From a950059053f7394acfb453cc0d8194aa3dc721fa Mon Sep 17 00:00:00 2001
From: kumvijaya <kuvmijaya@gmail.com>
Date: Thu, 26 Sep 2024 11:31:07 +0530
Subject: T6732: added same as vyos 1x

---
 .../firewall/action-accept-drop-reject.xml.i       |  25 ++
 .../include/firewall/action-and-notrack.xml.i      |  45 +++
 .../include/firewall/action-forward.xml.i          |  49 +++
 .../include/firewall/action-l2.xml.i               |  37 +++
 .../include/firewall/action.xml.i                  |  49 +++
 .../include/firewall/add-addr-to-group-ipv4.xml.i  |  25 ++
 .../include/firewall/add-addr-to-group-ipv6.xml.i  |  25 ++
 .../firewall/add-dynamic-address-groups.xml.i      |  34 ++
 .../firewall/add-dynamic-ipv6-address-groups.xml.i |  34 ++
 .../include/firewall/address-inet.xml.i            |  63 ++++
 .../include/firewall/address-ipv6.xml.i            |  37 +++
 .../include/firewall/address-mask-inet.xml.i       |  19 ++
 .../include/firewall/address-mask-ipv6.xml.i       |  14 +
 .../include/firewall/address-mask.xml.i            |  14 +
 .../include/firewall/address.xml.i                 |  39 +++
 .../include/firewall/bridge-custom-name.xml.i      |  45 +++
 .../include/firewall/bridge-hook-forward.xml.i     |  41 +++
 .../include/firewall/bridge-hook-input.xml.i       |  40 +++
 .../include/firewall/bridge-hook-output.xml.i      |  40 +++
 .../include/firewall/bridge-hook-prerouting.xml.i  |  37 +++
 .../include/firewall/common-rule-bridge.xml.i      |  55 ++++
 .../include/firewall/common-rule-inet.xml.i        |  24 ++
 .../include/firewall/common-rule-ipv4-raw.xml.i    |  47 +++
 .../include/firewall/common-rule-ipv4.xml.i        |  44 +++
 .../include/firewall/common-rule-ipv6-raw.xml.i    |  49 +++
 .../include/firewall/common-rule-ipv6.xml.i        |  44 +++
 .../include/firewall/connection-mark.xml.i         |  15 +
 .../include/firewall/connection-status.xml.i       |  28 ++
 .../include/firewall/conntrack-helper.xml.i        |  46 +++
 .../firewall/default-action-base-chains.xml.i      |  22 ++
 .../include/firewall/default-action-bridge.xml.i   |  34 ++
 .../include/firewall/default-action.xml.i          |  38 +++
 .../include/firewall/default-log.xml.i             |   8 +
 interface-definitions/include/firewall/dscp.xml.i  |  36 ++
 interface-definitions/include/firewall/eq.xml.i    |  14 +
 .../firewall/firewall-hashing-parameters.xml.i     |  35 ++
 .../include/firewall/firewall-mark.xml.i           |  26 ++
 interface-definitions/include/firewall/fqdn.xml.i  |  14 +
 .../include/firewall/fragment.xml.i                |  21 ++
 .../include/firewall/fwmark.xml.i                  |  14 +
 interface-definitions/include/firewall/geoip.xml.i |  28 ++
 .../include/firewall/global-options.xml.i          | 366 +++++++++++++++++++++
 interface-definitions/include/firewall/gre.xml.i   | 116 +++++++
 interface-definitions/include/firewall/gt.xml.i    |  14 +
 .../include/firewall/hop-limit.xml.i               |  12 +
 .../include/firewall/icmp-type-name.xml.i          |  73 ++++
 interface-definitions/include/firewall/icmp.xml.i  |  34 ++
 .../include/firewall/icmpv6-type-name.xml.i        |  85 +++++
 .../include/firewall/icmpv6.xml.i                  |  34 ++
 .../firewall/inbound-interface-no-group.xml.i      |  34 ++
 .../include/firewall/inbound-interface.xml.i       |  10 +
 .../include/firewall/ipv4-custom-name.xml.i        |  43 +++
 .../include/firewall/ipv4-hook-forward.xml.i       |  40 +++
 .../include/firewall/ipv4-hook-input.xml.i         |  37 +++
 .../include/firewall/ipv4-hook-output.xml.i        |  65 ++++
 .../include/firewall/ipv4-hook-prerouting.xml.i    |  52 +++
 .../include/firewall/ipv6-custom-name.xml.i        |  43 +++
 .../include/firewall/ipv6-hook-forward.xml.i       |  40 +++
 .../include/firewall/ipv6-hook-input.xml.i         |  37 +++
 .../include/firewall/ipv6-hook-output.xml.i        |  65 ++++
 .../include/firewall/ipv6-hook-prerouting.xml.i    |  52 +++
 interface-definitions/include/firewall/limit.xml.i |  33 ++
 .../include/firewall/log-options.xml.i             |  89 +++++
 interface-definitions/include/firewall/log.xml.i   |   8 +
 interface-definitions/include/firewall/lt.xml.i    |  14 +
 .../include/firewall/mac-address.xml.i             |  19 ++
 .../include/firewall/mac-group.xml.i               |  10 +
 .../include/firewall/match-ether-type.xml.i        |  30 ++
 .../include/firewall/match-interface.xml.i         |  43 +++
 .../include/firewall/match-ipsec-in.xml.i          |  21 ++
 .../include/firewall/match-ipsec-out.xml.i         |  21 ++
 .../include/firewall/match-ipsec.xml.i             |  33 ++
 .../include/firewall/match-vlan.xml.i              |  42 +++
 interface-definitions/include/firewall/name.xml.i  |  18 +
 .../include/firewall/nat-balance.xml.i             |  28 ++
 .../include/firewall/nft-queue.xml.i               |  34 ++
 .../include/firewall/offload-target.xml.i          |  10 +
 .../firewall/outbound-interface-no-group.xml.i     |  34 ++
 .../include/firewall/outbound-interface.xml.i      |  10 +
 .../include/firewall/packet-options.xml.i          |  63 ++++
 interface-definitions/include/firewall/port.xml.i  |  26 ++
 .../include/firewall/protocol.xml.i                |  34 ++
 .../include/firewall/recent.xml.i                  |  44 +++
 .../include/firewall/rule-log-level.xml.i          |  45 +++
 .../firewall/set-packet-modifications.xml.i        |  96 ++++++
 .../source-destination-dynamic-group-ipv6.xml.i    |  17 +
 .../source-destination-dynamic-group.xml.i         |  17 +
 .../firewall/source-destination-group-inet.xml.i   |  50 +++
 .../firewall/source-destination-group-ipv4.xml.i   |  41 +++
 .../firewall/source-destination-group-ipv6.xml.i   |  42 +++
 .../firewall/source-destination-group.xml.i        |  42 +++
 interface-definitions/include/firewall/state.xml.i |  30 ++
 .../include/firewall/synproxy.xml.i                |  40 +++
 .../include/firewall/tcp-flags.xml.i               | 119 +++++++
 .../include/firewall/tcp-mss.xml.i                 |  25 ++
 interface-definitions/include/firewall/time.xml.i  |  70 ++++
 .../firewall/timeout-common-protocols.xml.i        | 171 ++++++++++
 interface-definitions/include/firewall/ttl.xml.i   |  12 +
 98 files changed, 4087 insertions(+)
 create mode 100644 interface-definitions/include/firewall/action-accept-drop-reject.xml.i
 create mode 100644 interface-definitions/include/firewall/action-and-notrack.xml.i
 create mode 100644 interface-definitions/include/firewall/action-forward.xml.i
 create mode 100644 interface-definitions/include/firewall/action-l2.xml.i
 create mode 100644 interface-definitions/include/firewall/action.xml.i
 create mode 100644 interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i
 create mode 100644 interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i
 create mode 100644 interface-definitions/include/firewall/add-dynamic-address-groups.xml.i
 create mode 100644 interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i
 create mode 100644 interface-definitions/include/firewall/address-inet.xml.i
 create mode 100644 interface-definitions/include/firewall/address-ipv6.xml.i
 create mode 100644 interface-definitions/include/firewall/address-mask-inet.xml.i
 create mode 100644 interface-definitions/include/firewall/address-mask-ipv6.xml.i
 create mode 100644 interface-definitions/include/firewall/address-mask.xml.i
 create mode 100644 interface-definitions/include/firewall/address.xml.i
 create mode 100644 interface-definitions/include/firewall/bridge-custom-name.xml.i
 create mode 100644 interface-definitions/include/firewall/bridge-hook-forward.xml.i
 create mode 100644 interface-definitions/include/firewall/bridge-hook-input.xml.i
 create mode 100644 interface-definitions/include/firewall/bridge-hook-output.xml.i
 create mode 100644 interface-definitions/include/firewall/bridge-hook-prerouting.xml.i
 create mode 100644 interface-definitions/include/firewall/common-rule-bridge.xml.i
 create mode 100644 interface-definitions/include/firewall/common-rule-inet.xml.i
 create mode 100644 interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
 create mode 100644 interface-definitions/include/firewall/common-rule-ipv4.xml.i
 create mode 100644 interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i
 create mode 100644 interface-definitions/include/firewall/common-rule-ipv6.xml.i
 create mode 100644 interface-definitions/include/firewall/connection-mark.xml.i
 create mode 100644 interface-definitions/include/firewall/connection-status.xml.i
 create mode 100644 interface-definitions/include/firewall/conntrack-helper.xml.i
 create mode 100644 interface-definitions/include/firewall/default-action-base-chains.xml.i
 create mode 100644 interface-definitions/include/firewall/default-action-bridge.xml.i
 create mode 100644 interface-definitions/include/firewall/default-action.xml.i
 create mode 100644 interface-definitions/include/firewall/default-log.xml.i
 create mode 100644 interface-definitions/include/firewall/dscp.xml.i
 create mode 100644 interface-definitions/include/firewall/eq.xml.i
 create mode 100644 interface-definitions/include/firewall/firewall-hashing-parameters.xml.i
 create mode 100644 interface-definitions/include/firewall/firewall-mark.xml.i
 create mode 100644 interface-definitions/include/firewall/fqdn.xml.i
 create mode 100644 interface-definitions/include/firewall/fragment.xml.i
 create mode 100644 interface-definitions/include/firewall/fwmark.xml.i
 create mode 100644 interface-definitions/include/firewall/geoip.xml.i
 create mode 100644 interface-definitions/include/firewall/global-options.xml.i
 create mode 100644 interface-definitions/include/firewall/gre.xml.i
 create mode 100644 interface-definitions/include/firewall/gt.xml.i
 create mode 100644 interface-definitions/include/firewall/hop-limit.xml.i
 create mode 100644 interface-definitions/include/firewall/icmp-type-name.xml.i
 create mode 100644 interface-definitions/include/firewall/icmp.xml.i
 create mode 100644 interface-definitions/include/firewall/icmpv6-type-name.xml.i
 create mode 100644 interface-definitions/include/firewall/icmpv6.xml.i
 create mode 100644 interface-definitions/include/firewall/inbound-interface-no-group.xml.i
 create mode 100644 interface-definitions/include/firewall/inbound-interface.xml.i
 create mode 100644 interface-definitions/include/firewall/ipv4-custom-name.xml.i
 create mode 100644 interface-definitions/include/firewall/ipv4-hook-forward.xml.i
 create mode 100644 interface-definitions/include/firewall/ipv4-hook-input.xml.i
 create mode 100644 interface-definitions/include/firewall/ipv4-hook-output.xml.i
 create mode 100644 interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
 create mode 100644 interface-definitions/include/firewall/ipv6-custom-name.xml.i
 create mode 100644 interface-definitions/include/firewall/ipv6-hook-forward.xml.i
 create mode 100644 interface-definitions/include/firewall/ipv6-hook-input.xml.i
 create mode 100644 interface-definitions/include/firewall/ipv6-hook-output.xml.i
 create mode 100644 interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i
 create mode 100644 interface-definitions/include/firewall/limit.xml.i
 create mode 100644 interface-definitions/include/firewall/log-options.xml.i
 create mode 100644 interface-definitions/include/firewall/log.xml.i
 create mode 100644 interface-definitions/include/firewall/lt.xml.i
 create mode 100644 interface-definitions/include/firewall/mac-address.xml.i
 create mode 100644 interface-definitions/include/firewall/mac-group.xml.i
 create mode 100644 interface-definitions/include/firewall/match-ether-type.xml.i
 create mode 100644 interface-definitions/include/firewall/match-interface.xml.i
 create mode 100644 interface-definitions/include/firewall/match-ipsec-in.xml.i
 create mode 100644 interface-definitions/include/firewall/match-ipsec-out.xml.i
 create mode 100644 interface-definitions/include/firewall/match-ipsec.xml.i
 create mode 100644 interface-definitions/include/firewall/match-vlan.xml.i
 create mode 100644 interface-definitions/include/firewall/name.xml.i
 create mode 100644 interface-definitions/include/firewall/nat-balance.xml.i
 create mode 100644 interface-definitions/include/firewall/nft-queue.xml.i
 create mode 100644 interface-definitions/include/firewall/offload-target.xml.i
 create mode 100644 interface-definitions/include/firewall/outbound-interface-no-group.xml.i
 create mode 100644 interface-definitions/include/firewall/outbound-interface.xml.i
 create mode 100644 interface-definitions/include/firewall/packet-options.xml.i
 create mode 100644 interface-definitions/include/firewall/port.xml.i
 create mode 100644 interface-definitions/include/firewall/protocol.xml.i
 create mode 100644 interface-definitions/include/firewall/recent.xml.i
 create mode 100644 interface-definitions/include/firewall/rule-log-level.xml.i
 create mode 100644 interface-definitions/include/firewall/set-packet-modifications.xml.i
 create mode 100644 interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i
 create mode 100644 interface-definitions/include/firewall/source-destination-dynamic-group.xml.i
 create mode 100644 interface-definitions/include/firewall/source-destination-group-inet.xml.i
 create mode 100644 interface-definitions/include/firewall/source-destination-group-ipv4.xml.i
 create mode 100644 interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
 create mode 100644 interface-definitions/include/firewall/source-destination-group.xml.i
 create mode 100644 interface-definitions/include/firewall/state.xml.i
 create mode 100644 interface-definitions/include/firewall/synproxy.xml.i
 create mode 100644 interface-definitions/include/firewall/tcp-flags.xml.i
 create mode 100644 interface-definitions/include/firewall/tcp-mss.xml.i
 create mode 100644 interface-definitions/include/firewall/time.xml.i
 create mode 100644 interface-definitions/include/firewall/timeout-common-protocols.xml.i
 create mode 100644 interface-definitions/include/firewall/ttl.xml.i

(limited to 'interface-definitions/include/firewall')

diff --git a/interface-definitions/include/firewall/action-accept-drop-reject.xml.i b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i
new file mode 100644
index 0000000..7fd5231
--- /dev/null
+++ b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/action-accept-drop-reject.xml.i -->
+<leafNode name="action">
+  <properties>
+    <help>Action for packets</help>
+    <completionHelp>
+      <list>accept drop reject</list>
+    </completionHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Action to accept</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Action to drop</description>
+    </valueHelp>
+    <valueHelp>
+      <format>reject</format>
+      <description>Action to reject</description>
+    </valueHelp>
+    <constraint>
+      <regex>(accept|drop|reject)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i
new file mode 100644
index 0000000..de11f7d
--- /dev/null
+++ b/interface-definitions/include/firewall/action-and-notrack.xml.i
@@ -0,0 +1,45 @@
+<!-- include start from firewall/action-and-notrack.xml.i -->
+<leafNode name="action">
+  <properties>
+    <help>Rule action</help>
+    <completionHelp>
+      <list>accept continue jump notrack reject return drop queue</list>
+    </completionHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>reject</format>
+      <description>Reject matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>queue</format>
+      <description>Enqueue packet to userspace</description>
+    </valueHelp>
+    <valueHelp>
+      <format>notrack</format>
+      <description>Ignore connection tracking</description>
+    </valueHelp>
+    <constraint>
+      <regex>(accept|continue|jump|notrack|reject|return|drop|queue)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action-forward.xml.i b/interface-definitions/include/firewall/action-forward.xml.i
new file mode 100644
index 0000000..4e59f3c
--- /dev/null
+++ b/interface-definitions/include/firewall/action-forward.xml.i
@@ -0,0 +1,49 @@
+<!-- include start from firewall/action-forward.xml.i -->
+<leafNode name="action">
+  <properties>
+    <help>Rule action</help>
+    <completionHelp>
+      <list>accept continue jump reject return drop queue offload synproxy</list>
+    </completionHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>reject</format>
+      <description>Reject matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>queue</format>
+      <description>Enqueue packet to userspace</description>
+    </valueHelp>
+    <valueHelp>
+      <format>offload</format>
+      <description>Offload packet via flowtable</description>
+    </valueHelp>
+    <valueHelp>
+      <format>synproxy</format>
+      <description>Synproxy connections</description>
+    </valueHelp>
+    <constraint>
+      <regex>(accept|continue|jump|reject|return|drop|queue|offload|synproxy)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action-l2.xml.i b/interface-definitions/include/firewall/action-l2.xml.i
new file mode 100644
index 0000000..84af576
--- /dev/null
+++ b/interface-definitions/include/firewall/action-l2.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/action.xml.i -->
+<leafNode name="action">
+  <properties>
+    <help>Rule action</help>
