From 58355d5aab06d370143e3db09fb6331867cbca42 Mon Sep 17 00:00:00 2001
From: Vadim Kurland <vadim@netcitadel.com>
Date: Sun, 13 Apr 2008 07:06:30 +0000
Subject: [PATCH] ********************************  Merge branch
 inet-addr-changes r61 ********************************

---
 src/cisco_lib/Helper.cpp                      |   30 +-
 src/cisco_lib/Helper.h                        |   12 +-
 src/cisco_lib/PolicyCompiler_cisco.cpp        |    4 +-
 src/fwbedit/fwbedit.cpp                       |   12 +-
 src/fwblookup/fwblookup.cpp                   |    9 +-
 src/gui/AddressRangeDialog.cpp                |    8 +-
 src/gui/DiscoveryDruid.cpp                    |   99 +-
 src/gui/DiscoveryDruid.h                      |   18 +-
 src/gui/IOSImporter.cpp                       |   11 +-
 src/gui/IPTImporter.cpp                       |    8 +-
 src/gui/IPv4Dialog.cpp                        |   12 +-
 src/gui/Importer.cpp                          |   32 +-
 src/gui/InterfaceData.cpp                     |   25 +-
 src/gui/NetworkDialog.cpp                     |   10 +-
 src/gui/fwbuilder_ph.h                        |    3 +-
 src/gui/instDialog.cpp                        |    3 +-
 src/gui/newFirewallDialog.cpp                 |   18 +-
 src/gui/newHostDialog.cpp                     |   21 +-
 src/iosacl/PolicyCompiler_iosacl.cpp          |   18 +-
 src/iosacl/PolicyCompiler_iosacl_writers.cpp  |   20 +-
 src/ipf/ipf.cpp                               |    2 +-
 src/ipfw/ipfw.cpp                             |    2 +-
 src/ipt/NATCompiler_PrintRule.cpp             |   58 +-
 src/ipt/NATCompiler_ipt.cpp                   |   27 +-
 src/ipt/OSConfigurator_linux24.cpp            |   26 +-
 src/ipt/OSConfigurator_linux24.h              |    6 +-
 src/ipt/PolicyCompiler_PrintRule.cpp          |   39 +-
 src/ipt/PolicyCompiler_PrintRuleIptRst.cpp    |    1 -
 .../PolicyCompiler_PrintRuleIptRstEcho.cpp    |    1 -
 src/ipt/PolicyCompiler_ipt.cpp                |   33 +-
 src/ipt/RoutingCompiler_ipt.cpp               |    2 -
 src/ipt/RoutingCompiler_ipt_writers.cpp       |   14 +-
 src/ipt/ipt.cpp                               |    9 +-
 src/pf/pf.cpp                                 |    2 +-
 src/pflib/NATCompiler_ipf_writers.cpp         |   28 +-
 src/pflib/NATCompiler_pf.cpp                  |    2 +-
 src/pflib/NATCompiler_pf_writers.cpp          |   14 +-
 src/pflib/OSConfigurator_freebsd.cpp          |    5 +-
 src/pflib/OSConfigurator_freebsd.h            |    2 +-
 src/pflib/OSConfigurator_macosx.h             |    2 +-
 src/pflib/OSConfigurator_openbsd.cpp          |    5 +-
 src/pflib/OSConfigurator_openbsd.h            |    2 +-
 src/pflib/OSConfigurator_solaris.cpp          |    5 +-
 src/pflib/OSConfigurator_solaris.h            |    4 +-
 src/pflib/PolicyCompiler_ipf_writers.cpp      |   14 +-
 src/pflib/PolicyCompiler_ipfw_writers.cpp     |   13 +-
 src/pflib/PolicyCompiler_pf.cpp               |   12 +-
 src/pflib/PolicyCompiler_pf_writers.cpp       |   22 +-
 src/pflib/TableFactory.cpp                    |    9 +-
 src/pix/NATCompiler_pix.cpp                   |   83 +-
 src/pix/NATCompiler_pix.h                     |    6 +-
 src/pix/NATCompiler_pix_writers.cpp           |    6 +-
 src/pix/OSConfigurator_pix_os.cpp             |    6 +-
 src/pix/PIXObjectGroup.h                      |    2 +-
 src/pix/PolicyCompiler_pix.cpp                |    9 +-
 src/pix/PolicyCompiler_pix_writers.cpp        |   16 +-
 test/ipf/objects-for-regression-tests.fwb     |    2 +-
 test/ipfw/objects-for-regression-tests.fwb    |    2 +-
 test/ipt/objects-for-regression-tests.fwb     |  536 ++---
 test/pf/objects-for-regression-tests.fwb      | 1868 ++++++++---------
 test/pix/quick-cmp.sh                         |    4 +-
 61 files changed, 1657 insertions(+), 1617 deletions(-)

diff --git a/src/cisco_lib/Helper.cpp b/src/cisco_lib/Helper.cpp
index 481314dc9..cd0eaa316 100644
--- a/src/cisco_lib/Helper.cpp
+++ b/src/cisco_lib/Helper.cpp
@@ -28,7 +28,7 @@
 
 #include <fwbuilder/Interface.h>
 #include <fwbuilder/ObjectGroup.h>
-#include <fwbuilder/IPAddress.h>
+#include <fwbuilder/InetAddr.h>
 #include <fwbuilder/FWObjectDatabase.h>
 #include <fwbuilder/RuleElement.h>
 #include <fwbuilder/Rule.h>
@@ -41,21 +41,6 @@ using namespace libfwbuilder;
 using namespace fwcompiler;
 using namespace std;
 
-bool Helper::belongsTo(Address *obj, const IPAddress &a)
-{
-    const IPNetwork n1( obj->getAddress() , 
-       (Interface::cast(obj))?Netmask("255.255.255.255"):obj->getNetmask() );
-
-    return n1.belongs(a);
-}
-
-
-bool Helper::belongsTo(Address *obj, Address *addr)
-{
-    return belongsTo(obj,addr->getAddress());
-}
-
-
 static unsigned long calculateDimension(FWObject* obj)
 {
     if (Group::cast(obj)!=NULL) {
@@ -118,14 +103,13 @@ string  Helper::findInterfaceByAddress(libfwbuilder::Address *obj)
     return findInterfaceByAddress(obj->getAddress());
 }
 
-string  Helper::findInterfaceByAddress(const libfwbuilder::IPAddress &addr)
+string  Helper::findInterfaceByAddress(const libfwbuilder::InetAddr &addr)
 {
     Firewall *fw=compiler->fw;
     list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
     for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i) {
 	Interface *iface=Interface::cast(*i);
-	IPNetwork n( iface->getAddress() , iface->getNetmask() );
-	if ( n.belongs( addr ) ) return iface->getId();
+	if ( iface->belongs( addr ) ) return iface->getId();
     }
     return "";
 }
@@ -135,7 +119,7 @@ string  Helper::findInterfaceByNetzone(Address *obj)
     return findInterfaceByNetzone(obj->getAddress());
 }
 
-string  Helper::findInterfaceByNetzone(const IPAddress &addr) throw(string)
+string  Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
 {
     Firewall *fw=compiler->fw;
     map<string,FWObject*> zones;
@@ -150,7 +134,7 @@ string  Helper::findInterfaceByNetzone(const IPAddress &addr) throw(string)
                  j!=netzone->end(); ++j)
             {
                 assert(Address::cast(*j)!=NULL);
-                if ( belongsTo( Address::cast(*j) , addr ) )
+                if (Address::cast(*j)->belongs(addr))
                     zones[(*i)->getId()]=netzone;
             }
         }
@@ -249,7 +233,7 @@ list<string>  Helper::findInterfaceByNetzoneOrAll(RuleElement *re)
 
 string triplet::hash()
 {
-    return string(src->getAddress()) + "." +
-        string(dst->getAddress()) + "." +
+    return src->getAddress().toString() + "." +
+        dst->getAddress().toString() + "." +
         srv->getId();
 }
diff --git a/src/cisco_lib/Helper.h b/src/cisco_lib/Helper.h
index 551aececb..85af19513 100644
--- a/src/cisco_lib/Helper.h
+++ b/src/cisco_lib/Helper.h
@@ -40,14 +40,6 @@ namespace fwcompiler {
     {
         fwcompiler::Compiler *compiler;
 
-        /**
-         * this methods checks if object addr belongs to network or address obj
-         */
-        bool belongsTo(libfwbuilder::Address *obj,
-                       const libfwbuilder::IPAddress &a);
-        bool belongsTo(libfwbuilder::Address *obj,
-                       libfwbuilder::Address *addr);
-
         public:
 
         Helper(fwcompiler::Compiler *comp) { compiler=comp; }
@@ -57,14 +49,14 @@ namespace fwcompiler {
          * finds interface of the firewall to whose subnet object
          * 'obj' belongs to.  Returns interface ID
          */
-        std::string  findInterfaceByAddress(const libfwbuilder::IPAddress &a);
+        std::string  findInterfaceByAddress(const libfwbuilder::InetAddr &a);
         std::string  findInterfaceByAddress(libfwbuilder::Address *obj);
 
         /**
          * finds interface of the firewall associated with the netzone
          * that object 'obj' belongs to.  Returns interface ID
          */
-        std::string findInterfaceByNetzone(const libfwbuilder::IPAddress &a)
+        std::string findInterfaceByNetzone(const libfwbuilder::InetAddr &a)
             throw(std::string);
         std::string findInterfaceByNetzone(libfwbuilder::Address *obj);
         std::list<std::string> findInterfaceByNetzoneOrAll(
diff --git a/src/cisco_lib/PolicyCompiler_cisco.cpp b/src/cisco_lib/PolicyCompiler_cisco.cpp
index a666a2c4c..9411f312b 100644
--- a/src/cisco_lib/PolicyCompiler_cisco.cpp
+++ b/src/cisco_lib/PolicyCompiler_cisco.cpp
@@ -409,7 +409,7 @@ bool PolicyCompiler_cisco::splitIfRuleElementMatchesFW::processNext()
         Address *a=Address::cast(obj);
         assert(a!=NULL);
 
-//        IPAddress obj_addr=a->getAddress();
+//        InetAddr obj_addr=a->getAddress();
 
         if (cisco_comp->complexMatch(a,cisco_comp->fw)) {
 
@@ -697,7 +697,7 @@ bool PolicyCompiler_cisco::splitByNetworkZonesForRE::processNext()
         Address *a=Address::cast(obj);
         assert(a!=NULL);
 
-//        IPAddress obj_addr=a->getAddress();
+//        InetAddr obj_addr=a->getAddress();
 
         try
         {
diff --git a/src/fwbedit/fwbedit.cpp b/src/fwbedit/fwbedit.cpp
index 1ff821f2a..736d4cc78 100644
--- a/src/fwbedit/fwbedit.cpp
+++ b/src/fwbedit/fwbedit.cpp
@@ -251,7 +251,7 @@ bool testIPv4(string s)
     bool res=false;
     try
     {
-        IPAddress( s.c_str() );
+        InetAddr( s.c_str() );
         res=true;
     } catch (FWException &ex)
     {    }
@@ -682,7 +682,7 @@ int main(int argc, char * const *argv)
                 {
                     IPv4 *o=IPv4::cast(nobj);
                     o->setName(name);
-                    o->setAddress(addr1);
+                    o->setAddress(InetAddr(addr1));
                 }
                 
