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>ttl-zero-during-reassembly</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>parameter-problem</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>ip-header-bad</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>required-option-missing</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>timestamp-request</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>timestamp-reply</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>address-mask-request</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>address-mask-reply</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <valueHelp>
-          <format>packet-too-big</format>
-          <description>ICMP type/code name</description>
-        </valueHelp>
-        <constraint>
-          <regex>(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply|packet-too-big)</regex>
-          <validator name="numeric" argument="--range 0-255"/>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<!-- include end -->
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
deleted file mode 100644
index 35fccca50..000000000
--- a/interface-definitions/include/policy/route-common-rule.xml.i
+++ /dev/null
@@ -1,406 +0,0 @@
-<!-- include start from policy/route-common-rule.xml.i -->
-#include <include/policy/route-rule-action.xml.i>
-#include <include/generic-description.xml.i>
-<leafNode name="disable">
-  <properties>
-    <help>Option to disable firewall rule</help>
-    <valueless/>
-  </properties>
-</leafNode>
-<node name="fragment">
-  <properties>
-    <help>IP fragment match</help>
-  </properties>
-  <children>
-    <leafNode name="match-frag">
-      <properties>
-        <help>Second and further fragments of fragmented packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="match-non-frag">
-      <properties>
-        <help>Head fragments or unfragmented packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="ipsec">
-  <properties>
-    <help>Inbound IPsec packets</help>
-  </properties>
-  <children>
-    <leafNode name="match-ipsec">
-      <properties>
-        <help>Inbound IPsec packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="match-none">
-      <properties>
-        <help>Inbound non-IPsec packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="limit">
-  <properties>
-    <help>Rate limit using a token bucket filter</help>
-  </properties>
-  <children>
-    <leafNode name="burst">
-      <properties>
-        <help>Maximum number of packets to allow in excess of rate</help>
-        <valueHelp>
-          <format>u32:0-4294967295</format>
-          <description>Maximum number of packets to allow in excess of rate</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-4294967295"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="rate">
-      <properties>
-        <help>Maximum average matching rate</help>
-        <valueHelp>
-          <format>u32:0-4294967295</format>
-          <description>Maximum average matching rate</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-4294967295"/>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<leafNode name="log">
-  <properties>
-    <help>Option to log packets matching rule</help>
-    <completionHelp>
-      <list>enable disable</list>
-    </completionHelp>
-    <valueHelp>
-      <format>enable</format>
-      <description>Enable log</description>
-    </valueHelp>
-    <valueHelp>
-      <format>disable</format>
-      <description>Disable log</description>
-    </valueHelp>
-    <constraint>
-      <regex>(enable|disable)</regex>
-    </constraint>
-  </properties>
-</leafNode>
-<leafNode name="protocol">
-  <properties>
-    <help>Protocol to match (protocol name, number, or "all")</help>
-    <completionHelp>
-      <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script>
-    </completionHelp>
-    <valueHelp>
-      <format>all</format>
-      <description>All IP protocols</description>
-    </valueHelp>
-    <valueHelp>
-      <format>tcp_udp</format>
-      <description>Both TCP and UDP</description>
-    </valueHelp>
-    <valueHelp>
-      <format>0-255</format>
-      <description>IP protocol number</description>
-    </valueHelp>
-    <valueHelp>
-      <format>!&lt;protocol&gt;</format>
-      <description>IP protocol number</description>
-    </valueHelp>
-    <constraint>
-      <validator name="ip-protocol"/>
-    </constraint>
-  </properties>
-  <defaultValue>all</defaultValue>
-</leafNode>
-<node name="recent">
-  <properties>
-    <help>Parameters for matching recently seen sources</help>
-  </properties>
-  <children>
-    <leafNode name="count">
-      <properties>
-        <help>Source addresses seen more than N times</help>
-        <valueHelp>
-          <format>u32:1-255</format>
-          <description>Source addresses seen more than N times</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-255"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="time">
-      <properties>
-        <help>Source addresses seen in the last N seconds</help>
-        <valueHelp>
-          <format>u32:0-4294967295</format>
-          <description>Source addresses seen in the last N seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-4294967295"/>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="set">
-  <properties>
-    <help>Packet modifications</help>
-  </properties>
-  <children>
-    <leafNode name="dscp">
-      <properties>
-        <help>Packet Differentiated Services Codepoint (DSCP)</help>
-        <valueHelp>
-          <format>u32:0-63</format>
-          <description>DSCP number</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-63"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="mark">
-      <properties>
-        <help>Packet marking</help>
-        <valueHelp>
-          <format>u32:1-2147483647</format>
-          <description>Packet marking</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-2147483647"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="table">