+    <completionHelp>
+      <list>accept continue jump return drop queue</list>
+    </completionHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>queue</format>
+      <description>Enqueue packet to userspace</description>
+    </valueHelp>
+    <constraint>
+      <regex>(accept|continue|jump|return|drop|queue)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
new file mode 100644
index 0000000..e1f0c6c
--- /dev/null
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -0,0 +1,49 @@
+<!-- include start from firewall/action.xml.i -->
+<leafNode name="action">
+  <properties>
+    <help>Rule action</help>
+    <completionHelp>
+      <list>accept continue jump reject return drop queue offload synproxy</list>
+    </completionHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>reject</format>
+      <description>Reject matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>queue</format>
+      <description>Enqueue packet to userspace</description>
+    </valueHelp>
+    <valueHelp>
+      <format>offload</format>
+      <description>Offload packet via flowtable</description>
+    </valueHelp>
+    <valueHelp>
+      <format>synproxy</format>
+      <description>Synproxy connections</description>
+    </valueHelp>
+    <constraint>
+      <regex>(accept|continue|jump|reject|return|drop|queue|offload|synproxy)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i b/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i
new file mode 100644
index 0000000..a47cadd
--- /dev/null
+++ b/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/add-addr-to-group-ipv4.xml.i -->
+<node name="add-address-to-group">
+  <properties>
+    <help>Add ip address to dynamic address-group</help>
+  </properties>
+  <children>
+    <node name="source-address">
+      <properties>
+        <help>Add source ip addresses to dynamic address-group</help>
+      </properties>
+      <children>
+        #include <include/firewall/add-dynamic-address-groups.xml.i>
+      </children>
+    </node>
+    <node name="destination-address">
+      <properties>
+        <help>Add destination ip addresses to dynamic address-group</help>
+      </properties>
+      <children>
+        #include <include/firewall/add-dynamic-address-groups.xml.i>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i b/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i
new file mode 100644
index 0000000..2cb0774
--- /dev/null
+++ b/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/add-addr-to-group-ipv6.xml.i -->
+<node name="add-address-to-group">
+  <properties>
+    <help>Add ipv6 address to dynamic ipv6-address-group</help>
+  </properties>
+  <children>
+    <node name="source-address">
+      <properties>
+        <help>Add source ipv6 addresses to dynamic ipv6-address-group</help>
+      </properties>
+      <children>
+        #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
+      </children>
+    </node>
+    <node name="destination-address">
+      <properties>
+        <help>Add destination ipv6 addresses to dynamic ipv6-address-group</help>
+      </properties>
+      <children>
+        #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/add-dynamic-address-groups.xml.i b/interface-definitions/include/firewall/add-dynamic-address-groups.xml.i
new file mode 100644
index 0000000..769761c
--- /dev/null
+++ b/interface-definitions/include/firewall/add-dynamic-address-groups.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/add-dynamic-address-groups.xml.i -->
+<leafNode name="address-group">
+  <properties>
+    <help>Dynamic address-group</help>
+    <completionHelp>
+      <path>firewall group dynamic-group address-group</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<leafNode name="timeout">
+  <properties>
+    <help>Set timeout</help>
+    <valueHelp>
+      <format>&lt;number&gt;s</format>
+      <description>Timeout value in seconds</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;number&gt;m</format>
+      <description>Timeout value in minutes</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;number&gt;h</format>
+      <description>Timeout value in hours</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;number&gt;d</format>
+      <description>Timeout value in days</description>
+    </valueHelp>
+    <constraint>
+      <regex>\d+(s|m|h|d)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i b/interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i
new file mode 100644
index 0000000..7bd91c5
--- /dev/null
+++ b/interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/add-dynamic-ipv6-address-groups.xml.i -->
+<leafNode name="address-group">
+  <properties>
+    <help>Dynamic ipv6-address-group</help>
+    <completionHelp>
+      <path>firewall group dynamic-group ipv6-address-group</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<leafNode name="timeout">
+  <properties>
+    <help>Set timeout</help>
+    <valueHelp>
+      <format>&lt;number&gt;s</format>
+      <description>Timeout value in seconds</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;number&gt;m</format>
+      <description>Timeout value in minutes</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;number&gt;h</format>
+      <description>Timeout value in hours</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;number&gt;d</format>
+      <description>Timeout value in days</description>
+    </valueHelp>
+    <constraint>
+      <regex>\d+(s|m|h|d)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/address-inet.xml.i b/interface-definitions/include/firewall/address-inet.xml.i
new file mode 100644
index 0000000..02ed8f6
--- /dev/null
+++ b/interface-definitions/include/firewall/address-inet.xml.i
@@ -0,0 +1,63 @@
+<!-- include start from firewall/address-inet.xml.i -->
+<leafNode name="address">
+  <properties>
+    <help>IP address, subnet, or range</help>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IPv4 address to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv4net</format>
+      <description>IPv4 prefix to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv4range</format>
+      <description>IPv4 address range to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv4</format>
+      <description>Match everything except the specified address</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv4net</format>
+      <description>Match everything except the specified prefix</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv4range</format>
+      <description>Match everything except the specified range</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv6net</format>
+      <description>Subnet to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv6range</format>
+      <description>IP range to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv6</format>
+      <description>Match everything except the specified address</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv6net</format>
+      <description>Match everything except the specified prefix</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv6range</format>
+      <description>Match everything except the specified range</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv4-address"/>
+      <validator name="ipv4-prefix"/>
+      <validator name="ipv4-range"/>
+      <validator name="ipv4-address-exclude"/>
+      <validator name="ipv4-prefix-exclude"/>
+      <validator name="ipv4-range-exclude"/>
+      <validator name="ipv6"/>
+      <validator name="ipv6-exclude"/>
+      <validator name="ipv6-range"/>
+      <validator name="ipv6-range-exclude"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/address-ipv6.xml.i b/interface-definitions/include/firewall/address-ipv6.xml.i
new file mode 100644
index 0000000..fa60c0c
--- /dev/null
+++ b/interface-definitions/include/firewall/address-ipv6.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/address-ipv6.xml.i -->
+<leafNode name="address">
+  <properties>
+    <help>IP address, subnet, or range</help>
+    <valueHelp>
+      <format>ipv6</format>
+      <description>IP address to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv6net</format>
+      <description>Subnet to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv6range</format>
+      <description>IP range to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv6</format>
+      <description>Match everything except the specified address</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv6net</format>
+      <description>Match everything except the specified prefix</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv6range</format>
+      <description>Match everything except the specified range</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv6"/>
+      <validator name="ipv6-exclude"/>
+      <validator name="ipv6-range"/>
+      <validator name="ipv6-range-exclude"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/address-mask-inet.xml.i b/interface-definitions/include/firewall/address-mask-inet.xml.i
new file mode 100644
index 0000000..e2a5927
--- /dev/null
+++ b/interface-definitions/include/firewall/address-mask-inet.xml.i
@@ -0,0 +1,19 @@
+<!-- include start from firewall/address-mask-inet.xml.i -->
+<leafNode name="address-mask">
+  <properties>
+    <help>IP mask</help>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IPv4 mask to apply</description>
+    </valueHelp>
+     <valueHelp>
+      <format>ipv6</format>
+      <description>IP mask to apply</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv4-address"/>
+      <validator name="ipv6"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/address-mask-ipv6.xml.i b/interface-definitions/include/firewall/address-mask-ipv6.xml.i
new file mode 100644
index 0000000..8c04832
--- /dev/null
+++ b/interface-definitions/include/firewall/address-mask-ipv6.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/address-mask-ipv6.xml.i -->
+<leafNode name="address-mask">
+  <properties>
+    <help>IP mask</help>
+    <valueHelp>
+      <format>ipv6</format>
+      <description>IP mask to apply</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv6"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/address-mask.xml.i b/interface-definitions/include/firewall/address-mask.xml.i
new file mode 100644
index 0000000..7f6f17d
--- /dev/null
+++ b/interface-definitions/include/firewall/address-mask.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/address-mask.xml.i -->
+<leafNode name="address-mask">
+  <properties>
+    <help>IP mask</help>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IPv4 mask to apply</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv4-address"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/address.xml.i b/interface-definitions/include/firewall/address.xml.i
new file mode 100644
index 0000000..2e1bde5
--- /dev/null
+++ b/interface-definitions/include/firewall/address.xml.i
@@ -0,0 +1,39 @@
+<!-- include start from firewall/address.xml.i -->
+<leafNode name="address">
+  <properties>
+    <help>IP address, subnet, or range</help>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IPv4 address to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv4net</format>
+      <description>IPv4 prefix to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv4range</format>
+      <description>IPv4 address range to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv4</format>
+      <description>Match everything except the specified address</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv4net</format>
+      <description>Match everything except the specified prefix</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!ipv4range</format>
+      <description>Match everything except the specified range</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv4-address"/>
+      <validator name="ipv4-prefix"/>
+      <validator name="ipv4-range"/>
+      <validator name="ipv4-address-exclude"/>
+      <validator name="ipv4-prefix-exclude"/>
+      <validator name="ipv4-range-exclude"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/bridge-custom-name.xml.i b/interface-definitions/include/firewall/bridge-custom-name.xml.i
new file mode 100644
index 0000000..9a2a829
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-custom-name.xml.i
@@ -0,0 +1,45 @@
+<!-- include start from firewall/bridge-custom-name.xml.i -->
+<tagNode name="name">
+  <properties>
+    <help>Bridge custom firewall</help>
+    <constraint>
+      <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+    </constraint>
+  </properties>
+  <children>
+    #include <include/firewall/default-action.xml.i>
+    #include <include/firewall/default-log.xml.i>
+    #include <include/generic-description.xml.i>
+    <leafNode name="default-jump-target">
+      <properties>
+        <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+        <completionHelp>
+          <path>firewall bridge name</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <tagNode name="rule">
+      <properties>
+        <help>Bridge Firewall forward filter rule number</help>
+        <valueHelp>
+          <format>u32:1-999999</format>
+          <description>Number for this firewall rule</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-999999"/>
+        </constraint>
+        <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+      </properties>
+      <children>
+        #include <include/firewall/common-rule-bridge.xml.i>
+        #include <include/firewall/action-l2.xml.i>
+        #include <include/firewall/connection-mark.xml.i>
+        #include <include/firewall/connection-status.xml.i>
+        #include <include/firewall/state.xml.i>
+        #include <include/firewall/inbound-interface.xml.i>
+        #include <include/firewall/outbound-interface.xml.i>
+      </children>
+    </tagNode>
+  </children>
+</tagNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/bridge-hook-forward.xml.i b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
new file mode 100644
index 0000000..fcc9819
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/bridge-hook-forward.xml.i -->
+<node name="forward">
+  <properties>
+    <help>Bridge forward firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>Bridge firewall forward filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>Bridge Firewall forward filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-bridge.xml.i>
+            #include <include/firewall/action-l2.xml.i>
+            #include <include/firewall/connection-mark.xml.i>
+            #include <include/firewall/connection-status.xml.i>
+            #include <include/firewall/state.xml.i>
+            #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/outbound-interface.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/bridge-hook-input.xml.i b/interface-definitions/include/firewall/bridge-hook-input.xml.i
new file mode 100644
index 0000000..f6a11f8
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-hook-input.xml.i
@@ -0,0 +1,40 @@
+<!-- include start from firewall/bridge-hook-input.xml.i -->
+<node name="input">
+  <properties>
+    <help>Bridge input firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>Bridge firewall input filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>Bridge Firewall input filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-bridge.xml.i>
+            #include <include/firewall/action-l2.xml.i>
+            #include <include/firewall/connection-mark.xml.i>
+            #include <include/firewall/connection-status.xml.i>
+            #include <include/firewall/state.xml.i>
+            #include <include/firewall/inbound-interface.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/bridge-hook-output.xml.i b/interface-definitions/include/firewall/bridge-hook-output.xml.i
new file mode 100644
index 0000000..38b8b08
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-hook-output.xml.i
@@ -0,0 +1,40 @@
+<!-- include start from firewall/bridge-hook-output.xml.i -->
+<node name="output">
+  <properties>
+    <help>Bridge output firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>Bridge firewall output filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>Bridge Firewall output filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-bridge.xml.i>
+            #include <include/firewall/action-l2.xml.i>
+            #include <include/firewall/connection-mark.xml.i>
+            #include <include/firewall/connection-status.xml.i>
+            #include <include/firewall/state.xml.i>
+            #include <include/firewall/outbound-interface.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i b/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i
new file mode 100644
index 0000000..ea56764
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/bridge-hook-prerouting.xml.i -->
+<node name="prerouting">
+  <properties>
+    <help>Bridge prerouting firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>Bridge firewall prerouting filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>Bridge firewall prerouting filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-bridge.xml.i>
+            #include <include/firewall/action-and-notrack.xml.i>
+            #include <include/firewall/inbound-interface.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
new file mode 100644
index 0000000..80088bb