             }
@@ -705,8 +705,8 @@ int main(int argc, char * const *argv)
                  FWObject *nobj=createObject(objtype,"/"+lib+"/"+systemGroupPaths[objtype]);
                  AddressRange *o=AddressRange::cast(nobj);
                  o->setName(name);
-                 o->setRangeStart(IPAddress(addr1));
-                 o->setRangeEnd(IPAddress(addr2));
+                 o->setRangeStart(InetAddr(addr1));
+                 o->setRangeEnd(InetAddr(addr2));
 
             }
             else if (objtype==ObjectGroup::TYPENAME)
@@ -723,8 +723,8 @@ int main(int argc, char * const *argv)
                  FWObject *nobj=createObject(objtype,"/"+lib+"/"+systemGroupPaths[objtype]);
                  Network *o=Network::cast(nobj);
                  o->setName(name);
-                 o->setAddress(addr1);
-                 o->setNetmask(addr2);
+                 o->setAddress(InetAddr(addr1));
+                 o->setNetmask(InetNetmask(addr2));
             }
             else if (objtype==Firewall::TYPENAME)
             {
diff --git a/src/fwblookup/fwblookup.cpp b/src/fwblookup/fwblookup.cpp
index f2f74844a..9015575f0 100644
--- a/src/fwblookup/fwblookup.cpp
+++ b/src/fwblookup/fwblookup.cpp
@@ -316,9 +316,12 @@ int main(int argc, char * const *argv)
             {
                 if (Host::isA(obj) || Firewall::isA(obj))
                 {
-                    IPAddress ma=Host::cast(obj)->getManagementAddress();
-                    if (ma!=IPAddress("0.0.0.0")) cout << ma.toString() << endl;
-                    else {
+                    InetAddr ma = Host::cast(obj)->getManagementAddress();
+                    if (ma != InetAddr::getAny())
+                    {
+                        cout << ma.toString() << endl;
+                    } else
+                    {
                         SNPRINTF(errstr,sizeof(errstr),
                             _("Object %s (ID='%s') does not have management interface"),
                              obj->getName().c_str(),
diff --git a/src/gui/AddressRangeDialog.cpp b/src/gui/AddressRangeDialog.cpp
index 572ed927b..d33c75db3 100644
--- a/src/gui/AddressRangeDialog.cpp
+++ b/src/gui/AddressRangeDialog.cpp
@@ -118,7 +118,7 @@ void AddressRangeDialog::validate(bool *res)
     assert(s!=NULL);
     try
     {
-        IPAddress(m_dialog->rangeStart->text().toLatin1().constData());
+        InetAddr(m_dialog->rangeStart->text().toLatin1().constData());
     } catch (FWException &ex)
     {
         *res=false;
@@ -129,7 +129,7 @@ void AddressRangeDialog::validate(bool *res)
     }
     try
     {
-        IPAddress(m_dialog->rangeEnd->text().toLatin1().constData());
+        InetAddr(m_dialog->rangeEnd->text().toLatin1().constData());
     } catch (FWException &ex)
     {
         *res=false;
@@ -161,8 +161,8 @@ void AddressRangeDialog::applyChanges()
     obj->setComment( string(m_dialog->comment->toPlainText().toUtf8().constData()) );
     try
     {
-        s->setRangeStart( IPAddress(m_dialog->rangeStart->text().toLatin1().constData()) );
-        s->setRangeEnd( IPAddress(m_dialog->rangeEnd->text().toLatin1().constData()) );
+        s->setRangeStart( InetAddr(m_dialog->rangeStart->text().toLatin1().constData()) );
+        s->setRangeEnd( InetAddr(m_dialog->rangeEnd->text().toLatin1().constData()) );
     } catch (FWException &ex)
     {
 
diff --git a/src/gui/DiscoveryDruid.cpp b/src/gui/DiscoveryDruid.cpp
index 8d1d3eafb..4001aefb3 100644
--- a/src/gui/DiscoveryDruid.cpp
+++ b/src/gui/DiscoveryDruid.cpp
@@ -64,7 +64,8 @@
 #include "fwbuilder/IPv4.h"
 #include "fwbuilder/Host.h"
 #include "fwbuilder/Network.h"
-#include "fwbuilder/IPAddress.h"
+#include "fwbuilder/InetAddr.h"
+#include "fwbuilder/InetAddrMask.h"
 #include "fwbuilder/Firewall.h"
 
 #include "fwbuilder/dns.h"
@@ -620,7 +621,7 @@ void DiscoveryDruid::updatePrg()
 
 void DiscoveryDruid::getNameServers()
 {
-    multimap<string,libfwbuilder::IPAddress> ns_records;
+    multimap<string,libfwbuilder::InetAddr> ns_records;
 
     string domain_name=m_dialog->domainname->text().toLatin1().constData();
     DNS_getNS_query *dns=new DNS_getNS_query(domain_name);
@@ -642,7 +643,7 @@ void DiscoveryDruid::getNameServers()
         m_dialog->dnscustom->setChecked(true);
         return ;
     }
-    multimap<string,IPAddress>::iterator i;
+    multimap<string,InetAddr>::iterator i;
     m_dialog->nameserverlist->clear();
     NameServers.clear();
 
@@ -653,7 +654,7 @@ void DiscoveryDruid::getNameServers()
         QString qs = s.c_str();
         m_dialog->nameserverlist->addItem(qs);
 
-        IPAddress *na=new IPAddress( (*i).second );
+        InetAddr *na=new InetAddr( (*i).second );
         NameServers[qs] = *na;
     }
 }
@@ -835,7 +836,7 @@ void DiscoveryDruid::startConfigImport()
     }
 }
 
-IPAddress DiscoveryDruid::getNS()
+InetAddr DiscoveryDruid::getNS()
 {
     string ns;
     if (m_dialog->dnscustom->isChecked())
@@ -844,17 +845,17 @@ IPAddress DiscoveryDruid::getNS()
 
         try
         {
-            return IPAddress(ns);
+            return InetAddr(ns);
         } catch (FWException &ex)
         {
         /* perhaps not address but host name */
-            list<IPAddress> addr;
+            list<InetAddr> addr;
             try
             {
                 addr=DNS::getHostByName(ns);
             } catch (FWException &ex)
             {
-                return IPAddress();
+                return InetAddr();
             }
 
             return addr.front();
@@ -866,7 +867,7 @@ IPAddress DiscoveryDruid::getNS()
 
 void DiscoveryDruid::startDNSScan()
 {
-    IPAddress ns=getNS();
+    InetAddr ns=getNS(); 
     string domain_name=m_dialog->domainname->text().toLatin1().constData();
 
     DNS_findA_query *q=new DNS_findA_query();
@@ -893,14 +894,14 @@ void DiscoveryDruid::startDNSScan()
     }
 }
 
-IPAddress DiscoveryDruid::getSeedHostAddress()
+InetAddr DiscoveryDruid::getSeedHostAddress()
 {
-    libfwbuilder::IPAddress   seed_host_addr;
+    libfwbuilder::InetAddr   seed_host_addr;
     if (!m_dialog->seedhostname->text().isEmpty())
     {
         try
         {
-            seed_host_addr=IPAddress(m_dialog->seedhostname->text().toLatin1().constData());
+            seed_host_addr=InetAddr(m_dialog->seedhostname->text().toLatin1().constData());
             return seed_host_addr;
         } catch(const FWException &ex)
         {
@@ -909,9 +910,9 @@ IPAddress DiscoveryDruid::getSeedHostAddress()
         try
         {
             QString a = getAddrByName( m_dialog->seedhostname->text() );
-            return IPAddress( a.toLatin1().constData() );
+            return InetAddr( a.toLatin1().constData() );
 #if 0
-            list<IPAddress> v=DNS::getHostByName( m_dialog->seedhostname->text().toLatin1().constData() );
+            list<InetAddr> v=DNS::getHostByName( m_dialog->seedhostname->text().toLatin1().constData() );
             seed_host_addr = v.front();
             return seed_host_addr;
 #endif
@@ -932,10 +933,10 @@ void DiscoveryDruid::startSNMPScan()
     {
         try
         {
-            IPNetwork in(
-                 IPAddress(m_dialog->snmpinaddr->text().toLatin1().constData()),
-                 Netmask(m_dialog->snmpinmask->text().toLatin1().constData())
-                 );
+            InetAddrMask in(
+                InetAddr(m_dialog->snmpinaddr->text().toLatin1().constData()),
+                InetNetmask(m_dialog->snmpinmask->text().toLatin1().constData()) 
+            );
             include_networks.push_back(in);
         }
         catch (const FWException &ex)
@@ -1013,12 +1014,12 @@ void DiscoveryDruid::changedNameServer()
             return;
         }
 
-        if(isIPAddress(s))
+        if(isInetAddr(s))
         {
             timer->stop();
             m_dialog->DNSprogress_2->hide();
 
-            QString rs=testIPAddress(s);
+            QString rs=testInetAddr(s);
             if (rs.isEmpty())
             {
                 m_dialog->nameserver_error->setText(" ");
@@ -1070,13 +1071,13 @@ void DiscoveryDruid::typedCustomNS()
     }
 }
 
-bool DiscoveryDruid::isIPAddress(const QString s)
+bool DiscoveryDruid::isInetAddr(const QString s)
 {
     QRegExp r=QRegExp("^(\\d|\\.)+$",Qt::CaseInsensitive); //non wildcard
     return r.exactMatch(s);
 }
 
-QString DiscoveryDruid::testIPAddress(const QString s)
+QString DiscoveryDruid::testInetAddr(const QString s)
 {
     QString res;
     QRegExp r=QRegExp("^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$",Qt::CaseInsensitive); //non wildcard
@@ -1084,7 +1085,7 @@ QString DiscoveryDruid::testIPAddress(const QString s)
     {
         try
         {
-            IPAddress(s.toLatin1().constData());
+            InetAddr(s.toLatin1().constData());
         } catch(const FWException &ex)
         {
             res=ex.toString().c_str();
@@ -1388,9 +1389,9 @@ void DiscoveryDruid::loadDataFromDNS()
     DNS_findA_query *q=(DNS_findA_query*)bop;
     Objects.clear();
 
-    map<string,set<IPAddress> > t = q->getResult();
+    map<string,set<InetAddr> > t = q->getResult();
 
-    for(map<string,set<IPAddress> >::iterator j = t.begin(); j!=t.end(); ++j)
+    for(map<string,set<InetAddr> >::iterator j = t.begin(); j!=t.end(); ++j)
     {
         ObjectDescriptor od;
         od.addr     = *((*j).second.begin());
@@ -1476,8 +1477,8 @@ void DiscoveryDruid::loadDataFromCrawler()
     Objects.clear();
     Networks.clear();
 
-    set<IPNetwork>::iterator m;
-    set<IPNetwork> s = q->getNetworks();
+    set<InetAddrMask>::iterator m;
+    set<InetAddrMask> s = q->getNetworks();
 
     if (fwbdebug)
         qDebug(QString("got %1 networks").arg(s.size()).toAscii().constData());
@@ -1486,16 +1487,16 @@ void DiscoveryDruid::loadDataFromCrawler()
     {
         ObjectDescriptor od;
 
-        od.sysname=(string)*m;
-        od.addr=m->getAddress();
-        od.netmask=m->getNetmask();
-        od.type=Network::TYPENAME;
-        od.isSelected=false;
+        od.sysname = m->toString();
+        od.addr = m->getAddress();
+        od.netmask = m->getNetmask();
+        od.type = Network::TYPENAME;
+        od.isSelected = false;
 