-      <properties>
-        <help>Routing table to forward packet with</help>
-        <valueHelp>
-          <format>u32:1-200</format>
-          <description>Table number</description>
-        </valueHelp>
-        <valueHelp>
-          <format>main</format>
-          <description>Main table</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-200"/>
-          <regex>(main)</regex>
-        </constraint>
-        <completionHelp>
-          <list>main</list>
-          <path>protocols static table</path>
-        </completionHelp>
-      </properties>
-    </leafNode>
-    <leafNode name="tcp-mss">
-      <properties>
-        <help>TCP Maximum Segment Size</help>
-        <valueHelp>
-          <format>u32:500-1460</format>
-          <description>Explicitly set TCP MSS value</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 500-1460"/>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="source">
-  <properties>
-    <help>Source parameters</help>
-  </properties>
-  <children>
-    #include <include/firewall/address.xml.i>
-    #include <include/firewall/source-destination-group.xml.i>
-    <leafNode name="mac-address">
-      <properties>
-        <help>Source MAC address</help>
-        <valueHelp>
-          <format>&lt;MAC address&gt;</format>
-          <description>MAC address to match</description>
-        </valueHelp>
-        <valueHelp>
-          <format>!&lt;MAC address&gt;</format>
-          <description>Match everything except the specified MAC address</description>
-        </valueHelp>
-        <constraint>
-          <validator name="mac-address-firewall"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    #include <include/firewall/port.xml.i>
-  </children>
-</node>
-<node name="state">
-  <properties>
-    <help>Session state</help>
-  </properties>
-  <children>
-    <leafNode name="established">
-      <properties>
-        <help>Established state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="invalid">
-      <properties>
-        <help>Invalid state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="new">
-      <properties>
-        <help>New state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="related">
-      <properties>
-        <help>Related state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-#include <include/firewall/tcp-flags.xml.i>
-<node name="time">
-  <properties>
-    <help>Time to match rule</help>
-  </properties>
-  <children>
-    <leafNode name="monthdays">
-      <properties>
-        <help>Monthdays to match rule on</help>
-      </properties>
-    </leafNode>
-    <leafNode name="startdate">
-      <properties>
-        <help>Date to start matching rule</help>
-      </properties>
-    </leafNode>
-    <leafNode name="starttime">
-      <properties>
-        <help>Time of day to start matching rule</help>
-      </properties>
-    </leafNode>
-    <leafNode name="stopdate">
-      <properties>
-        <help>Date to stop matching rule</help>
-      </properties>
-    </leafNode>
-    <leafNode name="stoptime">
-      <properties>
-        <help>Time of day to stop matching rule</help>
-      </properties>
-    </leafNode>
-    <leafNode name="utc">
-      <properties>
-        <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="weekdays">
-      <properties>
-        <help>Weekdays to match rule on</help>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="icmp">
-  <properties>
-    <help>ICMP type and code information</help>
-  </properties>
-  <children>
-    <leafNode name="code">
-      <properties>
-        <help>ICMP code (0-255)</help>
-        <valueHelp>
-          <format>u32:0-255</format>
-          <description>ICMP code (0-255)</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-255"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="type">
-      <properties>
-        <help>ICMP type (0-255)</help>
-        <valueHelp>
-          <format>u32:0-255</format>
-          <description>ICMP type (0-255)</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-255"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    #include <include/firewall/icmp-type-name.xml.i>
-  </children>
-</node>
-<!-- include end -->
diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i
new file mode 100644
index 000000000..8b959c2a4
--- /dev/null
+++ b/interface-definitions/include/policy/route-common.xml.i
@@ -0,0 +1,348 @@
+<!-- include start from policy/route-common.xml.i -->
+#include <include/policy/route-rule-action.xml.i>
+#include <include/generic-description.xml.i>
+<leafNode name="disable">
+  <properties>
+    <help>Option to disable firewall rule</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<node name="fragment">
+  <properties>
+    <help>IP fragment match</help>
+  </properties>
+  <children>
+    <leafNode name="match-frag">
+      <properties>
+        <help>Second and further fragments of fragmented packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-non-frag">
+      <properties>
+        <help>Head fragments or unfragmented packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="ipsec">
+  <properties>
+    <help>Inbound IPsec packets</help>
+  </properties>
+  <children>
+    <leafNode name="match-ipsec">
+      <properties>
+        <help>Inbound IPsec packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-none">
+      <properties>
+        <help>Inbound non-IPsec packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="limit">
+  <properties>
+    <help>Rate limit using a token bucket filter</help>
+  </properties>
+  <children>
+    <leafNode name="burst">
+      <properties>
+        <help>Maximum number of packets to allow in excess of rate</help>
+        <valueHelp>
+          <format>u32:0-4294967295</format>
+          <description>Maximum number of packets to allow in excess of rate</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967295"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="rate">
+      <properties>