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -0,0 +1,55 @@
+<!-- include start from firewall/common-rule-bridge.xml.i -->
+#include <include/generic-description.xml.i>
+#include <include/generic-disable-node.xml.i>
+#include <include/firewall/dscp.xml.i>
+#include <include/firewall/firewall-mark.xml.i>
+#include <include/firewall/fragment.xml.i>
+#include <include/firewall/hop-limit.xml.i>
+#include <include/firewall/icmp.xml.i>
+#include <include/firewall/icmpv6.xml.i>
+#include <include/firewall/limit.xml.i>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/log-options.xml.i>
+#include <include/firewall/match-ether-type.xml.i>
+#include <include/firewall/match-ipsec.xml.i>
+#include <include/firewall/match-vlan.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/packet-options.xml.i>
+#include <include/firewall/protocol.xml.i>
+#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
+#include <include/firewall/time.xml.i>
+#include <include/firewall/ttl.xml.i>
+<node name="destination">
+  <properties>
+    <help>Destination parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/address-inet.xml.i>
+    #include <include/firewall/address-mask-inet.xml.i>
+    #include <include/firewall/port.xml.i>
+    #include <include/firewall/source-destination-group-inet.xml.i>
+  </children>
+</node>
+<leafNode name="jump-target">
+  <properties>
+    <help>Set jump target. Action jump must be defined to use this setting</help>
+    <completionHelp>
+      <path>firewall bridge name</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/address-inet.xml.i>
+    #include <include/firewall/address-mask-inet.xml.i>
+    #include <include/firewall/port.xml.i>
+    #include <include/firewall/source-destination-group-inet.xml.i>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
new file mode 100644
index 0000000..e44938b
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -0,0 +1,24 @@
+<!-- include start from firewall/common-rule-inet.xml.i -->
+#include <include/firewall/action.xml.i>
+#include <include/firewall/conntrack-helper.xml.i>
+#include <include/firewall/connection-mark.xml.i>
+#include <include/firewall/connection-status.xml.i>
+#include <include/generic-description.xml.i>
+#include <include/generic-disable-node.xml.i>
+#include <include/firewall/dscp.xml.i>
+#include <include/firewall/fragment.xml.i>
+#include <include/firewall/limit.xml.i>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/log-options.xml.i>
+#include <include/firewall/firewall-mark.xml.i>
+#include <include/firewall/packet-options.xml.i>
+#include <include/firewall/protocol.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/recent.xml.i>
+#include <include/firewall/state.xml.i>
+#include <include/firewall/synproxy.xml.i>
+#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
+#include <include/firewall/gre.xml.i>
+#include <include/firewall/time.xml.i>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
new file mode 100644
index 0000000..e8da1a0
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -0,0 +1,47 @@
+<!-- include start from firewall/common-rule-ipv4-raw.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv4.xml.i>
+#include <include/firewall/action-and-notrack.xml.i>
+#include <include/generic-description.xml.i>
+#include <include/firewall/dscp.xml.i>
+#include <include/firewall/fragment.xml.i>
+#include <include/generic-disable-node.xml.i>
+#include <include/firewall/icmp.xml.i>
+#include <include/firewall/limit.xml.i>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/log-options.xml.i>
+#include <include/firewall/protocol.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/recent.xml.i>
+#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
+#include <include/firewall/time.xml.i>
+#include <include/firewall/ttl.xml.i>
+<node name="destination">
+  <properties>
+    <help>Destination parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/address.xml.i>
+    #include <include/firewall/address-mask.xml.i>
+    #include <include/firewall/fqdn.xml.i>
+    #include <include/firewall/geoip.xml.i>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/port.xml.i>
+    #include <include/firewall/source-destination-group.xml.i>
+  </children>
+</node>
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/address.xml.i>
+    #include <include/firewall/address-mask.xml.i>
+    #include <include/firewall/fqdn.xml.i>
+    #include <include/firewall/geoip.xml.i>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/port.xml.i>
+    #include <include/firewall/source-destination-group.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
new file mode 100644
index 0000000..803b94b
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
@@ -0,0 +1,44 @@
+<!-- include start from firewall/common-rule-ipv4.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv4.xml.i>
+#include <include/firewall/common-rule-inet.xml.i>
+#include <include/firewall/icmp.xml.i>
+#include <include/firewall/ttl.xml.i>
+<node name="destination">
+  <properties>
+    <help>Destination parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/address.xml.i>
+    #include <include/firewall/address-mask.xml.i>
+    #include <include/firewall/fqdn.xml.i>
+    #include <include/firewall/geoip.xml.i>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/port.xml.i>
+    #include <include/firewall/source-destination-group.xml.i>
+    #include <include/firewall/source-destination-dynamic-group.xml.i>
+  </children>
+</node>
+<leafNode name="jump-target">
+  <properties>
+    <help>Set jump target. Action jump must be defined to use this setting</help>
+    <completionHelp>
+      <path>firewall ipv4 name</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/address.xml.i>
+    #include <include/firewall/address-mask.xml.i>
+    #include <include/firewall/fqdn.xml.i>
+    #include <include/firewall/geoip.xml.i>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/port.xml.i>
+    #include <include/firewall/source-destination-group.xml.i>
+    #include <include/firewall/source-destination-dynamic-group.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i
new file mode 100644
index 0000000..3f7c5a0
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i
@@ -0,0 +1,49 @@
+<!-- include start from firewall/common-rule-ipv6-raw.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv6.xml.i>
+#include <include/firewall/action-and-notrack.xml.i>
+#include <include/generic-description.xml.i>
+#include <include/firewall/dscp.xml.i>
+#include <include/firewall/fragment.xml.i>
+#include <include/generic-disable-node.xml.i>
+#include <include/firewall/icmpv6.xml.i>
+#include <include/firewall/limit.xml.i>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/log-options.xml.i>
+#include <include/firewall/protocol.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/recent.xml.i>
+#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
+#include <include/firewall/time.xml.i>
+#include <include/firewall/hop-limit.xml.i>
+<node name="destination">
+  <properties>
+    <help>Destination parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/address-ipv6.xml.i>
+    #include <include/firewall/address-mask-ipv6.xml.i>
+    #include <include/firewall/fqdn.xml.i>
+    #include <include/firewall/geoip.xml.i>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/port.xml.i>
+    #include <include/firewall/source-destination-group-ipv6.xml.i>
+    #include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
+  </children>
+</node>
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/address-ipv6.xml.i>
+    #include <include/firewall/address-mask-ipv6.xml.i>
+    #include <include/firewall/fqdn.xml.i>
+    #include <include/firewall/geoip.xml.i>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/port.xml.i>
+    #include <include/firewall/source-destination-group-ipv6.xml.i>
+    #include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
new file mode 100644
index 0000000..bb176fe
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
@@ -0,0 +1,44 @@
+<!-- include start from firewall/common-rule-ipv6.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv6.xml.i>
+#include <include/firewall/common-rule-inet.xml.i>
+#include <include/firewall/hop-limit.xml.i>
+#include <include/firewall/icmpv6.xml.i>
+<node name="destination">
+  <properties>
+    <help>Destination parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/address-ipv6.xml.i>
+    #include <include/firewall/address-mask-ipv6.xml.i>
+    #include <include/firewall/fqdn.xml.i>
+    #include <include/firewall/geoip.xml.i>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/port.xml.i>
+    #include <include/firewall/source-destination-group-ipv6.xml.i>
+    #include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
+  </children>
+</node>
+<leafNode name="jump-target">
+  <properties>
+    <help>Set jump target. Action jump must be defined to use this setting</help>
+    <completionHelp>
+      <path>firewall ipv6 name</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/address-ipv6.xml.i>
+    #include <include/firewall/address-mask-ipv6.xml.i>
+    #include <include/firewall/fqdn.xml.i>
+    #include <include/firewall/geoip.xml.i>
+    #include <include/firewall/mac-address.xml.i>
+    #include <include/firewall/port.xml.i>
+    #include <include/firewall/source-destination-group-ipv6.xml.i>
+    #include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/connection-mark.xml.i b/interface-definitions/include/firewall/connection-mark.xml.i
new file mode 100644
index 0000000..69f7fe6
--- /dev/null
+++ b/interface-definitions/include/firewall/connection-mark.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from firewall/connection-mark.xml.i -->
+<leafNode name="connection-mark">
+  <properties>
+    <help>Connection mark</help>
+    <valueHelp>
+      <format>u32:0-2147483647</format>
+      <description>Connection-mark to match</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 0-2147483647"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/connection-status.xml.i b/interface-definitions/include/firewall/connection-status.xml.i
new file mode 100644
index 0000000..5236c2f
--- /dev/null
+++ b/interface-definitions/include/firewall/connection-status.xml.i
@@ -0,0 +1,28 @@
+<!-- include start from firewall/connection-status.xml.i -->
+<node name="connection-status">
+  <properties>
+    <help>Connection status</help>
+  </properties>
+  <children>
+    <leafNode name="nat">
+      <properties>
+        <help>NAT connection status</help>
+        <completionHelp>
+          <list>destination source</list>
+        </completionHelp>
+        <valueHelp>
+          <format>destination</format>
+          <description>Match connections that are subject to destination NAT</description>
+        </valueHelp>
+        <valueHelp>
+          <format>source</format>
+          <description>Match connections that are subject to source NAT</description>
+        </valueHelp>
+        <constraint>
+          <regex>(destination|source)</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/conntrack-helper.xml.i b/interface-definitions/include/firewall/conntrack-helper.xml.i
new file mode 100644
index 0000000..3ca1a03
--- /dev/null
+++ b/interface-definitions/include/firewall/conntrack-helper.xml.i
@@ -0,0 +1,46 @@
+<!-- include start from firewall/conntrack-helper.xml.i -->
+<leafNode name="conntrack-helper">
+  <properties>
+    <help>Match related traffic from conntrack helpers</help>
+    <completionHelp>
+      <list>ftp h323 pptp nfs sip tftp sqlnet</list>
+    </completionHelp>
+    <valueHelp>
+      <format>ftp</format>
+      <description>Related traffic from FTP helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>h323</format>
+      <description>Related traffic from H.323 helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>pptp</format>
+      <description>Related traffic from PPTP helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>nfs</format>
+      <description>Related traffic from NFS helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>rtsp</format>
+      <description>Related traffic from RTSP helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>sip</format>
+      <description>Related traffic from SIP helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>tftp</format>
+      <description>Related traffic from TFTP helper</description>
+    </valueHelp>
+    <valueHelp>
+      <format>sqlnet</format>
+      <description>Related traffic from SQLNet helper</description>
+    </valueHelp>
+    <constraint>
+      <regex>(ftp|h323|pptp|nfs|rtsp|sip|tftp|sqlnet)</regex>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/default-action-base-chains.xml.i b/interface-definitions/include/firewall/default-action-base-chains.xml.i
new file mode 100644
index 0000000..aa62abf
--- /dev/null
+++ b/interface-definitions/include/firewall/default-action-base-chains.xml.i
@@ -0,0 +1,22 @@
+<!-- include start from firewall/default-action-base-chains.xml.i -->
+<leafNode name="default-action">
+  <properties>
+    <help>Default-action for rule-set</help>
+    <completionHelp>
+      <list>drop accept</list>
+    </completionHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept if no prior rules are hit</description>
+    </valueHelp>
+    <constraint>
+      <regex>(drop|accept)</regex>
+    </constraint>
+  </properties>
+  <defaultValue>accept</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/default-action-bridge.xml.i b/interface-definitions/include/firewall/default-action-bridge.xml.i
new file mode 100644
index 0000000..858c7ae
--- /dev/null
+++ b/interface-definitions/include/firewall/default-action-bridge.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/default-action.xml.i -->
+<leafNode name="default-action">
+  <properties>
+    <help>Default-action for rule-set</help>
+    <completionHelp>
+      <list>drop jump return accept continue</list>
+    </completionHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <constraint>
+      <regex>(drop|jump|return|accept|continue)</regex>
+    </constraint>
+  </properties>
+  <defaultValue>drop</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i
new file mode 100644
index 0000000..53a1614
--- /dev/null
+++ b/interface-definitions/include/firewall/default-action.xml.i
@@ -0,0 +1,38 @@
+<!-- include start from firewall/default-action.xml.i -->
+<leafNode name="default-action">
+  <properties>
+    <help>Default-action for rule-set</help>
+    <completionHelp>
+      <list>drop jump reject return accept continue</list>
+    </completionHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>reject</format>
+      <description>Drop and notify source if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <constraint>
+      <regex>(drop|jump|reject|return|accept|continue)</regex>
+    </constraint>
+  </properties>
+  <defaultValue>drop</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/default-log.xml.i b/interface-definitions/include/firewall/default-log.xml.i
new file mode 100644
index 0000000..dceacdb
--- /dev/null
+++ b/interface-definitions/include/firewall/default-log.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from firewall/default-log.xml.i -->
+<leafNode name="default-log">
+  <properties>
+    <help>Log packets hitting default-action</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/dscp.xml.i b/interface-definitions/include/firewall/dscp.xml.i
new file mode 100644
index 0000000..dd4da48
--- /dev/null
+++ b/interface-definitions/include/firewall/dscp.xml.i
@@ -0,0 +1,36 @@
+<!-- include start from firewall/dscp.xml.i -->
+<leafNode name="dscp">
+  <properties>
+    <help>DSCP value</help>
+    <valueHelp>
+      <format>u32:0-63</format>
+      <description>DSCP value to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;start-end&gt;</format>
+      <description>DSCP range to match</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--allow-range --range 0-63"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<leafNode name="dscp-exclude">
+  <properties>
+    <help>DSCP value not to match</help>
+    <valueHelp>
+      <format>u32:0-63</format>
+      <description>DSCP value not to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;start-end&gt;</format>
+      <description>DSCP range not to match</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--allow-range --range 0-63"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/eq.xml.i b/interface-definitions/include/firewall/eq.xml.i
new file mode 100644
index 0000000..e1b4f37
--- /dev/null
+++ b/interface-definitions/include/firewall/eq.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/eq.xml.i -->
+<leafNode name="eq">
+  <properties>
+    <help>Match on equal value</help>
+    <valueHelp>
+      <format>u32:0-255</format>
+      <description>Equal to value</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 0-255"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/firewall-hashing-parameters.xml.i b/interface-definitions/include/firewall/firewall-hashing-parameters.xml.i
new file mode 100644
index 0000000..7f34de3
--- /dev/null
+++ b/interface-definitions/include/firewall/firewall-hashing-parameters.xml.i
@@ -0,0 +1,35 @@
+<!-- include start from firewall/firewall-hashing-parameters.xml.i -->
+<leafNode name="hash">
+  <properties>