         Networks[od.sysname.c_str()]= od ;
     }
 
-    map<IPAddress, CrawlerFind>  t = q->getAllIPs();
+    map<InetAddr, CrawlerFind>  t = q->getAllIPs();
 
     if (fwbdebug)
         qDebug(QString("got %1 addresses").arg(t.size()).toAscii().constData());
@@ -1504,7 +1505,7 @@ void DiscoveryDruid::loadDataFromCrawler()
     m_dialog->discoveryprogress->setValue(0);
 
     int cntr = 0;
-    map<IPAddress, CrawlerFind>::iterator j;
+    map<InetAddr, CrawlerFind>::iterator j;
     for(j = t.begin(); j!=t.end(); ++j,++cntr)
     {
         m_dialog->discoveryprogress->setValue( cntr );
@@ -1823,7 +1824,7 @@ void DiscoveryDruid::changedSeedHost()
     }
     else
     {
-        if(isIPAddress(HostName))
+        if(isInetAddr(HostName))
         { // seems to be an IP Address
             m_dialog->DNSprogress->hide();
             timer->stop();
@@ -1832,7 +1833,7 @@ void DiscoveryDruid::changedSeedHost()
             {
                 try
                 {
-                    IPAddress(HostName.toLatin1().constData());
+                    InetAddr(HostName.toLatin1().constData());
 
                     QPalette palette = m_dialog->seedhosterror_message->palette();
                     palette.setColor(m_dialog->seedhosterror_message->foregroundRole(), Qt::darkGreen);
@@ -1894,9 +1895,9 @@ void DiscoveryDruid::changedInclNet()
         try
         {
 
-            IPAddress a(m_dialog->snmpinaddr->text().toLatin1().constData());
-            Netmask n(m_dialog->snmpinmask->text().toLatin1().constData());
-            IPNetwork(a,n);
+            InetAddr a(m_dialog->snmpinaddr->text().toLatin1().constData());
+            InetNetmask n(m_dialog->snmpinmask->text().toLatin1().constData());
+            InetAddrMask(a,n);
 
             m_dialog->confineerror_message->setText(" ");
             isSNMPInclNetOK=true;
@@ -2079,8 +2080,8 @@ void DiscoveryDruid::createRealObjects()
             );
             assert(net!=NULL);
             net->setName(name);
-            net->setAddress(IPAddress(a));
-            net->setNetmask(Netmask(IPAddress(a)));
+            net->setAddress(InetAddr(a));
+            net->setNetmask(InetNetmask(InetAddr(a)));
             mw->moveObject(m_dialog->libs->currentText(), net);
         }
     }
@@ -2114,8 +2115,8 @@ void DiscoveryDruid::createRealObjects()
                     );
 
 
-                    ipv4->setAddress(a);
-                    ipv4->setNetmask("255.255.255.255");
+                    ipv4->setAddress(InetAddr(a));
+                    ipv4->setNetmask(InetNetmask());
                 } else
                 {
                     map<int,Interface>::const_iterator i;
@@ -2162,8 +2163,8 @@ void DiscoveryDruid::createRealObjects()
                 );
                 assert(net!=NULL);
                 net->setName(name);
-                net->setAddress(IPAddress(a));
-                net->setNetmask(Netmask(IPAddress(a)));
+                net->setAddress(InetAddr(a));
+                net->setNetmask(InetNetmask(InetAddr(a)));
                 mw->moveObject(m_dialog->libs->currentText(), net);
             }else if (type==IPv4::TYPENAME)
             {
@@ -2172,8 +2173,8 @@ void DiscoveryDruid::createRealObjects()
                 );
                 assert(obj!=NULL);
                 obj->setName(name);
-                obj->setAddress(IPAddress(a));
-                obj->setNetmask("255.255.255.255");
+                obj->setAddress(InetAddr(a));
+                obj->setNetmask(InetNetmask(InetAddr::getAllOnes()));
                 mw->moveObject(m_dialog->libs->currentText(), obj);
             }
         }
@@ -2343,7 +2344,7 @@ void HostsFileImport::run()
     *Log << "Discovery method:"
          << "Read file in hosts format. \n";
 
-    map<IPAddress, vector<string> > reverse_hosts;
+    map<InetAddr, vector<string> > reverse_hosts;
     HostsFile *hf;
 /*
  *    read hosts file here
@@ -2377,7 +2378,7 @@ void HostsFileImport::run()
     */
         hosts.clear();
 
-        map<IPAddress,vector<string> >::iterator i;
+        map<InetAddr,vector<string> >::iterator i;
         int count=reverse_hosts.size();
         int t=0;
         for (i=reverse_hosts.begin(); i!=reverse_hosts.end(); ++i)
diff --git a/src/gui/DiscoveryDruid.h b/src/gui/DiscoveryDruid.h
index 9a8ebc2bd..b47235bd6 100644
--- a/src/gui/DiscoveryDruid.h
+++ b/src/gui/DiscoveryDruid.h
@@ -38,7 +38,7 @@
 #include "fwbuilder/Interface.h"
 #include "fwbuilder/dns.h"
 #include "fwbuilder/snmp.h"
-#include "fwbuilder/IPAddress.h"
+#include "fwbuilder/InetAddr.h"
 #include "fwbuilder/Logger.h"
 
 #include "FilterDialog.h"
@@ -69,8 +69,8 @@ class ObjectDescriptor
 
     string                          MAC_addr ;
     libfwbuilder::HostEnt           dns_info ;
-    libfwbuilder::IPAddress         addr     ;
-    libfwbuilder::Netmask           netmask  ;
+    libfwbuilder::InetAddr          addr     ;
+    libfwbuilder::InetNetmask       netmask  ;
 
     
     ObjectDescriptor();
@@ -194,8 +194,8 @@ private:
     int FromPage;
     QMap<QString,ObjectDescriptor> Objects;
     QMap<QString,ObjectDescriptor> Networks;
-    QMap<QString,IPAddress> NameServers;
-    vector<libfwbuilder::IPNetwork>  include_networks;
+    QMap<QString,InetAddr> NameServers;
+    vector<libfwbuilder::InetAddrMask>  include_networks;
 
     QTimer* timer;
     QTimer* prg_timer;
@@ -232,10 +232,10 @@ public:
     void createRealObjects();
 //    void stripObjects();
     void getNameServers();
-    IPAddress getNS();
-    IPAddress getSeedHostAddress();
-    bool isIPAddress(const QString s);
-    QString testIPAddress(const QString s);
+    InetAddr getNS();
+    InetAddr getSeedHostAddress();
+    bool isInetAddr(const QString s);
+    QString testInetAddr(const QString s);
 
     virtual void customEvent(QEvent *event);
     
diff --git a/src/gui/IOSImporter.cpp b/src/gui/IOSImporter.cpp
index 1b71f2329..9e08b49c0 100644
--- a/src/gui/IOSImporter.cpp
+++ b/src/gui/IOSImporter.cpp
@@ -40,7 +40,7 @@
 #include "fwbuilder/Resources.h"
 #include "fwbuilder/Network.h"
 #include "fwbuilder/Address.h"
-#include "fwbuilder/IPAddress.h"
+#include "fwbuilder/InetAddr.h"
 #include "fwbuilder/IPService.h"
 #include "fwbuilder/ICMPService.h"
 #include "fwbuilder/TCPService.h"
@@ -195,17 +195,14 @@ FWObject* IOSImporter::createAddress(const std::string &addr,
     // invert netmask (this is IOS)
     try
     {
-        IPAddress orig_nm(netmask);
-        long nm = orig_nm.to32BitInt();
-        struct in_addr na;
-        na.s_addr = ~nm;
-        correct_nm = IPAddress(&na).toString();
+        InetAddr orig_nm(netmask);
+        correct_nm = (~orig_nm).toString();
         return Importer::createAddress(addr, correct_nm);
     } catch (FWException &ex)
     {
         markCurrentRuleBad(
             std::string("Error converting netmask '") + netmask + "' (address " + addr + ")");
-        return Importer::createAddress(addr, "255.255.255.255");
+        return Importer::createAddress(addr, InetAddr::getAllOnes().toString());
     }
 
 }
diff --git a/src/gui/IPTImporter.cpp b/src/gui/IPTImporter.cpp
index 0cdfa4b96..6f3382e87 100644
--- a/src/gui/IPTImporter.cpp
+++ b/src/gui/IPTImporter.cpp
@@ -48,7 +48,7 @@
 #include "fwbuilder/Network.h"
 #include "fwbuilder/Address.h"
 #include "fwbuilder/AddressRange.h"
-#include "fwbuilder/IPAddress.h"
+#include "fwbuilder/InetAddr.h"
 #include "fwbuilder/IPService.h"
 #include "fwbuilder/ICMPService.h"
 #include "fwbuilder/TCPService.h"
@@ -727,9 +727,9 @@ void IPTImporter::pushNATRule()
     addODst();
     addOSrv();
 
-    if (src_nm.empty()) src_nm = "255.255.255.255";
-    if (dst_nm.empty()) dst_nm = "255.255.255.255";
-    if (nat_nm.empty()) nat_nm = "255.255.255.255";
+    if (src_nm.empty()) src_nm = InetAddr::getAllOnes().toString();
+    if (dst_nm.empty()) dst_nm = InetAddr::getAllOnes().toString();
+    if (nat_nm.empty()) nat_nm = InetAddr::getAllOnes().toString();
 
     if (target=="ACCEPT")
     {
diff --git a/src/gui/IPv4Dialog.cpp b/src/gui/IPv4Dialog.cpp
index c30f2553e..20254ef58 100644
--- a/src/gui/IPv4Dialog.cpp
+++ b/src/gui/IPv4Dialog.cpp
@@ -155,7 +155,7 @@ void IPv4Dialog::validate(bool *res)
     assert(s!=NULL);
     try
     {
-        IPAddress( m_dialog->address->text().toLatin1().constData() );
+        InetAddr( m_dialog->address->text().toLatin1().constData() );
     } catch (FWException &ex)
     {
         *res=false;
@@ -169,7 +169,7 @@ void IPv4Dialog::validate(bool *res)
     {
         try
         {
-            Netmask( m_dialog->netmask->text().toLatin1().constData() );
+            InetNetmask( m_dialog->netmask->text().toLatin1().constData() );
         } catch (FWException &ex)
         {
             *res=false;
@@ -203,17 +203,19 @@ void IPv4Dialog::applyChanges()
 
     try
     {
-        s->setAddress( m_dialog->address->text().toLatin1().constData() );
+        s->setAddress(
+            InetAddr(m_dialog->address->text().toLatin1().constData()) );
     } catch (FWException &ex) { }
 
     if ( showNetmask )
     {
         try
         {
-            s->setNetmask( m_dialog->netmask->text().toLatin1().constData() );
+            s->setNetmask(
+                InetNetmask(m_dialog->netmask->text().toLatin1().constData()) );
         } catch (FWException &ex) { }
     } else
-        s->setNetmask( "255.255.255.255" );
+        s->setNetmask(InetNetmask());
 
     mw->updateObjName(obj,QString::fromUtf8(oldname.c_str()));
 
diff --git a/src/gui/Importer.cpp b/src/gui/Importer.cpp
index da8b7080f..e90b2baa1 100644
--- a/src/gui/Importer.cpp
+++ b/src/gui/Importer.cpp
@@ -246,8 +246,8 @@ void Importer::addInterfaceAddress(const std::string &a,
                                       IPv4::TYPENAME,
                                       aname);
         current_interface->setUnnumbered(false);
-        IPv4::cast(nobj)->setAddress( a );
-        IPv4::cast(nobj)->setNetmask( nm );
+        IPv4::cast(nobj)->setAddress( InetAddr(a) );
+        IPv4::cast(nobj)->setNetmask( InetNetmask(nm) );
 