+        <help>Maximum average matching rate</help>
+        <valueHelp>
+          <format>u32:0-4294967295</format>
+          <description>Maximum average matching rate</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967295"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<leafNode name="log">
+  <properties>
+    <help>Option to log packets matching rule</help>
+    <completionHelp>
+      <list>enable disable</list>
+    </completionHelp>
+    <valueHelp>
+      <format>enable</format>
+      <description>Enable log</description>
+    </valueHelp>
+    <valueHelp>
+      <format>disable</format>
+      <description>Disable log</description>
+    </valueHelp>
+    <constraint>
+      <regex>(enable|disable)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<leafNode name="protocol">
+  <properties>
+    <help>Protocol to match (protocol name, number, or "all")</help>
+    <completionHelp>
+      <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script>
+    </completionHelp>
+    <valueHelp>
+      <format>all</format>
+      <description>All IP protocols</description>
+    </valueHelp>
+    <valueHelp>
+      <format>tcp_udp</format>
+      <description>Both TCP and UDP</description>
+    </valueHelp>
+    <valueHelp>
+      <format>0-255</format>
+      <description>IP protocol number</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!&lt;protocol&gt;</format>
+      <description>IP protocol number</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ip-protocol"/>
+    </constraint>
+  </properties>
+  <defaultValue>all</defaultValue>
+</leafNode>
+<node name="recent">
+  <properties>
+    <help>Parameters for matching recently seen sources</help>
+  </properties>
+  <children>
+    <leafNode name="count">
+      <properties>
+        <help>Source addresses seen more than N times</help>
+        <valueHelp>
+          <format>u32:1-255</format>
+          <description>Source addresses seen more than N times</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="time">
+      <properties>
+        <help>Source addresses seen in the last N seconds</help>
+        <valueHelp>
+          <format>u32:0-4294967295</format>
+          <description>Source addresses seen in the last N seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967295"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="set">
+  <properties>
+    <help>Packet modifications</help>
+  </properties>
+  <children>
+    <leafNode name="dscp">
+      <properties>
+        <help>Packet Differentiated Services Codepoint (DSCP)</help>
+        <valueHelp>
+          <format>u32:0-63</format>
+          <description>DSCP number</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-63"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="mark">
+      <properties>
+        <help>Packet marking</help>
+        <valueHelp>
+          <format>u32:1-2147483647</format>
+          <description>Packet marking</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-2147483647"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="table">
+      <properties>
+        <help>Routing table to forward packet with</help>
+        <valueHelp>
+          <format>u32:1-200</format>
+          <description>Table number</description>
+        </valueHelp>
+        <valueHelp>
+          <format>main</format>
+          <description>Main table</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-200"/>
+          <regex>(main)</regex>
+        </constraint>
+        <completionHelp>
+          <list>main</list>
+          <path>protocols static table</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="tcp-mss">
+      <properties>
+        <help>TCP Maximum Segment Size</help>
+        <valueHelp>
+          <format>u32:500-1460</format>
+          <description>Explicitly set TCP MSS value</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 500-1460"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="state">
+  <properties>
+    <help>Session state</help>
+  </properties>
+  <children>
+    <leafNode name="established">
+      <properties>
+        <help>Established state</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="invalid">
+      <properties>
+        <help>Invalid state</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="new">
+      <properties>
+        <help>New state</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="related">
+      <properties>
+        <help>Related state</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+#include <include/firewall/tcp-flags.xml.i>
+<node name="time">
+  <properties>
+    <help>Time to match rule</help>
+  </properties>
+  <children>
+    <leafNode name="monthdays">
+      <properties>
+        <help>Monthdays to match rule on</help>
+      </properties>
+    </leafNode>
+    <leafNode name="startdate">
+      <properties>
+        <help>Date to start matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="starttime">
+      <properties>
+        <help>Time of day to start matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="stopdate">
+      <properties>
+        <help>Date to stop matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="stoptime">
+      <properties>
+        <help>Time of day to stop matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="utc">
+      <properties>
+        <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="weekdays">
+      <properties>
+        <help>Weekdays to match rule on</help>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/route-ipv4.xml.i b/interface-definitions/include/policy/route-ipv4.xml.i
new file mode 100644
index 000000000..1f717a1a4
--- /dev/null
+++ b/interface-definitions/include/policy/route-ipv4.xml.i
@@ -0,0 +1,45 @@
+<!-- include start from policy/route-ipv4.xml.i -->
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/address.xml.i>
+    #include <include/firewall/source-destination-group.xml.i>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/port.xml.i>