+    <help>Define the parameters of the packet header to apply the hashing</help>
+    <completionHelp>
+      <list>source-address destination-address source-port destination-port random</list>
+    </completionHelp>
+    <valueHelp>
+      <format>source-address</format>
+      <description>Use source IP address for hashing</description>
+    </valueHelp>
+    <valueHelp>
+      <format>destination-address</format>
+      <description>Use destination IP address for hashing</description>
+    </valueHelp>
+    <valueHelp>
+      <format>source-port</format>
+      <description>Use source port for hashing</description>
+    </valueHelp>
+    <valueHelp>
+      <format>destination-port</format>
+      <description>Use destination port for hashing</description>
+    </valueHelp>
+    <valueHelp>
+      <format>random</format>
+      <description>Do not use information from ip header. Use random value.</description>
+    </valueHelp>
+    <constraint>
+      <regex>(source-address|destination-address|source-port|destination-port|random)</regex>
+    </constraint>
+    <multi/>
+  </properties>
+  <defaultValue>random</defaultValue>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/firewall-mark.xml.i b/interface-definitions/include/firewall/firewall-mark.xml.i
new file mode 100644
index 0000000..36a939b
--- /dev/null
+++ b/interface-definitions/include/firewall/firewall-mark.xml.i
@@ -0,0 +1,26 @@
+<!-- include start from firewall/firewall-mark.xml.i -->
+<leafNode name="mark">
+  <properties>
+    <help>Firewall mark</help>
+    <valueHelp>
+      <format>u32:0-2147483647</format>
+      <description>Firewall mark to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!u32:0-2147483647</format>
+      <description>Inverted Firewall mark to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;start-end&gt;</format>
+      <description>Firewall mark range to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!&lt;start-end&gt;</format>
+      <description>Firewall mark inverted range to match</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric-exclude" argument="--allow-range --range 0-2147483647"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/fqdn.xml.i b/interface-definitions/include/firewall/fqdn.xml.i
new file mode 100644
index 0000000..9eb3925
--- /dev/null
+++ b/interface-definitions/include/firewall/fqdn.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/fqdn.xml.i -->
+<leafNode name="fqdn">
+  <properties>
+    <help>Fully qualified domain name</help>
+    <valueHelp>
+      <format>&lt;fqdn&gt;</format>
+      <description>Fully qualified domain name</description>
+    </valueHelp>
+    <constraint>
+      <validator name="fqdn"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/fragment.xml.i b/interface-definitions/include/firewall/fragment.xml.i
new file mode 100644
index 0000000..1f4c110
--- /dev/null
+++ b/interface-definitions/include/firewall/fragment.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from firewall/fragment.xml.i -->
+<node name="fragment">
+  <properties>
+    <help>IP fragment match</help>
+  </properties>
+  <children>
+    <leafNode name="match-frag">
+      <properties>
+        <help>Second and further fragments of fragmented packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-non-frag">
+      <properties>
+        <help>Head fragments or unfragmented packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/fwmark.xml.i b/interface-definitions/include/firewall/fwmark.xml.i
new file mode 100644
index 0000000..4607ef5
--- /dev/null
+++ b/interface-definitions/include/firewall/fwmark.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/fwmark.xml.i -->
+<leafNode name="fwmark">
+  <properties>
+    <help>Match fwmark value</help>
+    <valueHelp>
+      <format>u32:1-2147483647</format>
+      <description>Match firewall mark value</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-2147483647"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/geoip.xml.i b/interface-definitions/include/firewall/geoip.xml.i
new file mode 100644
index 0000000..9fb37a5
--- /dev/null
+++ b/interface-definitions/include/firewall/geoip.xml.i
@@ -0,0 +1,28 @@
+<!-- include start from firewall/geoip.xml.i -->
+<node name="geoip">
+  <properties>
+    <help>GeoIP options - Data provided by DB-IP.com</help>
+  </properties>
+  <children>
+    <leafNode name="country-code">
+      <properties>
+        <help>GeoIP country code</help>
+        <valueHelp>
+          <format>&lt;country&gt;</format>
+          <description>Country code (2 characters)</description>
+        </valueHelp>
+        <constraint>
+          <regex>^(ad|ae|af|ag|ai|al|am|ao|aq|ar|as|at|au|aw|ax|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bl|bm|bn|bo|bq|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cw|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|me|mf|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|rs|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|ss|st|sv|sx|sy|sz|tc|td|tf|tg|th|tj|tk|tl|tm|tn|to|tr|tt|tv|tw|tz|ua|ug|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|za|zm|zw)$</regex>
+        </constraint>
+        <multi />
+      </properties>
+    </leafNode>
+    <leafNode name="inverse-match">
+      <properties>
+        <help>Inverse match of country-codes</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
new file mode 100644
index 0000000..05fdd75
--- /dev/null
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -0,0 +1,366 @@
+<!-- include start from firewall/global-options.xml.i -->
+<node name="global-options">
+  <properties>
+    <help>Global Options</help>
+  </properties>
+  <children>
+    <leafNode name="all-ping">
+      <properties>
+        <help>Policy for handling of all IPv4 ICMP echo requests</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable processing of all IPv4 ICMP echo requests</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable processing of all IPv4 ICMP echo requests</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>enable</defaultValue>
+    </leafNode>
+    <leafNode name="broadcast-ping">
+      <properties>
+        <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>disable</defaultValue>
+    </leafNode>
+    <node name="apply-to-bridged-traffic">
+      <properties>
+        <help>Apply configured firewall rules to traffic switched by bridges</help>
+      </properties>
+      <children>
+        <leafNode name="invalid-connections">
+          <properties>
+            <help>Accept ARP and DHCP despite they are marked as invalid connection</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv4">
+          <properties>
+            <help>Apply configured IPv4 firewall rules</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6">
+          <properties>
+            <help>Apply configured IPv6 firewall rules</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+    <leafNode name="directed-broadcast">
+      <properties>
+        <help>Policy for handling IPv4 directed broadcast forwarding on all interfaces</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable IPv4 directed broadcast forwarding on all interfaces</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable IPv4 directed broadcast forwarding on all interfaces</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>enable</defaultValue>
+    </leafNode>
+    <leafNode name="ip-src-route">
+      <properties>
+        <help>Policy for handling IPv4 packets with source route option</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable processing of IPv4 packets with source route option</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable processing of IPv4 packets with source route option</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>disable</defaultValue>
+    </leafNode>
+    <leafNode name="log-martians">
+      <properties>
+        <help>Policy for logging IPv4 packets with invalid addresses</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable logging of IPv4 packets with invalid addresses</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable logging of Ipv4 packets with invalid addresses</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>enable</defaultValue>
+    </leafNode>
+    <leafNode name="receive-redirects">
+      <properties>
+        <help>Policy for handling received IPv4 ICMP redirect messages</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable processing of received IPv4 ICMP redirect messages</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable processing of received IPv4 ICMP redirect messages</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>disable</defaultValue>
+    </leafNode>
+    <leafNode name="resolver-cache">
+      <properties>
+        <help>Retains last successful value if domain resolution fails</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="resolver-interval">
+      <properties>
+        <help>Domain resolver update interval</help>
+        <valueHelp>
+          <format>u32:10-3600</format>
+          <description>Interval (seconds)</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 10-3600"/>
+        </constraint>
+      </properties>
+      <defaultValue>300</defaultValue>
+    </leafNode>
+    <leafNode name="send-redirects">
+      <properties>
+        <help>Policy for sending IPv4 ICMP redirect messages</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable sending IPv4 ICMP redirect messages</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable sending IPv4 ICMP redirect messages</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>enable</defaultValue>
+    </leafNode>
+    <leafNode name="source-validation">
+      <properties>
+        <help>Policy for IPv4 source validation by reversed path, as specified in RFC3704</help>
+        <completionHelp>
+          <list>strict loose disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>strict</format>
+          <description>Enable IPv4 Strict Reverse Path Forwarding as defined in RFC3704</description>
+        </valueHelp>
+        <valueHelp>
+          <format>loose</format>
+          <description>Enable IPv4 Loose Reverse Path Forwarding as defined in RFC3704</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>No IPv4 source validation</description>
+        </valueHelp>
+        <constraint>
+          <regex>(strict|loose|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>disable</defaultValue>
+    </leafNode>
+    <node name="state-policy">
+      <properties>
+        <help>Global firewall state-policy</help>
+      </properties>
+      <children>
+        <node name="established">
+          <properties>
+            <help>Global firewall policy for packets part of an established connection</help>
+          </properties>
+          <children>
+            #include <include/firewall/action-accept-drop-reject.xml.i>
+            #include <include/firewall/log.xml.i>
+            #include <include/firewall/rule-log-level.xml.i>
+          </children>
+        </node>
+        <node name="invalid">
+          <properties>
+            <help>Global firewall policy for packets part of an invalid connection</help>
+          </properties>
+          <children>
+            #include <include/firewall/action-accept-drop-reject.xml.i>
+            #include <include/firewall/log.xml.i>
+            #include <include/firewall/rule-log-level.xml.i>
+          </children>
+        </node>
+        <node name="related">
+          <properties>
+            <help>Global firewall policy for packets part of a related connection</help>
+          </properties>
+          <children>
+            #include <include/firewall/action-accept-drop-reject.xml.i>
+            #include <include/firewall/log.xml.i>
+            #include <include/firewall/rule-log-level.xml.i>
+          </children>
+        </node>
+      </children>
+    </node>
+    <leafNode name="syn-cookies">
+      <properties>
+        <help>Policy for using TCP SYN cookies with IPv4</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable use of TCP SYN cookies with IPv4</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable use of TCP SYN cookies with IPv4</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>enable</defaultValue>
+    </leafNode>
+    <node name="timeout">
+      <properties>
+        <help>Connection timeout options</help>
+      </properties>
+      <children>
+        #include <include/firewall/timeout-common-protocols.xml.i>
+      </children>
+    </node>
+    <leafNode name="twa-hazards-protection">
+      <properties>
+        <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable RFC1337 TIME-WAIT hazards protection</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable RFC1337 TIME-WAIT hazards protection</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>disable</defaultValue>
+    </leafNode>
+    <leafNode name="ipv6-receive-redirects">
+      <properties>
+        <help>Policy for handling received ICMPv6 redirect messages</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable processing of received ICMPv6 redirect messages</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable processing of received ICMPv6 redirect messages</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>disable</defaultValue>
+    </leafNode>
+    <leafNode name="ipv6-source-validation">
+      <properties>
+        <help>Policy for IPv6 source validation by reversed path, as specified in RFC3704</help>
+        <completionHelp>
+          <list>strict loose disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>strict</format>
+          <description>Enable IPv6 Strict Reverse Path Forwarding as defined in RFC3704</description>
+        </valueHelp>
+        <valueHelp>
+          <format>loose</format>
+          <description>Enable IPv6 Loose Reverse Path Forwarding as defined in RFC3704</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>No IPv6 source validation</description>
+        </valueHelp>
+        <constraint>
+          <regex>(strict|loose|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>disable</defaultValue>
+    </leafNode>
+    <leafNode name="ipv6-src-route">
+      <properties>
+        <help>Policy for handling IPv6 packets with routing extension header</help>
+        <completionHelp>
+          <list>enable disable</list>
+        </completionHelp>
+        <valueHelp>
+          <format>enable</format>
+          <description>Enable processing of IPv6 packets with routing header type 2</description>
+        </valueHelp>
+        <valueHelp>
+          <format>disable</format>
+          <description>Disable processing of IPv6 packets with routing header</description>
+        </valueHelp>
+        <constraint>
+          <regex>(enable|disable)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>disable</defaultValue>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/gre.xml.i b/interface-definitions/include/firewall/gre.xml.i
new file mode 100644
index 0000000..e7b9fd5
--- /dev/null
+++ b/interface-definitions/include/firewall/gre.xml.i
@@ -0,0 +1,116 @@
+<!-- include start from firewall/gre.xml.i -->
+<node name="gre">
+  <properties>
+    <help>GRE fields to match</help>
+  </properties>
+  <children>
+    <node name="flags">
+      <properties>
+        <help>GRE flag bits to match</help>
+      </properties>
+      <children>
+        <node name="key">
+          <properties>
+            <help>Header includes optional key field</help>
+          </properties>
+          <children>
+            <leafNode name="unset">
+              <properties>
+                <help>Header does not include optional key field</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
+        <node name="checksum">
+          <properties>
+            <help>Header includes optional checksum</help>
+          </properties>
+          <children>
+            <leafNode name="unset">
+              <properties>
+                <help>Header does not include optional checksum</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
+        <node name="sequence">
+          <properties>
+            <help>Header includes a sequence number field</help>
+          </properties>
+          <children>
+            <leafNode name="unset">
+              <properties>
+                <help>Header does not include a sequence number field</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
+      </children>
+    </node>
+    <leafNode name="inner-proto">
+      <properties>
+        <help>EtherType of encapsulated packet</help>
+        <completionHelp>
+          <list>ip ip6 arp 802.1q 802.1ad</list>
+        </completionHelp>
+        <valueHelp>
+          <format>u32:0-65535</format>
+          <description>Ethernet protocol number</description>
+        </valueHelp>
+        <valueHelp>
+          <format>u32:0x0-0xffff</format>
+          <description>Ethernet protocol number (hex)</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ip</format>
+          <description>IPv4</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ip6</format>
+          <description>IPv6</description>
+        </valueHelp>
+        <valueHelp>
+          <format>arp</format>
+          <description>Address Resolution Protocol</description>
+        </valueHelp>
