diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index 6f56ecc85..85189d975 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -1,259 +1,240 @@
 <!-- include start from firewall/common-rule-inet.xml.i -->
 #include <include/firewall/action.xml.i>
 #include <include/generic-description.xml.i>
 #include <include/firewall/dscp.xml.i>
 #include <include/firewall/packet-options.xml.i>
 #include <include/firewall/firewall-mark.xml.i>
 #include <include/firewall/connection-mark.xml.i>
 #include <include/firewall/conntrack-helper.xml.i>
 #include <include/firewall/nft-queue.xml.i>
 <leafNode name="disable">
   <properties>
     <help>Option to disable firewall rule</help>
     <valueless/>
   </properties>
 </leafNode>
 <node name="fragment">
   <properties>
     <help>IP fragment match</help>
   </properties>
   <children>
     <leafNode name="match-frag">
       <properties>
         <help>Second and further fragments of fragmented packets</help>
         <valueless/>
       </properties>
     </leafNode>
     <leafNode name="match-non-frag">
       <properties>
         <help>Head fragments or unfragmented packets</help>
         <valueless/>
       </properties>
     </leafNode>
   </children>
 </node>
-<node name="ipsec">
-  <properties>
-    <help>Inbound IPsec packets</help>
-  </properties>
-  <children>
-    <leafNode name="match-ipsec">
-      <properties>
-        <help>Inbound IPsec packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="match-none">
-      <properties>
-        <help>Inbound non-IPsec packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
 <node name="limit">
   <properties>
     <help>Rate limit using a token bucket filter</help>
   </properties>
   <children>
     <leafNode name="burst">
       <properties>
         <help>Maximum number of packets to allow in excess of rate</help>
         <valueHelp>
           <format>u32:0-4294967295</format>
           <description>Maximum number of packets to allow in excess of rate</description>
         </valueHelp>
         <constraint>
           <validator name="numeric" argument="--range 0-4294967295"/>
         </constraint>
       </properties>
     </leafNode>
     <leafNode name="rate">
       <properties>
         <help>Maximum average matching rate</help>
         <valueHelp>
           <format>txt</format>
           <description>integer/unit (Example: 5/minute)</description>
         </valueHelp>
         <constraint>
           <regex>\d+/(second|minute|hour|day)</regex>
         </constraint>
       </properties>
     </leafNode>
   </children>
 </node>
 #include <include/firewall/log.xml.i>
 #include <include/firewall/log-options.xml.i>
 <node name="connection-status">
   <properties>
     <help>Connection status</help>
   </properties>
   <children>
     <leafNode name="nat">
       <properties>
         <help>NAT connection status</help>
         <completionHelp>
           <list>destination source</list>
         </completionHelp>
         <valueHelp>
           <format>destination</format>
           <description>Match connections that are subject to destination NAT</description>
         </valueHelp>
         <valueHelp>
           <format>source</format>
           <description>Match connections that are subject to source NAT</description>
         </valueHelp>
         <constraint>
           <regex>(destination|source)</regex>
         </constraint>
       </properties>
     </leafNode>
   </children>
 </node>
 <leafNode name="protocol">
   <properties>
     <help>Protocol to match (protocol name, number, or "all")</help>
     <completionHelp>
       <script>${vyos_completion_dir}/list_protocols.sh</script>
       <list>all tcp_udp</list>
     </completionHelp>
     <valueHelp>
       <format>all</format>
       <description>All IP protocols</description>
     </valueHelp>
     <valueHelp>
       <format>tcp_udp</format>
       <description>Both TCP and UDP</description>
     </valueHelp>
     <valueHelp>
       <format>u32:0-255</format>
       <description>IP protocol number</description>
     </valueHelp>
     <valueHelp>
       <format>&lt;protocol&gt;</format>
       <description>IP protocol name</description>
     </valueHelp>
     <valueHelp>
       <format>!&lt;protocol&gt;</format>
       <description>IP protocol name</description>
     </valueHelp>
     <constraint>
       <validator name="ip-protocol"/>
     </constraint>
   </properties>
 </leafNode>
 <node name="recent">
   <properties>
     <help>Parameters for matching recently seen sources</help>
   </properties>
   <children>
     <leafNode name="count">
       <properties>
         <help>Source addresses seen more than N times</help>
         <valueHelp>
           <format>u32:1-255</format>
           <description>Source addresses seen more than N times</description>
         </valueHelp>
         <constraint>
           <validator name="numeric" argument="--range 1-255"/>
         </constraint>
       </properties>
     </leafNode>
     <leafNode name="time">
       <properties>
         <help>Source addresses seen in the last second/minute/hour</help>
         <completionHelp>
           <list>second minute hour</list>
         </completionHelp>
         <valueHelp>
           <format>second</format>
           <description>Source addresses seen COUNT times in the last second</description>
         </valueHelp>
         <valueHelp>
           <format>minute</format>
           <description>Source addresses seen COUNT times in the last minute</description>
         </valueHelp>
         <valueHelp>
           <format>hour</format>
           <description>Source addresses seen COUNT times in the last hour</description>
         </valueHelp>
         <constraint>
           <regex>(second|minute|hour)</regex>
         </constraint>
       </properties>
     </leafNode>
   </children>
 </node>
 #include <include/firewall/synproxy.xml.i>
 #include <include/firewall/state.xml.i>
 #include <include/firewall/tcp-flags.xml.i>
 #include <include/firewall/tcp-mss.xml.i>
 <node name="time">
   <properties>
     <help>Time to match rule</help>
   </properties>
   <children>
     <leafNode name="startdate">
       <properties>
         <help>Date to start matching rule</help>
         <valueHelp>
           <format>txt</format>
           <description>Enter date using following notation - YYYY-MM-DD</description>
         </valueHelp>
         <constraint>
           <regex>(\d{4}\-\d{2}\-\d{2})</regex>
         </constraint>
       </properties>
     </leafNode>
     <leafNode name="starttime">
       <properties>
         <help>Time of day to start matching rule</help>
         <valueHelp>
           <format>txt</format>
           <description>Enter time using using 24 hour notation - hh:mm:ss</description>
         </valueHelp>
         <constraint>
           <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
         </constraint>
       </properties>
     </leafNode>
     <leafNode name="stopdate">
       <properties>
         <help>Date to stop matching rule</help>
         <valueHelp>
           <format>txt</format>
           <description>Enter date using following notation - YYYY-MM-DD</description>
         </valueHelp>
         <constraint>
           <regex>(\d{4}\-\d{2}\-\d{2})</regex>
         </constraint>
       </properties>
     </leafNode>
     <leafNode name="stoptime">
       <properties>
         <help>Time of day to stop matching rule</help>
         <valueHelp>
           <format>txt</format>
           <description>Enter time using using 24 hour notation - hh:mm:ss</description>
         </valueHelp>
         <constraint>
           <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
         </constraint>
       </properties>
     </leafNode>
     <leafNode name="weekdays">
       <properties>
         <help>Comma separated weekdays to match rule on</help>
         <valueHelp>
           <format>txt</format>
           <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
         </valueHelp>
         <valueHelp>
           <format>u32:0-6</format>
           <description>Day number (0 = Sunday ... 6 = Saturday)</description>
         </valueHelp>
       </properties>
     </leafNode>
   </children>
 </node>
 <!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
index 8199d15fe..8046b2d6c 100644
--- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i
+++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
@@ -1,42 +1,43 @@
 <!-- include start from firewall/ipv4-custom-name.xml.i -->
 <tagNode name="name">
   <properties>
     <help>IPv4 custom firewall</help>
     <constraint>
       <regex>[a-zA-Z0-9][\w\-\.]*</regex>
     </constraint>
   </properties>
   <children>
     #include <include/firewall/default-action.xml.i>
     #include <include/firewall/default-log.xml.i>
     #include <include/generic-description.xml.i>
     <leafNode name="default-jump-target">
       <properties>
         <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
         <completionHelp>
           <path>firewall ipv4 name</path>
         </completionHelp>
       </properties>
     </leafNode>
     <tagNode name="rule">
       <properties>
         <help>IPv4 Firewall custom rule number</help>
         <valueHelp>
           <format>u32:1-999999</format>
           <description>Number for this firewall rule</description>
         </valueHelp>
         <constraint>
           <validator name="numeric" argument="--range 1-999999"/>
         </constraint>
         <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
       </properties>
       <children>
         #include <include/firewall/common-rule-ipv4.xml.i>
         #include <include/firewall/inbound-interface.xml.i>
+        #include <include/firewall/match-ipsec.xml.i>
         #include <include/firewall/offload-target.xml.i>
         #include <include/firewall/outbound-interface.xml.i>
       </children>
     </tagNode>
   </children>
 </tagNode>
 <!-- include end -->
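Review bot: The `#include <include/firewall/match-ipsec.xml.i>` line added to the named-chain rule children exposes the inbound IPsec match in chains that can be entered through a jump, as the `default-jump-target` help in this same file indicates. If the node was pulled out of `common-rule-inet.xml.i` because the match is only meaningful on inbound paths, a named chain reached from another path would accept the rule and then never match. That is easy to misread as a working IPsec-only policy. Consider stating the limitation in the help text or rejecting the combination in the firewall config script, which is not part of this diff. The same applies to the identical include in `ipv6-custom-name.xml.i`.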
diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
index de2c70482..b0e240a03 100644
--- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
@@ -1,39 +1,40 @@
 <!-- include start from firewall/ipv4-hook-forward.xml.i -->
 <node name="forward">
   <properties>
     <help>IPv4 forward firewall</help>
   </properties>
   <children>
     <node name="filter">
       <properties>
         <help>IPv4 firewall forward filter</help>
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
         #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
             <help>IPv4 Firewall forward filter rule number</help>
             <valueHelp>
               <format>u32:1-999999</format>
               <description>Number for this firewall rule</description>
             </valueHelp>
             <constraint>
               <validator name="numeric" argument="--range 1-999999"/>
             </constraint>
             <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
           </properties>
           <children>
             #include <include/firewall/action-forward.xml.i>
             #include <include/firewall/common-rule-ipv4.xml.i>
             #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/match-ipsec.xml.i>
             #include <include/firewall/offload-target.xml.i>
             #include <include/firewall/outbound-interface.xml.i>
           </children>
         </tagNode>
       </children>
     </node>
   </children>
 </node>
 <!-- include end -->
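Review bot: With this include the `ipsec` node is accepted only under forward, input and named-chain rules (here and in the ipv4 input, ipv6 forward, ipv6 input and both custom-name files), while the first hunk removes it from `common-rule-inet.xml.i` for every other consumer of that include. A saved configuration that sets `ipsec match-ipsec` or `ipsec match-none` in a rule outside those trees would presumably fail validation on load after an upgrade, leaving the firewall section unapplied. No migration script is visible in this diff. Please confirm that one accompanies the change, or that no other consumer of `common-rule-inet.xml.i` ever exposed the node.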
diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
index 5d32657ea..cefb1ffa7 100644
--- a/interface-definitions/include/firewall/ipv4-hook-input.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
@@ -1,36 +1,37 @@
 <!-- include start from firewall/ipv4-hook-input.xml.i -->
 <node name="input">
   <properties>
     <help>IPv4 input firewall</help>
   </properties>
   <children>
     <node name="filter">
       <properties>
         <help>IPv4 firewall input filter</help>
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
         #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
             <help>IPv4 Firewall input filter rule number</help>
             <valueHelp>
               <format>u32:1-999999</format>
               <description>Number for this firewall rule</description>
             </valueHelp>
             <constraint>
               <validator name="numeric" argument="--range 1-999999"/>
             </constraint>
             <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
           </properties>
           <children>
             #include <include/firewall/common-rule-ipv4.xml.i>
             #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/match-ipsec.xml.i>
           </children>
         </tagNode>
       </children>
     </node>
   </children>
 </node>
 <!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
index 5748b3927..fb8740c38 100644
--- a/interface-definitions/include/firewall/ipv6-custom-name.xml.i
+++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
@@ -1,42 +1,43 @@
 <!-- include start from firewall/ipv6-custom-name.xml.i -->
 <tagNode name="name">
   <properties>
     <help>IPv6 custom firewall</help>
     <constraint>
       <regex>[a-zA-Z0-9][\w\-\.]*</regex>
     </constraint>
   </properties>
   <children>
     #include <include/firewall/default-action.xml.i>
     #include <include/firewall/default-log.xml.i>
     #include <include/generic-description.xml.i>
     <leafNode name="default-jump-target">
       <properties>
         <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
         <completionHelp>
           <path>firewall ipv6 name</path>
         </completionHelp>
       </properties>
     </leafNode>
     <tagNode name="rule">
       <properties>
         <help>IPv6 Firewall custom rule number</help>
         <valueHelp>
           <format>u32:1-999999</format>
           <description>Number for this firewall rule</description>
         </valueHelp>
         <constraint>
           <validator name="numeric" argument="--range 1-999999"/>
         </constraint>
         <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
       </properties>
       <children>
         #include <include/firewall/common-rule-ipv6.xml.i>
         #include <include/firewall/inbound-interface.xml.i>
+        #include <include/firewall/match-ipsec.xml.i>
         #include <include/firewall/offload-target.xml.i>
         #include <include/firewall/outbound-interface.xml.i>
       </children>
     </tagNode>
   </children>
 </tagNode>
 <!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
index b53f09f59..7efc2614e 100644
--- a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
@@ -1,39 +1,40 @@
 <!-- include start from firewall/ipv6-hook-forward.xml.i -->
 <node name="forward">
   <properties>
     <help>IPv6 forward firewall</help>
   </properties>
   <children>
     <node name="filter">
       <properties>
         <help>IPv6 firewall forward filter</help>
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
         #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
             <help>IPv6 Firewall forward filter rule number</help>
             <valueHelp>
               <format>u32:1-999999</format>
               <description>Number for this firewall rule</description>
             </valueHelp>
             <constraint>
               <validator name="numeric" argument="--range 1-999999"/>
             </constraint>
             <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
           </properties>
           <children>
             #include <include/firewall/action-forward.xml.i>
             #include <include/firewall/common-rule-ipv6.xml.i>
             #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/match-ipsec.xml.i>
             #include <include/firewall/offload-target.xml.i>
             #include <include/firewall/outbound-interface.xml.i>
           </children>
         </tagNode>
       </children>
     </node>
   </children>
 </node>
 <!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
index 493611fb1..e1f41e64c 100644
--- a/interface-definitions/include/firewall/ipv6-hook-input.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
@@ -1,36 +1,37 @@
 <!-- include start from firewall/ipv6-hook-input.xml.i -->
 <node name="input">
   <properties>
     <help>IPv6 input firewall</help>
   </properties>
   <children>
     <node name="filter">
       <properties>
         <help>IPv6 firewall input filter</help>
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
         #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
             <help>IPv6 Firewall input filter rule number</help>
             <valueHelp>
               <format>u32:1-999999</format>
               <description>Number for this firewall rule</description>
             </valueHelp>
             <constraint>
               <validator name="numeric" argument="--range 1-999999"/>
             </constraint>
             <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
           </properties>
           <children>
             #include <include/firewall/common-rule-ipv6.xml.i>
             #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/match-ipsec.xml.i>
           </children>
         </tagNode>
       </children>
     </node>
   </children>
 </node>
 <!-- include end -->
diff --git a/interface-definitions/include/firewall/match-ipsec.xml.i b/interface-definitions/include/firewall/match-ipsec.xml.i
new file mode 100644
index 000000000..82c2b324d
--- /dev/null
+++ b/interface-definitions/include/firewall/match-ipsec.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from firewall/match-ipsec.xml.i -->
+<node name="ipsec">
+  <properties>
+    <help>Inbound IPsec packets</help>
+  </properties>
+  <children>
+    <leafNode name="match-ipsec">
+      <properties>
+        <help>Inbound IPsec packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-none">
+      <properties>
+        <help>Inbound non-IPsec packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
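Review bot: `match-ipsec` and `match-none` are both `<valueless/>` leaves, and nothing in this definition prevents a rule from setting both, which describes a packet that is and is not IPsec at once. If the config script does not already reject that combination (it is outside this diff), the check belongs there with a clear error message. The node-level help also repeats the leaf text; `<help>IPsec match</help>` on the `ipsec` node would read better in completion and match `<help>IP fragment match</help>` on the `fragment` node in `common-rule-inet.xml.i`. The file also ends without a trailing newline.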