         *logger << "Interface address: " << a << "/" << nm << "\n";
     }
@@ -395,17 +395,21 @@ void Importer::pushRule()
 
 FWObject* Importer::makeSrcObj()
 {
-    if ( (src_a=="" && src_nm=="") || (src_a=="0.0.0.0" && src_nm=="0.0.0.0"))
+    if ( (src_a=="" && src_nm=="") || 
+         (src_a==InetAddr::getAny().toString() &&
+          src_nm==InetAddr::getAny().toString()))
         return NULL;  // this is 'any'
-    if (src_nm=="") src_nm="255.255.255.255";
+    if (src_nm=="") src_nm=InetAddr::getAllOnes().toString();
     return createAddress(src_a, src_nm);
 }
 
 FWObject* Importer::makeDstObj()
 {
-    if ( (dst_a=="" && dst_nm=="") || (dst_a=="0.0.0.0" && dst_nm=="0.0.0.0"))
+    if ( (dst_a=="" && dst_nm=="") || 
+         (dst_a==InetAddr::getAny().toString() &&
+          dst_nm==InetAddr::getAny().toString()))
         return NULL;  // this is 'any'
-    if (dst_nm=="") dst_nm="255.255.255.255";
+    if (dst_nm=="") dst_nm=InetAddr::getAllOnes().toString();
     return createAddress(dst_a, dst_nm);
 }
 
@@ -816,13 +820,13 @@ FWObject* Importer::createAddress(const std::string &addr,
     std::string sig = std::string("addr-") + addr + "/" + netmask;
     if (all_objects.count(sig)!=0) return all_objects[sig];
 
-    if ( netmask == "255.255.255.255" )
+    if ( netmask == InetAddr::getAllOnes().toString() )
     {
         Address *a;
         std::string name = std::string("h-") + addr;
         a = Address::cast(createObject(IPv4::TYPENAME, name));
-        a->setAddress( addr );
-        a->setNetmask( "255.255.255.255" );
+        a->setAddress(InetAddr(addr));
+        a->setNetmask(InetNetmask(InetAddr::getAllOnes()));
         a->setComment(comment);
         all_objects[sig] = a;
         *logger << "Address object: " << name << "\n";
@@ -834,7 +838,7 @@ FWObject* Importer::createAddress(const std::string &addr,
         net = Network::cast(createObject(Network::TYPENAME, name));
         try
         {
-            net->setAddress( addr );
+            net->setAddress( InetAddr(addr) );
         } catch (FWException &ex)
         {
             markCurrentRuleBad(
@@ -843,7 +847,7 @@ FWObject* Importer::createAddress(const std::string &addr,
 
         try
         {
-            net->setNetmask( netmask );
+            net->setNetmask( InetNetmask(netmask) );
         } catch (FWException &ex)
         {
             if (netmask.find('.')!=std::string::npos)
@@ -862,7 +866,7 @@ FWObject* Importer::createAddress(const std::string &addr,
                 try
                 {
                     str >> nm_len;
-                    net->setNetmask( Netmask(nm_len) );
+                    net->setNetmask( InetNetmask(nm_len) );
                 } catch (std::exception& e)
                 {
                     // could not convert netmask as simple integer
@@ -894,7 +898,7 @@ FWObject* Importer::createAddressRange(const std::string &addr1,
 
     try
     {
-        ar->setRangeStart( IPAddress(addr1) );
+        ar->setRangeStart( InetAddr(addr1) );
     } catch (FWException &ex)
     {
         markCurrentRuleBad(
@@ -903,7 +907,7 @@ FWObject* Importer::createAddressRange(const std::string &addr1,
 
     try
     {
-        ar->setRangeEnd( IPAddress(addr2) );
+        ar->setRangeEnd( InetAddr(addr2) );
     } catch (FWException &ex)
     {
         markCurrentRuleBad(
diff --git a/src/gui/InterfaceData.cpp b/src/gui/InterfaceData.cpp
index 7ed5b674b..3d66c23c0 100644
--- a/src/gui/InterfaceData.cpp
+++ b/src/gui/InterfaceData.cpp
@@ -30,7 +30,7 @@
 #include "InterfaceData.h"
 
 #include "fwbuilder/Resources.h"
-#include "fwbuilder/IPAddress.h"
+#include "fwbuilder/InetAddr.h"
 
 using namespace libfwbuilder;
 using namespace std;
@@ -54,16 +54,17 @@ void InterfaceData::guessLabel(const string &platform)
     if (!isDyn &&
         !isUnnumbered &&
         !isBridgePort &&
-        address=="127.0.0.1") label="loopback";
+        address == InetAddr::getLoopbackAddr().toString())
+        label="loopback";
 }
 
 
 
 void InterfaceData::guessSecurityLevel(const string &platform)
 {
-    IPNetwork n10(IPAddress("10.0.0.0"),Netmask("255.0.0.0"));
-    IPNetwork n172(IPAddress("172.16.0.0"),Netmask("255.240.0.0"));
-    IPNetwork n192(IPAddress("192.168.0.0"),Netmask("255.255.0.0"));
+    InetAddrMask n10(InetAddr("10.0.0.0"), InetNetmask("255.0.0.0"));
+    InetAddrMask n172(InetAddr("172.16.0.0"), InetNetmask("255.240.0.0"));
+    InetAddrMask n192(InetAddr("192.168.0.0"), InetNetmask("255.255.0.0"));
 
     securityLevel=-1;
 
@@ -89,14 +90,14 @@ void InterfaceData::guessSecurityLevel(const string &platform)
          llbl=="internal_net" ||
          llbl=="internal net" )      securityLevel=100;
 
-    if ( address=="127.0.0.1") securityLevel=100;
-    if ( name=="Null0" )       securityLevel=100;
+    if ( address==InetAddr::getLoopbackAddr().toString()) securityLevel=100; 
+    if ( name=="Null0" )       securityLevel=100; 
 
     if (securityLevel==-1 && !isDyn && !isUnnumbered && !isBridgePort)
     {
-        if (n10.belongs(  IPAddress( address ) )) securityLevel=100;
-        if (n172.belongs( IPAddress( address ) )) securityLevel=100;
-        if (n192.belongs( IPAddress( address ) )) securityLevel=100;
+        if (n10.belongs(  InetAddr( address ) )) securityLevel=100;
+        if (n172.belongs( InetAddr( address ) )) securityLevel=100;
+        if (n192.belongs( InetAddr( address ) )) securityLevel=100;
     }
 
     if (isDyn || isUnnumbered || isBridgePort) securityLevel=0;
@@ -141,13 +142,13 @@ void  InterfaceData::guessSecurityLevel(const string &platform,
 
     if (ifaces.size()==2)
     {
-        if (ifaces.front().address=="127.0.0.1")
+        if (ifaces.front().address==InetAddr::getLoopbackAddr().toString()) 
         {
             ifaces.front().securityLevel=100;
             ifaces.back().securityLevel=0;
         } else
         {
-            if (ifaces.back().address=="127.0.0.1")
+            if (ifaces.back().address==InetAddr::getLoopbackAddr().toString()) 
             {
                 ifaces.front().securityLevel=0;
                 ifaces.back().securityLevel=100;
diff --git a/src/gui/NetworkDialog.cpp b/src/gui/NetworkDialog.cpp
index af7138ce8..7d5a867b1 100644
--- a/src/gui/NetworkDialog.cpp
+++ b/src/gui/NetworkDialog.cpp
@@ -114,7 +114,7 @@ void NetworkDialog::validate(bool *res)
     assert(s!=NULL);
     try
     {
-        IPAddress( m_dialog->address->text().toLatin1().constData() );
+        InetAddr( m_dialog->address->text().toLatin1().constData() );
     } catch (FWException &ex)
     {
         *res=false;
@@ -125,7 +125,7 @@ void NetworkDialog::validate(bool *res)
     }
     try
     {
-        Netmask( m_dialog->netmask->text().toLatin1().constData() );
+        InetNetmask( m_dialog->netmask->text().toLatin1().constData() );
     } catch (FWException &ex)
     {
         *res=false;
@@ -156,8 +156,10 @@ void NetworkDialog::applyChanges()
     obj->setComment( string(m_dialog->comment->toPlainText().toUtf8().constData()) );
     try
     {
-        s->setAddress( m_dialog->address->text().toLatin1().constData() );
-        s->setNetmask( m_dialog->netmask->text().toLatin1().constData() );
+        s->setAddress(
+            InetAddr(m_dialog->address->text().toLatin1().constData()) );
+        s->setNetmask(
+            InetNetmask(m_dialog->netmask->text().toLatin1().constData()) );
     } catch (FWException &ex)
     {
 /* exception thrown if user types illegal m_dialog->address or m_dialog->netmask */
diff --git a/src/gui/fwbuilder_ph.h b/src/gui/fwbuilder_ph.h
index 96b3881a4..60f749f32 100755
--- a/src/gui/fwbuilder_ph.h
+++ b/src/gui/fwbuilder_ph.h
@@ -2,6 +2,8 @@
 #include "utils.h"
 #include "config.h"
 #include <iostream>
+#include "fwbuilder/InetAddr.h"
+#include "fwbuilder/InetAddrMask.h"
 #include "fwbuilder/Firewall.h"
 #include <qcheckbox.h>
 #include <qcombobox.h>
@@ -104,7 +106,6 @@
 #include <functional>
 #include <qprinter.h>
 #include <qrect.h>
-#include "fwbuilder/IPAddress.h"
 #include <ios>
 #include <qwidget.h>
 #include <qtablewidget.h>
diff --git a/src/gui/instDialog.cpp b/src/gui/instDialog.cpp
index 3e9940c64..4134bbdf1 100644
--- a/src/gui/instDialog.cpp
+++ b/src/gui/instDialog.cpp
@@ -766,7 +766,8 @@ bool instDialog::doInstallPage(Firewall* f)
             .arg(cnf.fwobj->getName().c_str()).toLatin1().constData() );
         return false;
     }
-    if ((cnf.maddr == "" || cnf.maddr == "0.0.0.0"))
+    if (cnf.maddr == "" ||
+        cnf.maddr == QString(InetAddr::getAny().toString().c_str()))
     {
         addToLog(
             QObject::tr("Management interface does not have IP address, can not communicate with the firewall.") );
diff --git a/src/gui/newFirewallDialog.cpp b/src/gui/newFirewallDialog.cpp
index 9ceae1683..8b80f727b 100644
--- a/src/gui/newFirewallDialog.cpp
+++ b/src/gui/newFirewallDialog.cpp
@@ -256,14 +256,14 @@ void newFirewallDialog::getInterfacesViaSNMP()
 
     getInterfacesBusy = true;
 
-    IPAddress addr;
+    InetAddr addr;
     QString name=m_dialog->obj_name->text().toLatin1().constData();
     try
     {
         QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) );
         QString a = getAddrByName(name);
         QApplication::restoreOverrideCursor();
-        addr = a.toAscii().constData();
+        addr = InetAddr(a.toAscii().constData());
     } catch (FWException &ex)
     {
         QMessageBox::warning(
@@ -587,13 +587,15 @@ void newFirewallDialog::addInterface()
         addr = m_dialog->iface_addr->text();
         netm = m_dialog->iface_netmask->text();
 