+        <valueHelp>
+          <format>802.1q</format>
+          <description>VLAN-tagged frames (IEEE 802.1q)</description>
+        </valueHelp>
+        <valueHelp>
+          <format>802.1ad</format>
+          <description>Provider Bridging (IEEE 802.1ad, Q-in-Q)</description>
+        </valueHelp>
+        <valueHelp>
+          <format>gretap</format>
+          <description>Transparent Ethernet Bridging (L2 Ethernet over GRE, gretap)</description>
+        </valueHelp>
+        <constraint>
+          <regex>(ip|ip6|arp|802.1q|802.1ad|gretap|0x[0-9a-fA-F]{1,4})</regex>
+          <validator name="numeric" argument="--range 0-65535"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    #include <include/interface/parameters-key.xml.i>
+    <leafNode name="version">
+      <properties>
+        <help>GRE Version</help>
+        <valueHelp>
+          <format>gre</format>
+          <description>Standard GRE</description>
+        </valueHelp>
+        <valueHelp>
+          <format>pptp</format>
+          <description>Point to Point Tunnelling Protocol</description>
+        </valueHelp>
+        <constraint>
+          <regex>(gre|pptp)</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/gt.xml.i b/interface-definitions/include/firewall/gt.xml.i
new file mode 100644
index 0000000..c879171
--- /dev/null
+++ b/interface-definitions/include/firewall/gt.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/gt.xml.i -->
+<leafNode name="gt">
+  <properties>
+    <help>Match on greater then value</help>
+    <valueHelp>
+      <format>u32:0-255</format>
+      <description>Greater then value</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 0-255"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/hop-limit.xml.i b/interface-definitions/include/firewall/hop-limit.xml.i
new file mode 100644
index 0000000..d375dc9
--- /dev/null
+++ b/interface-definitions/include/firewall/hop-limit.xml.i
@@ -0,0 +1,12 @@
+<!-- include start from firewall/hop-limit.xml.i -->
+<node name="hop-limit">
+  <properties>
+    <help>Hop limit</help>
+  </properties>
+  <children>
+    #include <include/firewall/eq.xml.i>
+    #include <include/firewall/gt.xml.i>
+    #include <include/firewall/lt.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/icmp-type-name.xml.i b/interface-definitions/include/firewall/icmp-type-name.xml.i
new file mode 100644
index 0000000..d4197cf
--- /dev/null
+++ b/interface-definitions/include/firewall/icmp-type-name.xml.i
@@ -0,0 +1,73 @@
+<!-- include start from firewall/icmp-type-name.xml.i -->
+<leafNode name="type-name">
+  <properties>
+    <help>ICMP type-name</help>
+    <completionHelp>
+      <list>echo-reply destination-unreachable source-quench redirect echo-request router-advertisement router-solicitation time-exceeded parameter-problem timestamp-request timestamp-reply info-request info-reply address-mask-request address-mask-reply</list>
+    </completionHelp>
+    <valueHelp>
+      <format>echo-reply</format>
+      <description>ICMP type 0: echo-reply</description>
+    </valueHelp>
+    <valueHelp>
+      <format>destination-unreachable</format>
+      <description>ICMP type 3: destination-unreachable</description>
+    </valueHelp>
+    <valueHelp>
+      <format>source-quench</format>
+      <description>ICMP type 4: source-quench</description>
+    </valueHelp>
+    <valueHelp>
+      <format>redirect</format>
+      <description>ICMP type 5: redirect</description>
+    </valueHelp>
+    <valueHelp>
+      <format>echo-request</format>
+      <description>ICMP type 8: echo-request</description>
+    </valueHelp>
+    <valueHelp>
+      <format>router-advertisement</format>
+      <description>ICMP type 9: router-advertisement</description>
+    </valueHelp>
+    <valueHelp>
+      <format>router-solicitation</format>
+      <description>ICMP type 10: router-solicitation</description>
+    </valueHelp>
+    <valueHelp>
+      <format>time-exceeded</format>
+      <description>ICMP type 11: time-exceeded</description>
+    </valueHelp>
+    <valueHelp>
+      <format>parameter-problem</format>
+      <description>ICMP type 12: parameter-problem</description>
+    </valueHelp>
+    <valueHelp>
+      <format>timestamp-request</format>
+      <description>ICMP type 13: timestamp-request</description>
+    </valueHelp>
+    <valueHelp>
+      <format>timestamp-reply</format>
+      <description>ICMP type 14: timestamp-reply</description>
+    </valueHelp>
+    <valueHelp>
+      <format>info-request</format>
+      <description>ICMP type 15: info-request</description>
+    </valueHelp>
+    <valueHelp>
+      <format>info-reply</format>
+      <description>ICMP type 16: info-reply</description>
+    </valueHelp>
+    <valueHelp>
+      <format>address-mask-request</format>
+      <description>ICMP type 17: address-mask-request</description>
+    </valueHelp>
+    <valueHelp>
+      <format>address-mask-reply</format>
+      <description>ICMP type 18: address-mask-reply</description>
+    </valueHelp>
+    <constraint>
+      <regex>(echo-reply|destination-unreachable|source-quench|redirect|echo-request|router-advertisement|router-solicitation|time-exceeded|parameter-problem|timestamp-request|timestamp-reply|info-request|info-reply|address-mask-request|address-mask-reply)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/icmp.xml.i b/interface-definitions/include/firewall/icmp.xml.i
new file mode 100644
index 0000000..deb50a4
--- /dev/null
+++ b/interface-definitions/include/firewall/icmp.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/icmp.xml.i -->
+<node name="icmp">
+  <properties>
+    <help>ICMP type and code information</help>
+  </properties>
+  <children>
+    <leafNode name="code">
+      <properties>
+        <help>ICMP code</help>
+        <valueHelp>
+          <format>u32:0-255</format>
+          <description>ICMP code (0-255)</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="type">
+      <properties>
+        <help>ICMP type</help>
+        <valueHelp>
+          <format>u32:0-255</format>
+          <description>ICMP type (0-255)</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    #include <include/firewall/icmp-type-name.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/icmpv6-type-name.xml.i b/interface-definitions/include/firewall/icmpv6-type-name.xml.i
new file mode 100644
index 0000000..e17a20e
--- /dev/null
+++ b/interface-definitions/include/firewall/icmpv6-type-name.xml.i
@@ -0,0 +1,85 @@
+<!-- include start from firewall/icmpv6-type-name.xml.i -->
+<leafNode name="type-name">
+  <properties>
+    <help>ICMPv6 type-name</help>
+    <completionHelp>
+      <list>destination-unreachable packet-too-big time-exceeded echo-request echo-reply mld-listener-query mld-listener-report mld-listener-reduction nd-router-solicit nd-router-advert nd-neighbor-solicit nd-neighbor-advert nd-redirect parameter-problem router-renumbering ind-neighbor-solicit ind-neighbor-advert mld2-listener-report</list>
+    </completionHelp>
+    <valueHelp>
+      <format>destination-unreachable</format>
+      <description>ICMPv6 type 1: destination-unreachable</description>
+    </valueHelp>
+    <valueHelp>
+      <format>packet-too-big</format>
+      <description>ICMPv6 type 2: packet-too-big</description>
+    </valueHelp>
+    <valueHelp>
+      <format>time-exceeded</format>
+      <description>ICMPv6 type 3: time-exceeded</description>
+    </valueHelp>
+    <valueHelp>
+      <format>echo-request</format>
+      <description>ICMPv6 type 128: echo-request</description>
+    </valueHelp>
+    <valueHelp>
+      <format>echo-reply</format>
+      <description>ICMPv6 type 129: echo-reply</description>
+    </valueHelp>
+    <valueHelp>
+      <format>mld-listener-query</format>
+      <description>ICMPv6 type 130: mld-listener-query</description>
+    </valueHelp>
+    <valueHelp>
+      <format>mld-listener-report</format>
+      <description>ICMPv6 type 131: mld-listener-report</description>
+    </valueHelp>
+    <valueHelp>
+      <format>mld-listener-reduction</format>
+      <description>ICMPv6 type 132: mld-listener-reduction</description>
+    </valueHelp>
+    <valueHelp>
+      <format>nd-router-solicit</format>
+      <description>ICMPv6 type 133: nd-router-solicit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>nd-router-advert</format>
+      <description>ICMPv6 type 134: nd-router-advert</description>
+    </valueHelp>
+    <valueHelp>
+      <format>nd-neighbor-solicit</format>
+      <description>ICMPv6 type 135: nd-neighbor-solicit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>nd-neighbor-advert</format>
+      <description>ICMPv6 type 136: nd-neighbor-advert</description>
+    </valueHelp>
+    <valueHelp>
+      <format>nd-redirect</format>
+      <description>ICMPv6 type 137: nd-redirect</description>
+    </valueHelp>
+    <valueHelp>
+      <format>parameter-problem</format>
+      <description>ICMPv6 type 4: parameter-problem</description>
+    </valueHelp>
+    <valueHelp>
+      <format>router-renumbering</format>
+      <description>ICMPv6 type 138: router-renumbering</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ind-neighbor-solicit</format>
+      <description>ICMPv6 type 141: ind-neighbor-solicit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ind-neighbor-advert</format>
+      <description>ICMPv6 type 142: ind-neighbor-advert</description>
+    </valueHelp>
+    <valueHelp>
+      <format>mld2-listener-report</format>
+      <description>ICMPv6 type 143: mld2-listener-report</description>
+    </valueHelp>
+    <constraint>
+      <regex>(destination-unreachable|packet-too-big|time-exceeded|echo-request|echo-reply|mld-listener-query|mld-listener-report|mld-listener-reduction|nd-router-solicit|nd-router-advert|nd-neighbor-solicit|nd-neighbor-advert|nd-redirect|parameter-problem|router-renumbering|ind-neighbor-solicit|ind-neighbor-advert|mld2-listener-report)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/icmpv6.xml.i b/interface-definitions/include/firewall/icmpv6.xml.i
new file mode 100644
index 0000000..c011862
--- /dev/null
+++ b/interface-definitions/include/firewall/icmpv6.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/icmpv6.xml.i -->
+<node name="icmpv6">
+  <properties>
+    <help>ICMPv6 type and code information</help>
+  </properties>
+  <children>
+    <leafNode name="code">
+      <properties>
+        <help>ICMPv6 code</help>
+        <valueHelp>
+          <format>u32:0-255</format>
+          <description>ICMPv6 code (0-255)</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="type">
+      <properties>
+        <help>ICMPv6 type</help>
+        <valueHelp>
+          <format>u32:0-255</format>
+          <description>ICMPv6 type (0-255)</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    #include <include/firewall/icmpv6-type-name.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/inbound-interface-no-group.xml.i b/interface-definitions/include/firewall/inbound-interface-no-group.xml.i
new file mode 100644
index 0000000..bcd4c95
--- /dev/null
+++ b/interface-definitions/include/firewall/inbound-interface-no-group.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/inbound-interface-no-group.xml.i -->
+<node name="inbound-interface">
+  <properties>
+    <help>Match inbound-interface</help>
+  </properties>
+  <children>
+    <leafNode name="name">
+      <properties>
+        <help>Match interface</help>
+        <completionHelp>
+          <script>${vyos_completion_dir}/list_interfaces</script>
+          <path>vrf name</path>
+        </completionHelp>
+        <valueHelp>
+          <format>txt</format>
+          <description>Interface name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>txt*</format>
+          <description>Interface name with wildcard</description>
+        </valueHelp>
+        <valueHelp>
+          <format>!txt</format>
+          <description>Inverted interface name to match</description>
+        </valueHelp>
+        <constraint>
+          <regex>(\!?)(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|(\!?)lo</regex>
+          <validator name="vrf-name"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/inbound-interface.xml.i b/interface-definitions/include/firewall/inbound-interface.xml.i
new file mode 100644
index 0000000..13df71d
--- /dev/null
+++ b/interface-definitions/include/firewall/inbound-interface.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from firewall/inbound-interface.xml.i -->
+<node name="inbound-interface">
+  <properties>
+    <help>Match inbound-interface</help>
+  </properties>
+  <children>
+    #include <include/firewall/match-interface.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
new file mode 100644
index 0000000..8046b2d
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
@@ -0,0 +1,43 @@
+<!-- include start from firewall/ipv4-custom-name.xml.i -->
+<tagNode name="name">
+  <properties>
+    <help>IPv4 custom firewall</help>
+    <constraint>
+      <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+    </constraint>
+  </properties>
+  <children>
+    #include <include/firewall/default-action.xml.i>
+    #include <include/firewall/default-log.xml.i>
+    #include <include/generic-description.xml.i>
+    <leafNode name="default-jump-target">
+      <properties>
+        <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+        <completionHelp>
+          <path>firewall ipv4 name</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <tagNode name="rule">
+      <properties>
+        <help>IPv4 Firewall custom rule number</help>
+        <valueHelp>
+          <format>u32:1-999999</format>
+          <description>Number for this firewall rule</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-999999"/>
+        </constraint>
+        <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+      </properties>
+      <children>
+        #include <include/firewall/common-rule-ipv4.xml.i>
+        #include <include/firewall/inbound-interface.xml.i>
+        #include <include/firewall/match-ipsec.xml.i>
+        #include <include/firewall/offload-target.xml.i>
+        #include <include/firewall/outbound-interface.xml.i>
+      </children>
+    </tagNode>
+  </children>
+</tagNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
new file mode 100644
index 0000000..b0e240a
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
@@ -0,0 +1,40 @@
+<!-- include start from firewall/ipv4-hook-forward.xml.i -->
+<node name="forward">
+  <properties>
+    <help>IPv4 forward firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>IPv4 firewall forward filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>IPv4 Firewall forward filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/action-forward.xml.i>
+            #include <include/firewall/common-rule-ipv4.xml.i>
+            #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/match-ipsec.xml.i>
+            #include <include/firewall/offload-target.xml.i>
+            #include <include/firewall/outbound-interface.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
new file mode 100644
index 0000000..491d1a9
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/ipv4-hook-input.xml.i -->
+<node name="input">
+  <properties>
+    <help>IPv4 input firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>IPv4 firewall input filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>IPv4 Firewall input filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-ipv4.xml.i>
+            #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/match-ipsec-in.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
new file mode 100644
index 0000000..ee91575
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
@@ -0,0 +1,65 @@
+<!-- include start from firewall/ipv4-hook-output.xml.i -->
+<node name="output">
+  <properties>
+    <help>IPv4 output firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>IPv4 firewall output filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>IPv4 Firewall output filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-ipv4.xml.i>
+            #include <include/firewall/match-ipsec-out.xml.i>
+            #include <include/firewall/outbound-interface.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+    <node name="raw">
+      <properties>
+        <help>IPv4 firewall output raw</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>IPv4 Firewall output raw rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-ipv4-raw.xml.i>
+            #include <include/firewall/match-ipsec-out.xml.i>
+            #include <include/firewall/outbound-interface.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
new file mode 100644
index 0000000..b431303
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
@@ -0,0 +1,52 @@
+<!-- include start from firewall/ipv4-hook-prerouting.xml.i -->
+<node name="prerouting">
+  <properties>
+    <help>IPv4 prerouting firewall</help>
+  </properties>
+  <children>
+    <node name="raw">
+      <properties>
+        <help>IPv4 firewall prerouting raw</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/generic-description.xml.i>
+        <leafNode name="default-jump-target">
+          <properties>
+            <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+            <completionHelp>