+  </children>
+</node>
+<node name="icmp">
+  <properties>
+    <help>ICMP type and code information</help>
+  </properties>
+  <children>
+    <leafNode name="code">
+      <properties>
+        <help>ICMP code (0-255)</help>
+        <valueHelp>
+          <format>u32:0-255</format>
+          <description>ICMP code (0-255)</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="type">
+      <properties>
+        <help>ICMP type (0-255)</help>
+        <valueHelp>
+          <format>u32:0-255</format>
+          <description>ICMP type (0-255)</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    #include <include/firewall/icmp-type-name.xml.i>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/route-ipv6.xml.i b/interface-definitions/include/policy/route-ipv6.xml.i
new file mode 100644
index 000000000..d636a654b
--- /dev/null
+++ b/interface-definitions/include/policy/route-ipv6.xml.i
@@ -0,0 +1,196 @@
+<!-- include start from policy/route-ipv6.xml.i -->
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/address-ipv6.xml.i>
+    #include <include/firewall/source-destination-group.xml.i>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/port.xml.i>
+  </children>
+</node>
+<node name="icmpv6">
+  <properties>
+    <help>ICMPv6 type and code information</help>
+  </properties>
+  <children>
+    <leafNode name="type">
+      <properties>
+        <help>ICMP type-name</help>
+        <completionHelp>
+          <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply packet-too-big</list>
+        </completionHelp>
+        <valueHelp>
+          <format>any</format>
+          <description>Any ICMP type/code</description>
+        </valueHelp>
+        <valueHelp>
+          <format>echo-reply</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>pong</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>destination-unreachable</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>network-unreachable</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>host-unreachable</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>protocol-unreachable</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>port-unreachable</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>fragmentation-needed</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>source-route-failed</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>network-unknown</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>host-unknown</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>network-prohibited</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>host-prohibited</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>TOS-network-unreachable</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>TOS-host-unreachable</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>communication-prohibited</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>host-precedence-violation</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>precedence-cutoff</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>source-quench</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>redirect</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>network-redirect</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>host-redirect</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>TOS-network-redirect</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>TOS host-redirect</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>echo-request</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ping</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>router-advertisement</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>router-solicitation</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>time-exceeded</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ttl-exceeded</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ttl-zero-during-transit</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ttl-zero-during-reassembly</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>parameter-problem</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ip-header-bad</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>required-option-missing</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>timestamp-request</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>timestamp-reply</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>address-mask-request</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>address-mask-reply</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>packet-too-big</format>
+          <description>ICMP type/code name</description>
+        </valueHelp>
+        <constraint>
+          <regex>(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply|packet-too-big)</regex>
+          <validator name="numeric" argument="--range 0-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in
index f480f3bd5..44b96c2e6 100644
--- a/interface-definitions/policy-route.xml.in
+++ b/interface-definitions/policy-route.xml.in
@@ -46,7 +46,8 @@
                   #include <include/firewall/port.xml.i>
                 </children>
               </node>
-              #include <include/policy/route-common-rule-ipv6.xml.i>
+              #include <include/policy/route-common.xml.i>
+              #include <include/policy/route-ipv6.xml.i>
               #include <include/firewall/dscp.xml.i>
               #include <include/firewall/packet-length.xml.i>
               #include <include/firewall/hop-limit.xml.i>
@@ -98,7 +99,8 @@
                   #include <include/firewall/port.xml.i>
                 </children>
               </node>
-              #include <include/policy/route-common-rule.xml.i>
+              #include <include/policy/route-common.xml.i>
+              #include <include/policy/route-ipv4.xml.i>
               #include <include/firewall/dscp.xml.i>
               #include <include/firewall/packet-length.xml.i>
               #include <include/firewall/ttl.xml.i>
-- 
cgit v1.2.3