-        if (addr.isEmpty()) addr="0.0.0.0";
-        if (netm.isEmpty()) netm="0.0.0.0";
+        if (addr.isEmpty())
+            addr = QString(InetAddr::getAny().toString().c_str());
+        if (netm.isEmpty())
+            netm = QString(InetAddr::getAny().toString().c_str());
 
         try
         {
-            IPAddress(addr.toLatin1().constData());
-            Netmask(netm.toLatin1().constData());
+            InetAddr(addr.toLatin1().constData());
+            InetNetmask(netm.toLatin1().constData());
         }
         catch (FWException &ex)
         {
@@ -809,8 +811,8 @@ void newFirewallDialog::finishClicked()
             {
                 QString addrname=QString("%1:%2:ip").arg(m_dialog->obj_name->text()).arg(name);
                 IPv4 *oa = IPv4::cast(mw->createObject(oi, IPv4::TYPENAME,addrname));
-                oa->setAddress( addr.toLatin1().constData()    );
-                oa->setNetmask( netmask.toLatin1().constData() );
+                oa->setAddress( InetAddr(addr.toLatin1().constData()) );
+                oa->setNetmask( InetNetmask(netmask.toLatin1().constData()) );
             }
             // updateObjName has a side effect: it causes redraw of the ruleset
             // views in the main window
diff --git a/src/gui/newHostDialog.cpp b/src/gui/newHostDialog.cpp
index dc56035bb..5a51aa2ae 100644
--- a/src/gui/newHostDialog.cpp
+++ b/src/gui/newHostDialog.cpp
@@ -248,14 +248,14 @@ void newHostDialog::getInterfacesViaSNMP()
 
     getInterfacesBusy = true;
 
-    IPAddress addr;
+    InetAddr addr;
     QString name=m_dialog->obj_name->text().toLatin1().constData();
     try
     {
         QApplication::setOverrideCursor( QCursor( Qt::WaitCursor) );
         QString a = getAddrByName(name);
         QApplication::restoreOverrideCursor();
-        addr = a.toAscii().constData();
+        addr = InetAddr(a.toAscii().constData());
     } catch (FWException &ex)
     {
         QMessageBox::warning(
@@ -489,18 +489,21 @@ void newHostDialog::addInterface()
     QString addr;
     QString netm;
 
-    if (!m_dialog->iface_dyn->isChecked() && !m_dialog->iface_unnum->isChecked())
+    if (!m_dialog->iface_dyn->isChecked() &&
+        !m_dialog->iface_unnum->isChecked())
     {
         addr = m_dialog->iface_addr->text();
         netm = m_dialog->iface_netmask->text();
 
-        if (addr.isEmpty()) addr="0.0.0.0";
-        if (netm.isEmpty()) netm="0.0.0.0";
+        if (addr.isEmpty()) 
+            addr = QString(InetAddr::getAny().toString().c_str());
+        if (netm.isEmpty())
+            netm = QString(InetAddr::getAny().toString().c_str());
 
         try
         {
-            IPAddress(addr.toLatin1().constData());
-            Netmask(netm.toLatin1().constData());
+            InetAddr(addr.toLatin1().constData());
+            InetNetmask(netm.toLatin1().constData());
         }
         catch (FWException &ex)
         {
@@ -628,8 +631,8 @@ void newHostDialog::finishClicked()
                 IPv4 *oa = IPv4::cast(
                     mw->createObject(oi, IPv4::TYPENAME,addrname)
                 );
-                oa->setAddress( addr.toLatin1().constData()    );
-                oa->setNetmask( netmask.toLatin1().constData() );
+                oa->setAddress( InetAddr(addr.toLatin1().constData()) );
+                oa->setNetmask( InetNetmask(netmask.toLatin1().constData()) );
             }
 
             mw->updateObjName(oi,"","",false);
diff --git a/src/iosacl/PolicyCompiler_iosacl.cpp b/src/iosacl/PolicyCompiler_iosacl.cpp
index 8503923bf..bd597dc00 100644
--- a/src/iosacl/PolicyCompiler_iosacl.cpp
+++ b/src/iosacl/PolicyCompiler_iosacl.cpp
@@ -109,14 +109,14 @@ int PolicyCompiler_iosacl::prolog()
             {
                 if (netmask.find(".")!=string::npos)
                 {
-                    Netmask nm(netmask);
-                    nm.to32BitInt(); // to avoid warning abt unused var
+                    InetNetmask nm(netmask);
+                    nm.getLength(); // to avoid warning abt unused var
                 } else
                 {
                     int nm_length;
                     istringstream  str(netmask);
                     str >> nm_length;
-                    Netmask nm(nm_length);
+                    InetNetmask nm(nm_length);
                     netmask = nm.toString();
                 }
             } catch(FWException &ex)
@@ -127,8 +127,8 @@ int PolicyCompiler_iosacl::prolog()
 
         try
         {
-            IPAddress a(addr);
-            a.to32BitInt();
+            InetAddr a(addr);
+            a.isAny();
         } catch(FWException &ex)
         {
             abort("Invalid address for management subnet: '"+addr+"'");
@@ -143,10 +143,10 @@ int PolicyCompiler_iosacl::prolog()
 
         // cisco uses "wildcards" instead of netmasks
 
-        long nm = Netmask(netmask).to32BitInt();
-        struct in_addr na;
-        na.s_addr = ~nm;
-        IPAddress nnm(&na);
+        //long nm = InetNetmask(netmask).to32BitInt();
+        //struct in_addr na;
+        //na.s_addr = ~nm;
+        InetAddr nnm( ~(InetNetmask(netmask)) );
 
         output << clearACLcmd << " " << temp_acl << endl;
         output << "ip access-list extended " << temp_acl << endl;
diff --git a/src/iosacl/PolicyCompiler_iosacl_writers.cpp b/src/iosacl/PolicyCompiler_iosacl_writers.cpp
index 691abed95..3664befb2 100644
--- a/src/iosacl/PolicyCompiler_iosacl_writers.cpp
+++ b/src/iosacl/PolicyCompiler_iosacl_writers.cpp
@@ -371,8 +371,8 @@ string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address  *o)
 {
     ostringstream  str;
 
-    IPAddress srcaddr=o->getAddress();
-    Netmask   srcmask=o->getNetmask();
+    InetAddr srcaddr=o->getAddress();
+    InetNetmask   srcmask=o->getNetmask();
 
     if (Interface::cast(o)!=NULL)
     {
@@ -382,18 +382,18 @@ string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address  *o)
 	    return string("interface ") + interface_->getLabel() + " ";
 	}
 
-	srcmask=Netmask("255.255.255.255");
+	srcmask=InetNetmask(InetAddr::getAllOnes());
     }
 
     if (IPv4::cast(o)!=NULL) 
-	srcmask=Netmask("255.255.255.255");
+	srcmask=InetNetmask(InetAddr::getAllOnes());
 
 
-    if (srcaddr.toString()=="0.0.0.0" && srcmask.toString()=="0.0.0.0")
+    if (srcaddr.isAny() && srcmask.isAny())
     {
 	str << "any ";
     } else {
-	if (srcmask.toString()=="255.255.255.255")
+	if (srcmask.isHostMask())
         {
 	    str << "host " << srcaddr.toString() << " ";
 	} else
@@ -402,10 +402,10 @@ string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address  *o)
 
             // cisco uses "wildcards" instead of netmasks
 
-            long nm = srcmask.to32BitInt();
-            struct in_addr na;
-            na.s_addr = ~nm;
-            IPAddress nnm(&na);
+            //long nm = srcmask.to32BitInt();
+            //struct in_addr na;
+            //na.s_addr = ~nm;
+            InetAddr nnm( ~srcmask );
 
 	    str << nnm.toString() << " ";
 	}
diff --git a/src/ipf/ipf.cpp b/src/ipf/ipf.cpp
index 7a6a24664..a857e7f99 100644
--- a/src/ipf/ipf.cpp
+++ b/src/ipf/ipf.cpp
@@ -319,7 +319,7 @@ int main(int argc, char * const *argv)
                 for (list<FWObject*>::iterator j=la.begin(); j!=la.end(); ++j) 
                 {
                     IPv4 *ipv4 = IPv4::cast(*j);
-                    if ( ipv4->getAddress().toString()=="0.0.0.0")
+                    if ( ipv4->getAddress() == InetAddr::getAny())
                     {
                         char errstr[256];
                         sprintf(errstr,
diff --git a/src/ipfw/ipfw.cpp b/src/ipfw/ipfw.cpp
index 9a7d793b0..6bc4dbfaf 100644
--- a/src/ipfw/ipfw.cpp
+++ b/src/ipfw/ipfw.cpp
@@ -286,7 +286,7 @@ int main(int argc, char * const *argv)
                 for (list<FWObject*>::iterator j=la.begin(); j!=la.end(); ++j) 
                 {
                     IPv4 *ipv4 = IPv4::cast(*j);
-                    if ( ipv4->getAddress().toString()=="0.0.0.0")
+                    if ( ipv4->getAddress() == InetAddr::getAny())
                     {
                         char errstr[256];
                         sprintf(errstr,
diff --git a/src/ipt/NATCompiler_PrintRule.cpp b/src/ipt/NATCompiler_PrintRule.cpp
index 73e1e6dd1..cd1cbbe64 100644
--- a/src/ipt/NATCompiler_PrintRule.cpp
+++ b/src/ipt/NATCompiler_PrintRule.cpp
@@ -453,37 +453,39 @@ string NATCompiler_ipt::PrintRule::_printAddr(Address  *o,bool print_mask,bool p
         assert(atrt==NULL);
     }
 
-    IPAddress addr=o->getAddress();
-    Netmask   mask=o->getNetmask();
-    Interface *iface;
-    if ( (iface=Interface::cast(o))!=NULL ) 
+    if (print_range && AddressRange::cast(o)!=NULL)
     {
-        if (iface->isDyn() && iface->getBool("use_var_address"))
-        {
-            ostr << "$" << ipt_comp->getInterfaceVarName(iface) << " ";
-            return ostr.str();
-        }
-//        if (Interface::cast(o)->isDyn()) return;
-	mask=Netmask("255.255.255.255");
-    }
-
-    if (IPv4::cast(o)!=NULL) 
-    {
-	mask=Netmask("255.255.255.255");
-    }
-
-    if (print_range && AddressRange::cast(o)!=NULL) {
-	IPAddress a1=AddressRange::cast(o)->getRangeStart();
-	IPAddress a2=AddressRange::cast(o)->getRangeEnd();
+	InetAddr a1 = AddressRange::cast(o)->getRangeStart();
+	InetAddr a2 = AddressRange::cast(o)->getRangeEnd();
 	ostr << a1.toString() << "-" << a2.toString();
-    } else {
-	if (addr.toString()=="0.0.0.0" && mask.toString()=="0.0.0.0") {
+    } else
+    {
+        const InetAddr& addr=o->getAddress();
+        const InetNetmask&  mask=o->getNetmask();
+
+	if (addr == InetAddr::getAny() && mask == InetAddr::getAny())
+        {
 	    ostr << "0/0";
-	} else {	
+	} else
+        {	
+            Interface *iface;
+            if ( (iface=Interface::cast(o))!=NULL ) 
+            {
+                if (iface->isDyn() && iface->getBool("use_var_address"))
+                {
+                    ostr << "$" << ipt_comp->getInterfaceVarName(iface) << " ";
+                    return ostr.str();
+                }
+                ostr << addr.toString();
+                return ostr.str();
+            }
+
 	    ostr << addr.toString();
-	    if (print_mask && mask.toString()!="255.255.255.255") {
-		ostr << "/" << mask.getLength();
-	    }
+
+            if (print_mask && IPv4::cast(o)==NULL && !mask.isHostMask())
+            {
+                ostr << "/" << mask.getLength();
+            }
 	}
     }
     return ostr.str();
@@ -571,7 +573,7 @@ bool NATCompiler_ipt::PrintRule::processNext()
  * fool-proof: this is last resort check for situation when user created IPv4 object
  * for the interface but left it with empty address ( 0.0.0.0 ). 
  */
-        if ( ! physaddress.empty() && osrc->getAddress()==IPAddress("0.0.0.0"))
+        if ( ! physaddress.empty() && osrc->getAddress()==InetAddr())
         {
             ;
         } else
diff --git a/src/ipt/NATCompiler_ipt.cpp b/src/ipt/NATCompiler_ipt.cpp
index 91ced98ee..e3d784602 100644
--- a/src/ipt/NATCompiler_ipt.cpp
+++ b/src/ipt/NATCompiler_ipt.cpp
@@ -221,21 +221,21 @@ bool NATCompiler_ipt::ConvertLoadBalancingRules::processNext()
     {
         RuleElementTDst  *tdst=rule->getTDst();  assert(tdst);
 