+              <path>firewall ipv4 name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <tagNode name="rule">
+          <properties>
+            <help>IPv4 Firewall prerouting raw rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-ipv4-raw.xml.i>
+            #include <include/firewall/match-ipsec-in.xml.i>
+            #include <include/firewall/inbound-interface.xml.i>
+            <leafNode name="jump-target">
+              <properties>
+                <help>Set jump target. Action jump must be defined to use this setting</help>
+                <completionHelp>
+                  <path>firewall ipv4 name</path>
+                </completionHelp>
+              </properties>
+            </leafNode>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
new file mode 100644
index 0000000..fb8740c
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
@@ -0,0 +1,43 @@
+<!-- include start from firewall/ipv6-custom-name.xml.i -->
+<tagNode name="name">
+  <properties>
+    <help>IPv6 custom firewall</help>
+    <constraint>
+      <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+    </constraint>
+  </properties>
+  <children>
+    #include <include/firewall/default-action.xml.i>
+    #include <include/firewall/default-log.xml.i>
+    #include <include/generic-description.xml.i>
+    <leafNode name="default-jump-target">
+      <properties>
+        <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+        <completionHelp>
+          <path>firewall ipv6 name</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <tagNode name="rule">
+      <properties>
+        <help>IPv6 Firewall custom rule number</help>
+        <valueHelp>
+          <format>u32:1-999999</format>
+          <description>Number for this firewall rule</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-999999"/>
+        </constraint>
+        <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+      </properties>
+      <children>
+        #include <include/firewall/common-rule-ipv6.xml.i>
+        #include <include/firewall/inbound-interface.xml.i>
+        #include <include/firewall/match-ipsec.xml.i>
+        #include <include/firewall/offload-target.xml.i>
+        #include <include/firewall/outbound-interface.xml.i>
+      </children>
+    </tagNode>
+  </children>
+</tagNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
new file mode 100644
index 0000000..7efc261
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
@@ -0,0 +1,40 @@
+<!-- include start from firewall/ipv6-hook-forward.xml.i -->
+<node name="forward">
+  <properties>
+    <help>IPv6 forward firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>IPv6 firewall forward filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>IPv6 Firewall forward filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/action-forward.xml.i>
+            #include <include/firewall/common-rule-ipv6.xml.i>
+            #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/match-ipsec.xml.i>
+            #include <include/firewall/offload-target.xml.i>
+            #include <include/firewall/outbound-interface.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
new file mode 100644
index 0000000..154b102
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/ipv6-hook-input.xml.i -->
+<node name="input">
+  <properties>
+    <help>IPv6 input firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>IPv6 firewall input filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>IPv6 Firewall input filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-ipv6.xml.i>
+            #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/match-ipsec-in.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
new file mode 100644
index 0000000..d3c4c1e
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
@@ -0,0 +1,65 @@
+<!-- include start from firewall/ipv6-hook-output.xml.i -->
+<node name="output">
+  <properties>
+    <help>IPv6 output firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>IPv6 firewall output filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>IPv6 Firewall output filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-ipv6.xml.i>
+            #include <include/firewall/match-ipsec-out.xml.i>
+            #include <include/firewall/outbound-interface.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+        <node name="raw">
+      <properties>
+        <help>IPv6 firewall output raw</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>IPv6 Firewall output raw rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-ipv6-raw.xml.i>
+            #include <include/firewall/match-ipsec-out.xml.i>
+            #include <include/firewall/outbound-interface.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i
new file mode 100644
index 0000000..21f8de6
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i
@@ -0,0 +1,52 @@
+<!-- include start from firewall/ipv6-hook-prerouting.xml.i -->
+<node name="prerouting">
+  <properties>
+    <help>IPv6 prerouting firewall</help>
+  </properties>
+  <children>
+    <node name="raw">
+      <properties>
+        <help>IPv6 firewall prerouting raw</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/generic-description.xml.i>
+        <leafNode name="default-jump-target">
+          <properties>
+            <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+            <completionHelp>
+              <path>firewall ipv6 name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <tagNode name="rule">
+          <properties>
+            <help>IPv6 Firewall prerouting raw rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-ipv6-raw.xml.i>
+            #include <include/firewall/match-ipsec-in.xml.i>
+            #include <include/firewall/inbound-interface.xml.i>
+            <leafNode name="jump-target">
+              <properties>
+                <help>Set jump target. Action jump must be defined to use this setting</help>
+                <completionHelp>
+                  <path>firewall ipv6 name</path>
+                </completionHelp>
+              </properties>
+            </leafNode>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/limit.xml.i b/interface-definitions/include/firewall/limit.xml.i
new file mode 100644
index 0000000..21068de
--- /dev/null
+++ b/interface-definitions/include/firewall/limit.xml.i
@@ -0,0 +1,33 @@
+<!-- include start from firewall/limit.xml.i -->
+<node name="limit">
+  <properties>
+    <help>Rate limit using a token bucket filter</help>
+  </properties>
+  <children>
+    <leafNode name="burst">
+      <properties>
+        <help>Maximum number of packets to allow in excess of rate</help>
+        <valueHelp>
+          <format>u32:0-4294967295</format>
+          <description>Maximum number of packets to allow in excess of rate</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967295"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="rate">
+      <properties>
+        <help>Maximum average matching rate</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>integer/unit (Example: 5/minute)</description>
+        </valueHelp>
+        <constraint>
+          <regex>\d+/(second|minute|hour|day)</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/log-options.xml.i b/interface-definitions/include/firewall/log-options.xml.i
new file mode 100644
index 0000000..e8b0cde
--- /dev/null
+++ b/interface-definitions/include/firewall/log-options.xml.i
@@ -0,0 +1,89 @@
+<!-- include start from firewall/rule-log-options.xml.i -->
+<node name="log-options">
+   <properties>
+    <help>Log options</help>
+  </properties>
+  <children>
+    <leafNode name="group">
+      <properties>
+        <help>Set log group</help>
+        <valueHelp>
+          <format>u32:0-65535</format>
+          <description>Log group to send messages to</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-65535"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="snapshot-length">
+      <properties>
+        <help>Length of packet payload to include in netlink message</help>
+        <valueHelp>
+          <format>u32:0-9000</format>
+          <description>Length of packet payload to include in netlink message</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-9000"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="queue-threshold">
+      <properties>
+        <help>Number of packets to queue inside the kernel before sending them to userspace</help>
+        <valueHelp>
+          <format>u32:0-65535</format>
+          <description>Number of packets to queue inside the kernel before sending them to userspace</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-65535"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="level">
+      <properties>
+        <help>Set log-level</help>
+        <completionHelp>
+          <list>emerg alert crit err warn notice info debug</list>
+        </completionHelp>
+        <valueHelp>
+          <format>emerg</format>
+          <description>Emerg log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>alert</format>
+          <description>Alert log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>crit</format>
+          <description>Critical log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>err</format>
+          <description>Error log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>warn</format>
+          <description>Warning log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>notice</format>
+          <description>Notice log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>info</format>
+          <description>Info log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>debug</format>
+          <description>Debug log level</description>
+        </valueHelp>
+        <constraint>
+          <regex>(emerg|alert|crit|err|warn|notice|info|debug)</regex>
+        </constraint>
+        <constraintErrorMessage>level must be alert, crit, debug, emerg, err, info, notice or warn</constraintErrorMessage>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i
new file mode 100644
index 0000000..21548f3
--- /dev/null
+++ b/interface-definitions/include/firewall/log.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from firewall/log.xml.i -->
+<leafNode name="log">
+  <properties>
+    <help>Log packets hitting this rule</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/lt.xml.i b/interface-definitions/include/firewall/lt.xml.i
new file mode 100644
index 0000000..77894d3
--- /dev/null
+++ b/interface-definitions/include/firewall/lt.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/lt.xml.i -->
+<leafNode name="lt">
+  <properties>
+    <help>Match on less then value</help>
+    <valueHelp>
+      <format>u32:0-255</format>
+      <description>Less then value</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 0-255"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/mac-address.xml.i b/interface-definitions/include/firewall/mac-address.xml.i
new file mode 100644
index 0000000..db3e1e3
--- /dev/null
+++ b/interface-definitions/include/firewall/mac-address.xml.i
@@ -0,0 +1,19 @@
+<!-- include start from firewall/mac-address.xml.i -->
+<leafNode name="mac-address">
+  <properties>
+    <help>MAC address</help>
+    <valueHelp>
+      <format>macaddr</format>
+      <description>MAC address to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!macaddr</format>
+      <description>Match everything except the specified MAC address</description>
+    </valueHelp>
+    <constraint>
+      <validator name="mac-address"/>
+      <validator name="mac-address-exclude"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/mac-group.xml.i b/interface-definitions/include/firewall/mac-group.xml.i
new file mode 100644
index 0000000..dbce3fc
--- /dev/null
+++ b/interface-definitions/include/firewall/mac-group.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from firewall/mac-group.xml.i -->
+<leafNode name="mac-group">
+  <properties>
+    <help>Group of MAC addresses</help>
+    <completionHelp>
+      <path>firewall group mac-group</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<!-- include start from firewall/mac-group.xml.i -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/match-ether-type.xml.i b/interface-definitions/include/firewall/match-ether-type.xml.i
new file mode 100644
index 0000000..abfa903
--- /dev/null
+++ b/interface-definitions/include/firewall/match-ether-type.xml.i
@@ -0,0 +1,30 @@
+<!-- include start from firewall/match-ether-type.xml.i -->
+<leafNode name="ethernet-type">
+  <properties>
+    <help>Ethernet type</help>
+    <completionHelp>
+      <list>802.1q 802.1ad arp ipv4 ipv6</list>
+    </completionHelp>
+    <valueHelp>
+      <format>802.1q</format>
+      <description>Customer VLAN tag type</description>
+    </valueHelp>
+    <valueHelp>
+      <format>802.1ad</format>
+      <description>Service VLAN tag type</description>
+    </valueHelp>
+    <valueHelp>
+      <format>arp</format>
+      <description>Adress Resolution Protocol</description>
+    </valueHelp>
+    <valueHelp>
+      <format>_ipv4</format>
+      <description>Internet Protocol version 4</description>
+    </valueHelp>
+    <valueHelp>
+      <format>_ipv6</format>
+      <description>Internet Protocol version 6</description>
+    </valueHelp>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i
new file mode 100644
index 0000000..f25686e
--- /dev/null
+++ b/interface-definitions/include/firewall/match-interface.xml.i
@@ -0,0 +1,43 @@
+<!-- include start from firewall/match-interface.xml.i -->
+<leafNode name="name">
+  <properties>
+    <help>Match interface</help>
+    <completionHelp>
+      <script>${vyos_completion_dir}/list_interfaces</script>
+      <path>vrf name</path>
+    </completionHelp>
+    <valueHelp>
+      <format>txt</format>
+      <description>Interface name</description>
+    </valueHelp>
+    <valueHelp>
+      <format>txt*</format>
+      <description>Interface name with wildcard</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!txt</format>
+      <description>Inverted interface name to match</description>
+    </valueHelp>
+    <constraint>
+      <regex>(\!?)(bond|br|dum|en|ersp|eth|gnv|ifb|ipoe|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|(\!?)lo</regex>
+      <validator name="vrf-name"/>
+    </constraint>
+  </properties>
+</leafNode>
+<leafNode name="group">
+  <properties>
+    <help>Match interface-group</help>
+    <completionHelp>
+      <path>firewall group interface-group</path>
+    </completionHelp>
+    <valueHelp>
+      <format>txt</format>
+      <description>Interface-group name to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!txt</format>
+      <description>Inverted interface-group name to match</description>
+    </valueHelp>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/match-ipsec-in.xml.i b/interface-definitions/include/firewall/match-ipsec-in.xml.i
new file mode 100644
index 0000000..62ed646
--- /dev/null
+++ b/interface-definitions/include/firewall/match-ipsec-in.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from firewall/match-ipsec-in.xml.i -->
+<node name="ipsec">
+  <properties>
+    <help>Inbound IPsec packets</help>
+  </properties>
+  <children>
+    <leafNode name="match-ipsec-in">
+      <properties>
+        <help>Inbound traffic that was IPsec encapsulated</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-none-in">
+      <properties>
+        <help>Inbound traffic that was not IPsec encapsulated</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/match-ipsec-out.xml.i b/interface-definitions/include/firewall/match-ipsec-out.xml.i
new file mode 100644
index 0000000..880fdd4
--- /dev/null
+++ b/interface-definitions/include/firewall/match-ipsec-out.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from firewall/match-ipsec-out.xml.i -->
+<node name="ipsec">
+  <properties>
+    <help>Outbound IPsec packets</help>
+  </properties>
+  <children>
+    <leafNode name="match-ipsec-out">
+      <properties>
+        <help>Outbound traffic to be IPsec encapsulated</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-none-out">
+      <properties>
+        <help>Outbound traffic that will not be IPsec encapsulated</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/match-ipsec.xml.i b/interface-definitions/include/firewall/match-ipsec.xml.i
new file mode 100644
index 0000000..d8d31ef
--- /dev/null
+++ b/interface-definitions/include/firewall/match-ipsec.xml.i
@@ -0,0 +1,33 @@
+<!-- include start from firewall/match-ipsec.xml.i -->
+<node name="ipsec">
+  <properties>
+    <help>IPsec encapsulated packets</help>
+  </properties>
+  <children>
+    <leafNode name="match-ipsec-in">
+      <properties>
+        <help>Inbound traffic that was IPsec encapsulated</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-none-in">
+      <properties>
+        <help>Inbound traffic that was not IPsec encapsulated</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-ipsec-out">
+      <properties>
+        <help>Outbound traffic to be IPsec encapsulated</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-none-out">
+      <properties>
+        <help>Outbound traffic that will not be IPsec encapsulated</help>
+        <valueless/>
+      </properties>
+    </leafNode>    