-        list<IPAddress> al;
+        list<const InetAddr*> al;
         for(list<FWObject*>::iterator i=tdst->begin(); i!=tdst->end(); i++) 
         {
             FWObject *o= *i;
             FWObject *obj = NULL;
             if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
-            Address *a=Address::cast(obj);
+            Address *a = Address::cast(obj);
 
-            al.push_back( a->getAddress() );
+            al.push_back( a->getAddressPtr() );
         }
 
         al.sort();
 
-        IPAddress a1=al.front();
-        list<IPAddress>::iterator j=al.begin();
+        const InetAddr* a1 = al.front();
+        list<const InetAddr*>::iterator j=al.begin();
         j++;
 
         for ( ; j!=al.end(); j++)
@@ -244,21 +244,23 @@ bool NATCompiler_ipt::ConvertLoadBalancingRules::processNext()
  * big endian/little endian conversion for me 
  */
             AddressRange tar;
-            tar.setRangeStart( a1 );
-            tar.setRangeEnd( *j );
+            tar.setRangeStart( *a1 );
+            tar.setRangeEnd( *(*j) );
             if ( tar.dimension() != 2 )
             {
                 compiler->abort(
                     string( _("Non-contiguous address range in Translated Destination in load balancing NAT rule ") )+
                     rule->getLabel());
             }
-            a1= *j;
+            a1 = *j;
         }
 
-        AddressRange *ar= AddressRange::cast(compiler->dbcopy->create(AddressRange::TYPENAME) );
-        ar->setRangeStart( al.front() );
-        ar->setRangeEnd( al.back() );
-        ar->setName(string("%")+al.front().toString()+"-"+al.back().toString()+"%" );
+        AddressRange *ar = AddressRange::cast(
+            compiler->dbcopy->create(AddressRange::TYPENAME) );
+        ar->setRangeStart( *(al.front()) );
+        ar->setRangeEnd( *(al.back()) );
+        ar->setName(string("%")+al.front()->toString()
+                    +"-"+al.back()->toString()+"%" );
         compiler->cacheObj(ar); // to keep cache consistent
         compiler->dbcopy->add(ar,false);
         tdst->clearChildren();
@@ -2023,7 +2025,6 @@ bool NATCompiler_ipt::processMultiAddressObjectsInRE::processNext()
         dynamic_cast<OSConfigurator_linux24*>(compiler->osconfigurator);
 
     RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) );
-    bool neg = re->getNeg();
 
     if (re->size()==1) 
     {
diff --git a/src/ipt/OSConfigurator_linux24.cpp b/src/ipt/OSConfigurator_linux24.cpp
index 9630ecc5a..376c8fb45 100644
--- a/src/ipt/OSConfigurator_linux24.cpp
+++ b/src/ipt/OSConfigurator_linux24.cpp
@@ -28,6 +28,8 @@
 
 #include "OSConfigurator_linux24.h"
 
+#include "fwbuilder/InetAddr.h"
+
 #include "fwbuilder/Firewall.h"
 #include "fwbuilder/FWOptions.h"
 #include "fwbuilder/Interface.h"
@@ -199,29 +201,25 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Network *nw)
     if ( options->getBool("manage_virtual_addr") ) 
     {
         if (virtual_addresses.empty() || 
-            find(virtual_addresses.begin(),virtual_addresses.end(),nw->getAddress())==virtual_addresses.end()) 
+            find(virtual_addresses.begin(),virtual_addresses.end(),
+                 nw->getAddress())==virtual_addresses.end()) 
         {
             Interface *iface=findInterfaceFor( nw, fw );
             if (iface!=NULL)
             {
-                IPNetwork n( nw->getAddress() , nw->getNetmask() );
-
-                IPAddress a;
+                const InetAddr& a = nw->getAddress();
                 string str, subnet, first, last;
 
-                a=nw->getAddress() +1;
-                first  = a.toString();
-                        
-                a      = n.getBroadcastAddress() -1;
-                last   = a.toString();
+                first  = (a + 1).toString();
+                last   = (nw->getBroadcastAddress() -1).toString();
 
                 ostr                                       << endl;
 
                 ostr << "a=\"" << first << "\""            << endl;
                 ostr << "while test \"$a\" != \"" << last << "\"; do" << endl;
 
-                ostr << "  add_addr ${a} " << nw->getNetmask().getLength() << " "
-                       << iface->getName() << endl;
+                ostr << "  add_addr ${a} " << nw->getNetmask().getLength()
+                     << " " << iface->getName() << endl;
 
                 ostr                                       << endl;
                 ostr << "  OIFS=$IFS"                      << endl;
@@ -254,7 +252,8 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr)
     if ( options->getBool("manage_virtual_addr") ) 
     {
         if (virtual_addresses.empty() || 
-            find(virtual_addresses.begin(),virtual_addresses.end(),addr->getAddress())==virtual_addresses.end()) 
+            find(virtual_addresses.begin(),virtual_addresses.end(),
+                 addr->getAddress())==virtual_addresses.end()) 
         {
             IPv4 *iaddr=IPv4::cast( findAddressFor(addr, fw ) );
             if (iaddr!=NULL)
@@ -269,7 +268,8 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr)
                 virtual_addresses.push_back(addr->getAddress());
                 registerVirtualAddressForNat();
             } else
-                warning(_("Can not add virtual address ") + addr->getAddress().toString() +
+                warning(_("Can not add virtual address ") + 
+                        addr->getAddress().toString() +
                         _(" (object ") + addr->getName() + ")" );
         }
         commands_to_add_virtual_addresses.push_back(ostr.str());
diff --git a/src/ipt/OSConfigurator_linux24.h b/src/ipt/OSConfigurator_linux24.h
index f22100776..36c88d17f 100644
--- a/src/ipt/OSConfigurator_linux24.h
+++ b/src/ipt/OSConfigurator_linux24.h
@@ -42,9 +42,9 @@ namespace fwcompiler {
     class OSConfigurator_linux24 : public OSConfigurator {
 
         OSData   os_data;
-        std::map<std::string,std::string>    address_table_objects;
-	std::vector<libfwbuilder::IPAddress> virtual_addresses;
-        std::list<std::string>               commands_to_add_virtual_addresses;
+        std::map<std::string,std::string>   address_table_objects;
+	std::vector<libfwbuilder::InetAddr> virtual_addresses;
+        std::list<std::string>              commands_to_add_virtual_addresses;
 
         std::string getInterfaceVarName(libfwbuilder::FWObject *iface);
         
diff --git a/src/ipt/PolicyCompiler_PrintRule.cpp b/src/ipt/PolicyCompiler_PrintRule.cpp
index ec49a60c4..7c625bbdc 100644
--- a/src/ipt/PolicyCompiler_PrintRule.cpp
+++ b/src/ipt/PolicyCompiler_PrintRule.cpp
@@ -906,40 +906,18 @@ string PolicyCompiler_ipt::PrintRule::_printAddr(Address  *o)
         return ostr.str();
     }
 
-    IPAddress addr;
-    Netmask   mask;
-    try {
-        addr=o->getAddress();
+    const InetAddr& addr = o->getAddress();
+    const InetNetmask& mask = o->getNetmask();
 
-        if (Interface::cast(o)!=NULL || IPv4::cast(o)!=NULL) mask=Netmask("255.255.255.255");
-        else            mask=o->getNetmask();
-    }
-    catch (FWException ex)  
-    {
-        FWObject *obj=o;
-/*
- * check if this is object of class Address. since we want to
- * distinguish between Host, Interface and Address, and both Host and
- * Interface are inherited from Address, we can't use cast. Use isA
- * instead
- */
-        while (obj!=NULL && 
-               !Host::isA(obj) && 
-               !Firewall::isA(obj)  && 
-               !Network::isA(obj))  obj=obj->getParent();
-
-        compiler->error(_("Problem with address or netmask in the object or one of its interfaces: '")+obj->getName()+"'");
-        throw;
-    }
-
-
-    if (addr.toString()=="0.0.0.0" && mask.toString()=="0.0.0.0") 
+    if (addr.isAny() && mask.isAny())
     {
         ostr << "0/0 ";
     } else 
     {
         ostr << addr.toString();
-        if (mask.toString()!="255.255.255.255") 
+
+        if (Interface::cast(o)==NULL && IPv4::cast(o)==NULL &&
+            !mask.isHostMask())
         {
             ostr << "/" << mask.getLength();
         }
@@ -1080,7 +1058,6 @@ PolicyCompiler_ipt::PrintRule::PrintRule(const std::string &name) : PolicyRulePr
 
 bool  PolicyCompiler_ipt::PrintRule::processNext()
 {
-    PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
     PolicyRule         *rule    =getNext(); 
     if (rule==NULL) return false;
 
@@ -1147,7 +1124,7 @@ string PolicyCompiler_ipt::PrintRule::PolicyRuleToString(PolicyRule *rule)
  * fool-proof: this is last resort check for situation when user created IPv4 object
  * for the interface but left it with empty address ( 0.0.0.0 ). 
  */
-        if ( ! physaddress.empty() && src->getAddress()==IPAddress("0.0.0.0"))
+        if ( ! physaddress.empty() && src->getAddress()==InetAddr())
         {
             ;
         } else
@@ -1202,7 +1179,7 @@ string PolicyCompiler_ipt::PrintRule::_declareTable()
 
 string PolicyCompiler_ipt::PrintRule::_flushAndSetDefaultPolicy()
 {
-    PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
+//  PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
     FWOptions *fwopt = compiler->getCachedFwOpt();
     ostringstream res;
 
diff --git a/src/ipt/PolicyCompiler_PrintRuleIptRst.cpp b/src/ipt/PolicyCompiler_PrintRuleIptRst.cpp
index 358de9457..40c25f42d 100644
--- a/src/ipt/PolicyCompiler_PrintRuleIptRst.cpp
+++ b/src/ipt/PolicyCompiler_PrintRuleIptRst.cpp
@@ -135,7 +135,6 @@ string PolicyCompiler_ipt::PrintRuleIptRst::_declareTable()
 
 string PolicyCompiler_ipt::PrintRuleIptRst::_flushAndSetDefaultPolicy()
 {
-    PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
     ostringstream res;
 
     res << ":INPUT DROP [0:0]" << endl;
diff --git a/src/ipt/PolicyCompiler_PrintRuleIptRstEcho.cpp b/src/ipt/PolicyCompiler_PrintRuleIptRstEcho.cpp
index 5a37266da..984e5d7af 100644
--- a/src/ipt/PolicyCompiler_PrintRuleIptRstEcho.cpp
+++ b/src/ipt/PolicyCompiler_PrintRuleIptRstEcho.cpp
@@ -101,7 +101,6 @@ string PolicyCompiler_ipt::PrintRuleIptRstEcho::_declareTable()
 
 string PolicyCompiler_ipt::PrintRuleIptRstEcho::_flushAndSetDefaultPolicy()
 {
-    PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
     ostringstream res;
 
     res << "echo :INPUT DROP [0:0]" << endl;
diff --git a/src/ipt/PolicyCompiler_ipt.cpp b/src/ipt/PolicyCompiler_ipt.cpp
index c46de46c6..c3e7f1596 100644
--- a/src/ipt/PolicyCompiler_ipt.cpp
+++ b/src/ipt/PolicyCompiler_ipt.cpp
@@ -340,8 +340,8 @@ int PolicyCompiler_ipt::prolog()
     bcast255=Address::cast(dbcopy->create(IPv4::TYPENAME) );
     bcast255->setId(BCAST_255_OBJ_ID);
     bcast255->setName("Broadcast_addr");
-    bcast255->setAddress("255.255.255.255");
-    bcast255->setNetmask("255.255.255.255");
+    bcast255->setAddress(InetAddr::getAllOnes());
+    bcast255->setNetmask(InetNetmask(InetAddr::getAllOnes()));
     dbcopy->add(bcast255);
     cacheObj(bcast255);
 
@@ -1707,23 +1707,25 @@ bool PolicyCompiler_ipt::splitIfIfaceAndDirectionBoth::processNext()
     return true;
 }
 
-bool PolicyCompiler_ipt::bridgingFw::checkForMatchingBroadcastAndMulticast(Address *addr)
+bool PolicyCompiler_ipt::bridgingFw::checkForMatchingBroadcastAndMulticast(
+    Address *addr)
 {
 
-    IPAddress obj1_addr=addr->getAddress();
-    if (obj1_addr!=IPAddress("0.0.0.0") && 
+    const InetAddr& obj1_addr = addr->getAddress();
+    if (!obj1_addr.isAny() &&
         (obj1_addr.isBroadcast() || obj1_addr.isMulticast())
     ) return true;
 
-    FWObjectTypedChildIterator j=compiler->fw->findByType(Interface::TYPENAME);
-    for ( ; j!=j.end(); ++j ) 
+    FWObjectTypedChildIterator j= compiler->fw->findByType(Interface::TYPENAME);
+    for ( ; j!=j.end(); ++j )
     {
-        Interface *iface=Interface::cast(*j);
+        Interface *iface = Interface::cast(*j);
         if ( iface->isRegular() )
         {
-            FWObjectTypedChildIterator k=iface->findByType(IPv4::TYPENAME);
-            for ( ; k!=k.end(); ++k ) {
-                IPv4 *ipv4=IPv4::cast(*k);
+            FWObjectTypedChildIterator k = iface->findByType(IPv4::TYPENAME);
+            for ( ; k!=k.end(); ++k )
+            {
+                IPv4 *ipv4 = IPv4::cast(*k);
 
 /*
  * bug #780345: if interface has netmask 255.255.255.255, its own
@@ -1736,7 +1738,8 @@ bool PolicyCompiler_ipt::bridgingFw::checkForMatchingBroadcastAndMulticast(Addre
  * interface, and the netmask is 255.255.255.255, then we get positive
  * match because this routine interprets this address as a broadcast.
  */
-                if (ipv4->getNetmask()==Netmask("255.255.255.255")) continue;
+                if (ipv4->getNetmask().isHostMask())
+                    continue;
 /*
  * commented out to fix bug #637694 - "bridge enbaled / management"
  * Rule where firewall was in destination, and bridging option was on,
@@ -1745,9 +1748,8 @@ bool PolicyCompiler_ipt::bridgingFw::checkForMatchingBroadcastAndMulticast(Addre
    if ( ipv4->getAddress()==obj1_addr ) return true;
 
  */
-                IPNetwork n( ipv4->getAddress() , ipv4->getNetmask() );
-                if (n.getAddress()==obj1_addr)  return true; 
-                if (n.getBroadcastAddress()==obj1_addr)  return true;
+                if (ipv4->getNetworkAddress() == obj1_addr)  return true; 
+                if (ipv4->getBroadcastAddress() == obj1_addr)  return true;
            }
         }
     }
@@ -3467,7 +3469,6 @@ bool PolicyCompiler_ipt::processMultiAddressObjectsInRE::processNext()
         dynamic_cast<OSConfigurator_linux24*>(compiler->osconfigurator);
 
     RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) );
-    bool neg = re->getNeg();
 
     if (re->size()==1) 
     {
diff --git a/src/ipt/RoutingCompiler_ipt.cpp b/src/ipt/RoutingCompiler_ipt.cpp
index 4314bfae0..a2e1ace46 100644
--- a/src/ipt/RoutingCompiler_ipt.cpp
+++ b/src/ipt/RoutingCompiler_ipt.cpp
@@ -56,8 +56,6 @@ using namespace libfwbuilder;
 using namespace fwcompiler;
 using namespace std;
 
-static int chain_no=0;
-
 static std::map<std::string,int> tmp_chain_no;
 
 string RoutingCompiler_ipt::myPlatformName() { return "iptables"; }
diff --git a/src/ipt/RoutingCompiler_ipt_writers.cpp b/src/ipt/RoutingCompiler_ipt_writers.cpp
index 4471f6fa4..9734e89d0 100644
--- a/src/ipt/RoutingCompiler_ipt_writers.cpp
+++ b/src/ipt/RoutingCompiler_ipt_writers.cpp
@@ -78,13 +78,15 @@ string RoutingCompiler_ipt::PrintRule::_printAddr(Address  *o)
         return ostr.str();
     }
 
-    IPAddress addr;
-    Netmask   mask;
+    InetAddr addr;
+    InetNetmask   mask;
     try {
         addr=o->getAddress();
 
-        if (Interface::cast(o)!=NULL || IPv4::cast(o)!=NULL) mask=Netmask("255.255.255.255");
-        else            mask=o->getNetmask();
+        if (Interface::cast(o)!=NULL || IPv4::cast(o)!=NULL)
+            mask = InetNetmask(InetAddr::getAllOnes());
+        else
+            mask = o->getNetmask();
     }
     catch (FWException ex)  
     {
@@ -105,13 +107,13 @@ string RoutingCompiler_ipt::PrintRule::_printAddr(Address  *o)
     }
 
 
-    if (addr.toString()=="0.0.0.0" && mask.toString()=="0.0.0.0") 
+    if (addr == InetAddr::getAny() && mask == InetAddr::getAny()) 
     {
         ostr << "default ";
     } else 
     {
         ostr << addr.toString();
-        if (mask.toString()!="255.255.255.255") 
+        if (!mask.isHostMask())
         {
             ostr << "/" << mask.getLength();
         }
diff --git a/src/ipt/ipt.cpp b/src/ipt/ipt.cpp
index c3b1c0e8b..ff65c66a7 100644
--- a/src/ipt/ipt.cpp
+++ b/src/ipt/ipt.cpp
@@ -361,12 +361,15 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
                 for (list<FWObject*>::iterator j=la.begin(); j!=la.end(); ++j) 
                 {
                     IPv4 *ipv4 = IPv4::cast(*j);
-                    if ( ipv4->getAddress().toString()=="0.0.0.0")
+
+                    if ( ipv4->getAddress().isAny())
                     {
                         char errstr[256];
                         sprintf(errstr,
-                      _("Interface %s has IP address \"0.0.0.0\".\n"),
-                                iface->getName().c_str() );
+                                "Interface %s (id=%s) has IP address %s.\n",
+                                iface->getName().c_str(),
+                                iface->getId().c_str(),
+                                ipv4->getAddress().toString().c_str());
                         throw FWException(errstr);
                     }
                 }
diff --git a/src/pf/pf.cpp b/src/pf/pf.cpp
index 6a1bc42fd..18908f5b0 100644
--- a/src/pf/pf.cpp
+++ b/src/pf/pf.cpp
@@ -344,7 +344,7 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
                 for (list<FWObject*>::iterator j=la.begin(); j!=la.end(); ++j) 
                 {
                     IPv4 *ipv4 = IPv4::cast(*j);
-                    if ( ipv4->getAddress().toString()=="0.0.0.0")
+                    if ( ipv4->getAddress() == InetAddr::getAny())
                     {
                         char errstr[256];
                         sprintf(errstr,
diff --git a/src/pflib/NATCompiler_ipf_writers.cpp b/src/pflib/NATCompiler_ipf_writers.cpp
index 4db27a39d..664eca162 100644
--- a/src/pflib/NATCompiler_ipf_writers.cpp
+++ b/src/pflib/NATCompiler_ipf_writers.cpp
@@ -73,8 +73,8 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address  *o, bool print_netmask)
 {
     FWOptions* options=compiler->fw->getOptionsObject();
 
-    IPAddress addr=o->getAddress();
-    Netmask   mask=o->getNetmask();
+    InetAddr addr=o->getAddress();
+    InetNetmask   mask=o->getNetmask();
 
     if (Interface::cast(o)!=NULL && Interface::cast(o)->isDyn()) 
     {
@@ -87,12 +87,13 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address  *o, bool print_netmask)
     }
 
     if (Interface::cast(o)!=NULL && ! Interface::cast(o)->isDyn()) 
-	mask=Netmask("255.255.255.255");
+	mask = InetNetmask(InetAddr::getAllOnes());
 
     if (IPv4::cast(o)!=NULL)
-	mask=Netmask("255.255.255.255");
+	mask = InetNetmask(InetAddr::getAllOnes());
 
-    if (addr.toString()=="0.0.0.0" && mask.toString()=="0.0.0.0") {
+    if (addr.isAny() && mask.isAny())
+    {
         compiler->output << "any ";
     } else {
 
@@ -105,18 +106,19 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address  *o, bool print_netmask)
 
 void NATCompiler_ipf::PrintRule::_printAddr_R(Address  *o, bool print_netmask)
 {
-    IPAddress addr=o->getAddress();
-    Netmask   mask=o->getNetmask();
+    InetAddr addr = o->getAddress();
+    InetNetmask mask = o->getNetmask();
 
-    if (Interface::cast(o)!=NULL)
-	mask=Netmask("255.255.255.255");
+    if (Interface::cast(o) != NULL)
+	mask = InetNetmask(InetAddr::getAllOnes());
 
     if (IPv4::cast(o)!=NULL)
-	mask=Netmask("255.255.255.255");
+	mask = InetNetmask(InetAddr::getAllOnes());
 
-    if (addr.toString()=="0.0.0.0" && print_netmask && mask.toString()=="255.255.255.255")
+    if (addr.isAny() && print_netmask &&  mask.isHostMask())
+    {
         compiler->output  << "0/32 ";
-    else
+    } else
     {
         compiler->output << addr.toString();
         if (print_netmask)
@@ -137,7 +139,7 @@ void NATCompiler_ipf::PrintRule::_printAddr_R_LB(RuleElementTDst *tdst)
 
         Address *a=Address::cast(obj);
 