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/match-vlan.xml.i b/interface-definitions/include/firewall/match-vlan.xml.i
new file mode 100644
index 0000000..d58e843
--- /dev/null
+++ b/interface-definitions/include/firewall/match-vlan.xml.i
@@ -0,0 +1,42 @@
+<!-- include start from firewall/match-vlan.xml.i -->
+<node name="vlan">
+  <properties>
+    <help>VLAN parameters</help>
+  </properties>
+  <children>
+    <leafNode name="id">
+      <properties>
+        <help>Vlan id</help>
+        <valueHelp>
+          <format>u32:0-4096</format>
+          <description>Vlan id</description>
+        </valueHelp>
+        <valueHelp>
+          <format>&lt;start-end&gt;</format>
+          <description>Vlan id range to match</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 0-4095"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="priority">
+      <properties>
+        <help>Vlan priority(pcp)</help>
+        <valueHelp>
+          <format>u32:0-7</format>
+          <description>Vlan priority</description>
+        </valueHelp>
+        <valueHelp>
+          <format>&lt;start-end&gt;</format>
+          <description>Vlan priority range to match</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 0-7"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    #include <include/firewall/match-ether-type.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/name.xml.i b/interface-definitions/include/firewall/name.xml.i
new file mode 100644
index 0000000..231b9b1
--- /dev/null
+++ b/interface-definitions/include/firewall/name.xml.i
@@ -0,0 +1,18 @@
+<!-- include start from firewall/name.xml.i -->
+<leafNode name="name">
+  <properties>
+    <help>Local IPv4 firewall ruleset name for interface</help>
+    <completionHelp>
+      <path>firewall name</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<leafNode name="ipv6-name">
+  <properties>
+    <help>Local IPv6 firewall ruleset name for interface</help>
+    <completionHelp>
+      <path>firewall ipv6-name</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<!-- include end from firewall/name.xml.i -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/nat-balance.xml.i b/interface-definitions/include/firewall/nat-balance.xml.i
new file mode 100644
index 0000000..01793f0
--- /dev/null
+++ b/interface-definitions/include/firewall/nat-balance.xml.i
@@ -0,0 +1,28 @@
+<!-- include start from firewall/nat-balance.xml.i -->
+<tagNode name="backend">
+  <properties>
+    <help>Translated IP address</help>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IPv4 address to match</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv4-address"/>
+    </constraint>
+  </properties>
+  <children>
+    <leafNode name="weight">
+      <properties>
+        <help>Set probability for this output value</help>
+        <valueHelp>
+          <format>u32:1-100</format>
+          <description>Set probability for this output value</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 1-100"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</tagNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/nft-queue.xml.i b/interface-definitions/include/firewall/nft-queue.xml.i
new file mode 100644
index 0000000..8799eac
--- /dev/null
+++ b/interface-definitions/include/firewall/nft-queue.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/nft-queue.xml.i -->
+<leafNode name="queue">
+  <properties>
+    <help>Queue target to use. Action queue must be defined to use this setting</help>
+    <valueHelp>
+      <format>u32:0-65535</format>
+      <description>Queue target</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--allow-range --range 0-65535"/>
+    </constraint>
+  </properties>
+</leafNode>
+<leafNode name="queue-options">
+  <properties>
+    <help>Options used for queue target. Action queue must be defined to use this setting</help>
+    <completionHelp>
+      <list>bypass fanout</list>
+    </completionHelp>
+    <valueHelp>
+      <format>bypass</format>
+      <description>Let packets go through if userspace application cannot back off</description>
+    </valueHelp>
+    <valueHelp>
+      <format>fanout</format>
+      <description>Distribute packets between several queues</description>
+    </valueHelp>
+    <constraint>
+      <regex>(bypass|fanout)</regex>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/offload-target.xml.i b/interface-definitions/include/firewall/offload-target.xml.i
new file mode 100644
index 0000000..940ed80
--- /dev/null
+++ b/interface-definitions/include/firewall/offload-target.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from firewall/offload-target.xml.i -->
+<leafNode name="offload-target">
+  <properties>
+    <help>Set flowtable offload target. Action offload must be defined to use this setting</help>
+    <completionHelp>
+      <path>firewall flowtable</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/outbound-interface-no-group.xml.i b/interface-definitions/include/firewall/outbound-interface-no-group.xml.i
new file mode 100644
index 0000000..e3bace4
--- /dev/null
+++ b/interface-definitions/include/firewall/outbound-interface-no-group.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/outbound-interface-no-group.xml.i -->
+<node name="outbound-interface">
+  <properties>
+    <help>Match outbound-interface</help>
+  </properties>
+  <children>
+    <leafNode name="name">
+      <properties>
+        <help>Match interface</help>
+        <completionHelp>
+          <script>${vyos_completion_dir}/list_interfaces</script>
+          <path>vrf name</path>
+        </completionHelp>
+        <valueHelp>
+          <format>txt</format>
+          <description>Interface name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>txt*</format>
+          <description>Interface name with wildcard</description>
+        </valueHelp>
+        <valueHelp>
+          <format>!txt</format>
+          <description>Inverted interface name to match</description>
+        </valueHelp>
+        <constraint>
+          <regex>(\!?)(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|(\!?)lo</regex>
+          <validator name="vrf-name"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/outbound-interface.xml.i b/interface-definitions/include/firewall/outbound-interface.xml.i
new file mode 100644
index 0000000..8654dfd
--- /dev/null
+++ b/interface-definitions/include/firewall/outbound-interface.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from firewall/outbound-interface.xml.i -->
+<node name="outbound-interface">
+  <properties>
+    <help>Match outbound-interface</help>
+  </properties>
+  <children>
+    #include <include/firewall/match-interface.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/packet-options.xml.i b/interface-definitions/include/firewall/packet-options.xml.i
new file mode 100644
index 0000000..cd94e69
--- /dev/null
+++ b/interface-definitions/include/firewall/packet-options.xml.i
@@ -0,0 +1,63 @@
+<!-- include start from firewall/packet-options.xml.i -->
+<leafNode name="packet-length">
+  <properties>
+    <help>Payload size in bytes, including header and data to match</help>
+    <valueHelp>
+      <format>u32:1-65535</format>
+      <description>Packet length to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;start-end&gt;</format>
+      <description>Packet length range to match</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--allow-range --range 1-65535"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<leafNode name="packet-length-exclude">
+  <properties>
+    <help>Payload size in bytes, including header and data not to match</help>
+    <valueHelp>
+      <format>u32:1-65535</format>
+      <description>Packet length not to match</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;start-end&gt;</format>
+      <description>Packet length range not to match</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--allow-range --range 1-65535"/>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<leafNode name="packet-type">
+  <properties>
+    <help>Packet type</help>
+    <completionHelp>
+      <list>broadcast host multicast other</list>
+    </completionHelp>
+    <valueHelp>
+      <format>broadcast</format>
+      <description>Match broadcast packet type</description>
+    </valueHelp>
+    <valueHelp>
+      <format>host</format>
+      <description>Match host packet type, addressed to local host</description>
+    </valueHelp>
+    <valueHelp>
+      <format>multicast</format>
+      <description>Match multicast packet type</description>
+    </valueHelp>
+    <valueHelp>
+      <format>other</format>
+      <description>Match packet addressed to another host</description>
+    </valueHelp>
+    <constraint>
+      <regex>(broadcast|host|multicast|other)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i
new file mode 100644
index 0000000..3bacaff
--- /dev/null
+++ b/interface-definitions/include/firewall/port.xml.i
@@ -0,0 +1,26 @@
+<!-- include start from firewall/port.xml.i -->
+<leafNode name="port">
+  <properties>
+    <help>Port</help>
+    <valueHelp>
+      <format>txt</format>
+      <description>Named port (any name in /etc/services, e.g., http)</description>
+    </valueHelp>
+    <valueHelp>
+      <format>u32:1-65535</format>
+      <description>Numbered port</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;start-end&gt;</format>
+      <description>Numbered port range (e.g. 1001-1005)</description>
+    </valueHelp>
+    <valueHelp>
+      <format> </format>
+      <description>\n\n  Multiple destination ports can be specified as a comma-separated list.\n  For example: 'telnet,http,123,1001-1005'</description>
+    </valueHelp>
+    <constraint>
+      <validator name="port-multi"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/protocol.xml.i b/interface-definitions/include/firewall/protocol.xml.i
new file mode 100644
index 0000000..e391cae
--- /dev/null
+++ b/interface-definitions/include/firewall/protocol.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/protocol.xml.i -->
+<leafNode name="protocol">
+  <properties>
+    <help>Protocol to match (protocol name, number, or "all")</help>
+    <completionHelp>
+      <script>${vyos_completion_dir}/list_protocols.sh</script>
+      <list>all tcp_udp</list>
+    </completionHelp>
+    <valueHelp>
+      <format>all</format>
+      <description>All IP protocols</description>
+    </valueHelp>
+    <valueHelp>
+      <format>tcp_udp</format>
+      <description>Both TCP and UDP</description>
+    </valueHelp>
+    <valueHelp>
+      <format>u32:0-255</format>
+      <description>IP protocol number</description>
+    </valueHelp>
+    <valueHelp>
+      <format>&lt;protocol&gt;</format>
+      <description>IP protocol name</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!&lt;protocol&gt;</format>
+      <description>IP protocol name</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ip-protocol"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/recent.xml.i b/interface-definitions/include/firewall/recent.xml.i
new file mode 100644
index 0000000..38f40b9
--- /dev/null
+++ b/interface-definitions/include/firewall/recent.xml.i
@@ -0,0 +1,44 @@
+<!-- include start from firewall/recent.xml.i -->
+<node name="recent">
+  <properties>
+    <help>Parameters for matching recently seen sources</help>
+  </properties>
+  <children>
+    <leafNode name="count">
+      <properties>
+        <help>Source addresses seen more than N times</help>
+        <valueHelp>
+          <format>u32:1-255</format>
+          <description>Source addresses seen more than N times</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="time">
+      <properties>
+        <help>Source addresses seen in the last second/minute/hour</help>
+        <completionHelp>
+          <list>second minute hour</list>
+        </completionHelp>
+        <valueHelp>
+          <format>second</format>
+          <description>Source addresses seen COUNT times in the last second</description>
+        </valueHelp>
+        <valueHelp>
+          <format>minute</format>
+          <description>Source addresses seen COUNT times in the last minute</description>
+        </valueHelp>
+        <valueHelp>
+          <format>hour</format>
+          <description>Source addresses seen COUNT times in the last hour</description>
+        </valueHelp>
+        <constraint>
+          <regex>(second|minute|hour)</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/rule-log-level.xml.i b/interface-definitions/include/firewall/rule-log-level.xml.i
new file mode 100644
index 0000000..3ac4738
--- /dev/null
+++ b/interface-definitions/include/firewall/rule-log-level.xml.i
@@ -0,0 +1,45 @@
+<!-- include start from firewall/rule-log-level.xml.i -->
+<leafNode name="log-level">
+  <properties>
+    <help>Set log-level. Log must be enable.</help>
+    <completionHelp>
+      <list>emerg alert crit err warn notice info debug</list>
+    </completionHelp>
+    <valueHelp>
+      <format>emerg</format>
+      <description>Emerg log level</description>
+    </valueHelp>
+    <valueHelp>
+      <format>alert</format>
+      <description>Alert log level</description>
+    </valueHelp>
+    <valueHelp>
+      <format>crit</format>
+      <description>Critical log level</description>
+    </valueHelp>
+    <valueHelp>
+      <format>err</format>
+      <description>Error log level</description>
+    </valueHelp>
+    <valueHelp>
+      <format>warn</format>
+      <description>Warning log level</description>
+    </valueHelp>
+    <valueHelp>
+      <format>notice</format>
+      <description>Notice log level</description>
+    </valueHelp>
+    <valueHelp>
+      <format>info</format>
+      <description>Info log level</description>
+    </valueHelp>
+    <valueHelp>
+      <format>debug</format>
+      <description>Debug log level</description>
+    </valueHelp>
+    <constraint>
+      <regex>(emerg|alert|crit|err|warn|notice|info|debug)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/set-packet-modifications.xml.i b/interface-definitions/include/firewall/set-packet-modifications.xml.i
new file mode 100644
index 0000000..ee019b6
--- /dev/null
+++ b/interface-definitions/include/firewall/set-packet-modifications.xml.i
@@ -0,0 +1,96 @@
+<!-- include start from firewall/set-packet-modifications.xml.i -->
+<node name="set">
+  <properties>
+    <help>Packet modifications</help>
+  </properties>
+  <children>
+    <leafNode name="connection-mark">
+      <properties>
+        <help>Set connection mark</help>
+        <valueHelp>
+          <format>u32:0-2147483647</format>
+          <description>Connection mark</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-2147483647"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="dscp">
+      <properties>
+        <help>Set DSCP (Packet Differentiated Services Codepoint) bits</help>
+        <valueHelp>
+          <format>u32:0-63</format>
+          <description>DSCP number</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-63"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="mark">
+      <properties>
+        <help>Set packet mark</help>
+        <valueHelp>
+          <format>u32:1-2147483647</format>
+          <description>Packet mark</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-2147483647"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="table">
+      <properties>
+        <help>Set the routing table for matched packets</help>
+        <valueHelp>
+          <format>u32:1-200</format>
+          <description>Table number</description>
+        </valueHelp>
+        <valueHelp>
+          <format>main</format>
+          <description>Main table</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-200"/>
+          <regex>(main)</regex>
+        </constraint>
+        <completionHelp>
+          <list>main</list>
+          <path>protocols static table</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="vrf">
+      <properties>
+        <help>VRF to forward packet with</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>VRF instance name</description>
+        </valueHelp>
+        <valueHelp>
+          <format>default</format>
+          <description>Forward into default global VRF</description>
+        </valueHelp>
+        <completionHelp>
+          <list>default</list>
+          <path>vrf name</path>
+        </completionHelp>
+        #include <include/constraint/vrf.xml.i>
+      </properties>
+    </leafNode>
+    <leafNode name="tcp-mss">
+      <properties>
+        <help>Set TCP Maximum Segment Size</help>
+        <valueHelp>
+          <format>u32:500-1460</format>
+          <description>Explicitly set TCP MSS value</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 500-1460"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i
new file mode 100644
index 0000000..845f8fe
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i
@@ -0,0 +1,17 @@
+<!-- include start from firewall/source-destination-dynamic-group-ipv6.xml.i -->
+<node name="group">
+  <properties>
+    <help>Group</help>
+  </properties>
+  <children>
+    <leafNode name="dynamic-address-group">
+      <properties>
+        <help>Group of dynamic ipv6 addresses</help>
+        <completionHelp>
+          <path>firewall group dynamic-group ipv6-address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/source-destination-dynamic-group.xml.i b/interface-definitions/include/firewall/source-destination-dynamic-group.xml.i
new file mode 100644
index 0000000..29ab98c
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-dynamic-group.xml.i
@@ -0,0 +1,17 @@
+<!-- include start from firewall/source-destination-dynamic-group.xml.i -->
+<node name="group">
+  <properties>
+    <help>Group</help>
+  </properties>
+  <children>
+    <leafNode name="dynamic-address-group">
+      <properties>
+        <help>Group of dynamic addresses</help>
+        <completionHelp>
+          <path>firewall group dynamic-group address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/source-destination-group-inet.xml.i b/interface-definitions/include/firewall/source-destination-group-inet.xml.i
new file mode 100644
index 0000000..1740516
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-group-inet.xml.i
@@ -0,0 +1,50 @@
+<!-- include start from firewall/source-destination-group-inet.xml.i -->
+<node name="group">
+  <properties>
+    <help>Group</help>
+  </properties>
+  <children>
+    <leafNode name="ipv4-address-group">
+      <properties>
+        <help>Group of IPv4 addresses</help>
+        <completionHelp>
+          <path>firewall group address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="ipv6-address-group">
+      <properties>
+        <help>Group of IPv6 addresses</help>
+        <completionHelp>
+          <path>firewall group ipv6-address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    #include <include/firewall/mac-group.xml.i>
+    <leafNode name="ipv4-network-group">
+      <properties>
+        <help>Group of IPv4 networks</help>
+        <completionHelp>
+          <path>firewall group network-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="ipv6-network-group">
+      <properties>
+        <help>Group of IPv6 networks</help>
+        <completionHelp>
+          <path>firewall group ipv6-network-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="port-group">
+      <properties>
+        <help>Group of ports</help>
+        <completionHelp>
+          <path>firewall group port-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i
new file mode 100644
index 0000000..8c34fb9
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/source-destination-group-ipv4.xml.i -->
+<node name="group">
+  <properties>
+    <help>Group</help>
+  </properties>
+  <children>
+    <leafNode name="address-group">
+      <properties>
+        <help>Group of addresses</help>
+        <completionHelp>
+          <path>firewall group address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="domain-group">
+      <properties>
+        <help>Group of domains</help>
+        <completionHelp>
+          <path>firewall group domain-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="network-group">
+      <properties>
+        <help>Group of networks</help>
+        <completionHelp>
+          <path>firewall group network-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="port-group">
+      <properties>
+        <help>Group of ports</help>
+        <completionHelp>
+          <path>firewall group port-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
new file mode 100644
index 0000000..2a42d23
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
@@ -0,0 +1,42 @@
+<!-- include start from firewall/source-destination-group-ipv6.xml.i -->
+<node name="group">
+  <properties>
+    <help>Group</help>
+  </properties>
+  <children>
+    <leafNode name="address-group">
+      <properties>
+        <help>Group of addresses</help>
+        <completionHelp>
+          <path>firewall group ipv6-address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="domain-group">
+      <properties>
+        <help>Group of domains</help>
+        <completionHelp>
+          <path>firewall group domain-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    #include <include/firewall/mac-group.xml.i>
+    <leafNode name="network-group">
+      <properties>
+        <help>Group of networks</help>
+        <completionHelp>
+          <path>firewall group ipv6-network-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="port-group">
+      <properties>
+        <help>Group of ports</help>
+        <completionHelp>
+          <path>firewall group port-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i
new file mode 100644
index 0000000..6ebee35
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-group.xml.i
@@ -0,0 +1,42 @@
+<!-- include start from firewall/source-destination-group.xml.i -->
+<node name="group">
+  <properties>
+    <help>Group</help>
+  </properties>
+  <children>
+    <leafNode name="address-group">
+      <properties>
+        <help>Group of addresses</help>
+        <completionHelp>
+          <path>firewall group address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="domain-group">
+      <properties>
+        <help>Group of domains</help>
+        <completionHelp>
+          <path>firewall group domain-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    #include <include/firewall/mac-group.xml.i>
+    <leafNode name="network-group">
+      <properties>
+        <help>Group of networks</help>
+        <completionHelp>
+          <path>firewall group network-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="port-group">
+      <properties>
+        <help>Group of ports</help>
+        <completionHelp>
+          <path>firewall group port-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/state.xml.i b/interface-definitions/include/firewall/state.xml.i
new file mode 100644
index 0000000..dee9722
--- /dev/null
+++ b/interface-definitions/include/firewall/state.xml.i
@@ -0,0 +1,30 @@
+<!-- include start from firewall/state.xml.i -->
+<leafNode name="state">
+  <properties>
+    <help>Session state</help>
+    <completionHelp>
+      <list>established invalid new related</list>
+    </completionHelp>
+    <valueHelp>
+      <format>established</format>
+      <description>Established state</description>
+    </valueHelp>
+    <valueHelp>
+      <format>invalid</format>
+      <description>Invalid state</description>
+    </valueHelp>
+    <valueHelp>
+      <format>new</format>
+      <description>New state</description>
+    </valueHelp>
+    <valueHelp>
+      <format>related</format>
+      <description>Related state</description>
+    </valueHelp>
+    <constraint>
+      <regex>(established|invalid|new|related)</regex>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/synproxy.xml.i b/interface-definitions/include/firewall/synproxy.xml.i
new file mode 100644
index 0000000..a65126e
--- /dev/null
+++ b/interface-definitions/include/firewall/synproxy.xml.i
@@ -0,0 +1,40 @@
+<!-- include start from firewall/synproxy.xml.i -->
+<node name="synproxy">
+  <properties>
+    <help>Synproxy options</help>
+  </properties>
+  <children>
+    <node name="tcp">
+      <properties>
+        <help>TCP synproxy options</help>
+      </properties>
+      <children>
+        <leafNode name="mss">
+          <properties>
+            <help>TCP Maximum segment size</help>
+            <valueHelp>
+              <format>u32:501-65535</format>
+              <description>Maximum segment size for synproxy connections</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 501-65535"/>
+            </constraint>
+          </properties>
+        </leafNode>
+        <leafNode name="window-scale">
+          <properties>
+            <help>TCP window scale for synproxy connections</help>
+            <valueHelp>
+              <format>u32:1-14</format>
+              <description>TCP window scale</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-14"/>
+            </constraint>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i
new file mode 100644
index 0000000..36546c2
--- /dev/null
+++ b/interface-definitions/include/firewall/tcp-flags.xml.i
@@ -0,0 +1,119 @@
+<!-- include start from firewall/tcp-flags.xml.i -->
+<node name="tcp">
+  <properties>
+    <help>TCP options to match</help>
+  </properties>
+  <children>
+    <node name="flags">
+      <properties>
+        <help>TCP flags to match</help>
+      </properties>
+      <children>
+        <leafNode name="syn">
+          <properties>
+            <help>Synchronise flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="ack">
+          <properties>
+            <help>Acknowledge flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="fin">
+          <properties>
+            <help>Finish flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="rst">
+          <properties>
+            <help>Reset flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="urg">
+          <properties>
+            <help>Urgent flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="psh">
+          <properties>
+            <help>Push flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="ecn">
+          <properties>
+            <help>Explicit Congestion Notification flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="cwr">
+          <properties>
+            <help>Congestion Window Reduced flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <node name="not">
+          <properties>
+            <help>Match flags not set</help>
+          </properties>
+          <children>
+            <leafNode name="syn">
+              <properties>
+                <help>Synchronise flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="ack">
+              <properties>
+                <help>Acknowledge flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="fin">
+              <properties>
+                <help>Finish flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="rst">
+              <properties>
+                <help>Reset flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="urg">
+              <properties>
+                <help>Urgent flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="psh">
+              <properties>
+                <help>Push flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="ecn">
+              <properties>
+                <help>Explicit Congestion Notification flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="cwr">
+              <properties>
+                <help>Congestion Window Reduced flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/tcp-mss.xml.i b/interface-definitions/include/firewall/tcp-mss.xml.i
new file mode 100644
index 0000000..dc49b42
--- /dev/null
+++ b/interface-definitions/include/firewall/tcp-mss.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/tcp-mss.xml.i -->
+<node name="tcp">
+  <properties>
+    <help>TCP options to match</help>
+  </properties>
+  <children>
+    <leafNode name="mss">
+      <properties>
+        <help>Maximum segment size (MSS)</help>
+        <valueHelp>
+          <format>u32:1-16384</format>
+          <description>Maximum segment size</description>
+        </valueHelp>
+        <valueHelp>
+          <format>&lt;min&gt;-&lt;max&gt;</format>
+          <description>TCP MSS range (use '-' as delimiter)</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 1-16384"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/time.xml.i b/interface-definitions/include/firewall/time.xml.i
new file mode 100644
index 0000000..7bd7374
--- /dev/null
+++ b/interface-definitions/include/firewall/time.xml.i
@@ -0,0 +1,70 @@
+<!-- include start from firewall/time.xml.i -->
+<node name="time">
+  <properties>
+    <help>Time to match rule</help>
+  </properties>
+  <children>
+    <leafNode name="startdate">
+      <properties>
+        <help>Date to start matching rule</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Enter date using following notation - YYYY-MM-DD</description>
+        </valueHelp>
+        <constraint>
+          <regex>(\d{4}\-\d{2}\-\d{2})</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="starttime">
+      <properties>
+        <help>Time of day to start matching rule</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+        </valueHelp>
+        <constraint>
+          <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="stopdate">
+      <properties>
+        <help>Date to stop matching rule</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Enter date using following notation - YYYY-MM-DD</description>
+        </valueHelp>
+        <constraint>
+          <regex>(\d{4}\-\d{2}\-\d{2})</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="stoptime">
+      <properties>
+        <help>Time of day to stop matching rule</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+        </valueHelp>
+        <constraint>
+          <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="weekdays">
+      <properties>
+        <help>Comma separated weekdays to match rule on</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
+        </valueHelp>
+        <valueHelp>
+          <format>u32:0-6</format>
+          <description>Day number (0 = Sunday ... 6 = Saturday)</description>
+        </valueHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/timeout-common-protocols.xml.i b/interface-definitions/include/firewall/timeout-common-protocols.xml.i
new file mode 100644
index 0000000..037d7d2
--- /dev/null
+++ b/interface-definitions/include/firewall/timeout-common-protocols.xml.i
@@ -0,0 +1,171 @@
+<!-- include start from firewall/timeout-common-protocols.xml.i -->
+<leafNode name="icmp">
+  <properties>
+    <help>ICMP timeout in seconds</help>
+    <valueHelp>
+      <format>u32:1-21474836</format>
+      <description>ICMP timeout in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-21474836"/>
+    </constraint>
+  </properties>
+  <defaultValue>30</defaultValue>
+</leafNode>
+<leafNode name="other">
+  <properties>
+    <help>Generic connection timeout in seconds</help>
+    <valueHelp>
+      <format>u32:1-21474836</format>
+      <description>Generic connection timeout in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-21474836"/>
+    </constraint>
+  </properties>
+  <defaultValue>600</defaultValue>
+</leafNode>
+<node name="tcp">
+  <properties>
+    <help>TCP connection timeout options</help>
+  </properties>
+  <children>
+    <leafNode name="close-wait">
+      <properties>
+        <help>TCP CLOSE-WAIT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP CLOSE-WAIT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>60</defaultValue>
+    </leafNode>
+    <leafNode name="close">
+      <properties>
+        <help>TCP CLOSE timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP CLOSE timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>10</defaultValue>
+    </leafNode>
+    <leafNode name="established">
+      <properties>
+        <help>TCP ESTABLISHED timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP ESTABLISHED timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>432000</defaultValue>
+    </leafNode>
+    <leafNode name="fin-wait">
+      <properties>
+        <help>TCP FIN-WAIT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP FIN-WAIT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>120</defaultValue>
+    </leafNode>
+    <leafNode name="last-ack">
+      <properties>
+        <help>TCP LAST-ACK timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP LAST-ACK timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>30</defaultValue>
+    </leafNode>
+    <leafNode name="syn-recv">
+      <properties>
+        <help>TCP SYN-RECEIVED timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP SYN-RECEIVED timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>60</defaultValue>
+    </leafNode>
+    <leafNode name="syn-sent">
+      <properties>
+        <help>TCP SYN-SENT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP SYN-SENT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>120</defaultValue>
+    </leafNode>
+    <leafNode name="time-wait">
+      <properties>
+        <help>TCP TIME-WAIT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP TIME-WAIT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>120</defaultValue>
+    </leafNode>
+  </children>
+</node>
+<node name="udp">
+  <properties>
+    <help>UDP timeout options</help>
+  </properties>
+  <children>
+    <leafNode name="other">
+      <properties>
+        <help>UDP generic timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>UDP generic timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>30</defaultValue>
+    </leafNode>
+    <leafNode name="stream">
+      <properties>
+        <help>UDP stream timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>UDP stream timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>180</defaultValue>
+    </leafNode>
+  </children>
+</node>
diff --git a/interface-definitions/include/firewall/ttl.xml.i b/interface-definitions/include/firewall/ttl.xml.i
new file mode 100644
index 0000000..9c782a9
--- /dev/null
+++ b/interface-definitions/include/firewall/ttl.xml.i
@@ -0,0 +1,12 @@
+<!-- include start from firewall/ttl.xml.i -->
+<node name="ttl">
+  <properties>
+    <help>Time to live limit</help>
+  </properties>
+  <children>
+    #include <include/firewall/eq.xml.i>
+    #include <include/firewall/gt.xml.i>
+    #include <include/firewall/lt.xml.i>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
-- 
cgit v1.2.3