-        IPAddress addr=a->getAddress();
+        InetAddr addr=a->getAddress();
         
         if (!first) compiler->output << ",";
         compiler->output << addr.toString();
diff --git a/src/pflib/NATCompiler_pf.cpp b/src/pflib/NATCompiler_pf.cpp
index 63ad0563e..1ed56bd18 100644
--- a/src/pflib/NATCompiler_pf.cpp
+++ b/src/pflib/NATCompiler_pf.cpp
@@ -90,7 +90,7 @@ int NATCompiler_pf::prolog()
 /* pseudo-host with ip address 127.0.0.1  We'll use it for redirection NAT rules */
     //FWObject    *grp;
     loopback_address=IPv4::cast(dbcopy->create(IPv4::TYPENAME) );
-    loopback_address->setAddress("127.0.0.1");
+    loopback_address->setAddress(InetAddr::getLoopbackAddr());
     loopback_address->setName("__loopback_address__");
     loopback_address->setId("__loopback_address_id__");
     dbcopy->add(loopback_address,false);
diff --git a/src/pflib/NATCompiler_pf_writers.cpp b/src/pflib/NATCompiler_pf_writers.cpp
index 9db2cd49f..9024e7d2e 100644
--- a/src/pflib/NATCompiler_pf_writers.cpp
+++ b/src/pflib/NATCompiler_pf_writers.cpp
@@ -325,8 +325,8 @@ void NATCompiler_pf::PrintRule::_printAddr(FWObject *o)
     }
 
     Address *a = Address::cast(o);
-    IPAddress addr=a->getAddress();
-    Netmask   mask=a->getNetmask();
+    InetAddr addr=a->getAddress();
+    InetNetmask   mask=a->getNetmask();
 
     if (Interface::cast(o)!=NULL)
     {
@@ -337,18 +337,20 @@ void NATCompiler_pf::PrintRule::_printAddr(FWObject *o)
             return;
         }
 
-        mask=Netmask("255.255.255.255");
+        mask = InetNetmask(InetAddr::getAllOnes());
     }
 
     if (IPv4::cast(o)!=NULL) {
-        mask=Netmask("255.255.255.255");
+        mask = InetNetmask(InetAddr::getAllOnes());
     }
 
-    if (addr.toString()=="0.0.0.0" && mask.toString()=="0.0.0.0") {
+    if (addr.isAny() && mask.isAny())
+    {
         compiler->output << "any ";
     } else {
         compiler->output << addr.toString();
-        if (mask.toString()!="255.255.255.255") {
+        if (!mask.isHostMask())
+        {
             compiler->output << "/" << mask.getLength();
         }
         compiler->output  << " ";
diff --git a/src/pflib/OSConfigurator_freebsd.cpp b/src/pflib/OSConfigurator_freebsd.cpp
index ff2286a68..351a7d7b4 100644
--- a/src/pflib/OSConfigurator_freebsd.cpp
+++ b/src/pflib/OSConfigurator_freebsd.cpp
@@ -116,9 +116,8 @@ void OSConfigurator_freebsd::addVirtualAddressForNAT(const Address *addr)
 	    for ( ; j!=j.end(); ++j ) 
             {
 		IPv4 *iaddr=IPv4::cast(*j);
-
-                IPNetwork n( iaddr->getAddress() , iaddr->getNetmask() );
-                if ( n.belongs( addr->getAddress() ) ) {
+                if ( ipv4->belongs( addr->getAddress() ) )
+                {
                     output << "ifconfig " 
                            << iface->getName() << " "
                            << addr->getAddress().toString() << " alias" << endl;
diff --git a/src/pflib/OSConfigurator_freebsd.h b/src/pflib/OSConfigurator_freebsd.h
index 0a3379765..2d7c95000 100644
--- a/src/pflib/OSConfigurator_freebsd.h
+++ b/src/pflib/OSConfigurator_freebsd.h
@@ -38,7 +38,7 @@ namespace fwcompiler {
 
         OSData   os_data;
 
-	std::vector<libfwbuilder::IPAddress> virtual_addresses;
+	std::vector<libfwbuilder::InetAddr> virtual_addresses;
 
         std::string getInterfaceVarName(libfwbuilder::FWObject *iface);
         
diff --git a/src/pflib/OSConfigurator_macosx.h b/src/pflib/OSConfigurator_macosx.h
index 909c5a9bb..c33be2d02 100644
--- a/src/pflib/OSConfigurator_macosx.h
+++ b/src/pflib/OSConfigurator_macosx.h
@@ -38,7 +38,7 @@ namespace fwcompiler {
 
         OSData   os_data;
 
-	std::vector<libfwbuilder::IPAddress> virtual_addresses;
+	std::vector<libfwbuilder::InetAddr> virtual_addresses;
 
 	public:
 
diff --git a/src/pflib/OSConfigurator_openbsd.cpp b/src/pflib/OSConfigurator_openbsd.cpp
index 56785298c..5fc5af0a0 100644
--- a/src/pflib/OSConfigurator_openbsd.cpp
+++ b/src/pflib/OSConfigurator_openbsd.cpp
@@ -117,9 +117,8 @@ void OSConfigurator_openbsd::addVirtualAddressForNAT(const Address *addr)
 	    FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
 	    for ( ; j!=j.end(); ++j ) {
 		IPv4 *iaddr=IPv4::cast(*j);
-
-                IPNetwork n( iaddr->getAddress() , iaddr->getNetmask() );
-                if ( n.belongs( addr->getAddress() ) ) {
+                if ( ipv4->belongs( addr->getAddress() ) )
+                {
                     output << "ifconfig " 
                            << iface->getName() << " "
                            << addr->getAddress().toString() << " alias" << endl;
diff --git a/src/pflib/OSConfigurator_openbsd.h b/src/pflib/OSConfigurator_openbsd.h
index 478bc4226..5d7f50d7d 100644
--- a/src/pflib/OSConfigurator_openbsd.h
+++ b/src/pflib/OSConfigurator_openbsd.h
@@ -38,7 +38,7 @@ namespace fwcompiler {
 
         OSData   os_data;
 
-	std::vector<libfwbuilder::IPAddress> virtual_addresses;
+	std::vector<libfwbuilder::InetAddr> virtual_addresses;
 
 	public:
 
diff --git a/src/pflib/OSConfigurator_solaris.cpp b/src/pflib/OSConfigurator_solaris.cpp
index 89ab9ed41..52145d42a 100644
--- a/src/pflib/OSConfigurator_solaris.cpp
+++ b/src/pflib/OSConfigurator_solaris.cpp
@@ -128,9 +128,8 @@ void OSConfigurator_solaris::addVirtualAddressForNAT(const Address *addr)
 	    for ( ; j!=j.end(); ++j ) 
             {
 		IPv4 *iaddr=IPv4::cast(*j);
-
-                IPNetwork n( iaddr->getAddress() , iaddr->getNetmask() );
-                if ( n.belongs( addr->getAddress() ) ) {
+                if ( ipv4->belongs( addr->getAddress() ) )
+                {
                     output << "ifconfig " 
                            << iface->getName() << " "
                            << addr->getAddress().toString() << " alias" << endl;
diff --git a/src/pflib/OSConfigurator_solaris.h b/src/pflib/OSConfigurator_solaris.h
index 6e3578073..14fea09c8 100644
--- a/src/pflib/OSConfigurator_solaris.h
+++ b/src/pflib/OSConfigurator_solaris.h
@@ -29,7 +29,7 @@
 #include "config.h"
 
 #include "fwcompiler/OSConfigurator.h"
-#include "fwbuilder/IPAddress.h"
+#include "fwbuilder/InetAddr.h"
 
 #include <vector>
 
@@ -41,7 +41,7 @@ namespace fwcompiler {
 
         OSData   os_data;
 
-	std::vector<libfwbuilder::IPAddress> virtual_addresses;
+	std::vector<libfwbuilder::InetAddr> virtual_addresses;
 
 	public:
 
diff --git a/src/pflib/PolicyCompiler_ipf_writers.cpp b/src/pflib/PolicyCompiler_ipf_writers.cpp
index a807eaf98..f07a0c348 100644
--- a/src/pflib/PolicyCompiler_ipf_writers.cpp
+++ b/src/pflib/PolicyCompiler_ipf_writers.cpp
@@ -267,8 +267,8 @@ void PolicyCompiler_ipf::PrintRule::_printAddr(Address  *o,bool neg)
         assert(atrt==NULL);
     }
 
-    IPAddress addr=o->getAddress();
-    Netmask   mask=o->getNetmask();
+    InetAddr addr=o->getAddress();
+    InetNetmask  mask=o->getNetmask();
 
     if (options->getBool("dynAddr") &&
         Interface::cast(o)!=NULL && Interface::cast(o)->isDyn()) 
@@ -279,19 +279,21 @@ void PolicyCompiler_ipf::PrintRule::_printAddr(Address  *o,bool neg)
     }
 
     if (Interface::cast(o)!=NULL) {
-	mask=Netmask("255.255.255.255");
+	mask = InetNetmask(InetAddr::getAllOnes());
     }
 
     if (IPv4::cast(o)!=NULL) {
-	mask=Netmask("255.255.255.255");
+	mask = InetNetmask(InetAddr::getAllOnes());
     }
 
-    if (addr.toString()=="0.0.0.0" && mask.toString()=="0.0.0.0") {
+    if (addr.isAny() && mask.isAny())
+    {
 	compiler->output << "any ";
     } else {	
 	if (neg) compiler->output << "! ";
 	compiler->output << addr.toString();
-	if (mask.toString()!="255.255.255.255") {
+	if (!mask.isHostMask())
+        {
 	    compiler->output << "/" << mask.getLength();
 	}
 	compiler->output << " ";
diff --git a/src/pflib/PolicyCompiler_ipfw_writers.cpp b/src/pflib/PolicyCompiler_ipfw_writers.cpp
index acc5ffaec..a527f1aef 100644
--- a/src/pflib/PolicyCompiler_ipfw_writers.cpp
+++ b/src/pflib/PolicyCompiler_ipfw_writers.cpp
@@ -290,20 +290,21 @@ void PolicyCompiler_ipfw::PrintRule::_printAddr(Address  *o,bool neg)
         assert(atrt==NULL);
     }
 
-    IPAddress addr=o->getAddress();
-    Netmask   mask=o->getNetmask();
+    InetAddr addr=o->getAddress();
+    InetNetmask   mask=o->getNetmask();
 
-    if (Interface::cast(o)!=NULL)  mask=Netmask("255.255.255.255");
-    if (IPv4::cast(o)!=NULL)       mask=Netmask("255.255.255.255");
+    if (Interface::cast(o)!=NULL)  mask = InetNetmask(InetAddr::getAllOnes());
+    if (IPv4::cast(o)!=NULL)       mask = InetNetmask(InetAddr::getAllOnes());
 
-    if (addr.toString()=="0.0.0.0" && mask.toString()=="0.0.0.0") 
+    if (addr.isAny() && mask.isAny()) 
     {
 	compiler->output << "any ";
     } else 
     {
 	if (neg) compiler->output << "not ";
 	compiler->output << addr.toString();
-	if (mask.toString()!="255.255.255.255") {
+	if (!mask.isHostMask())
+        {
 	    compiler->output << "/" << mask.getLength();
 	}
 	compiler->output << " ";
diff --git a/src/pflib/PolicyCompiler_pf.cpp b/src/pflib/PolicyCompiler_pf.cpp
index 0f2408c79..698d82336 100644
--- a/src/pflib/PolicyCompiler_pf.cpp
+++ b/src/pflib/PolicyCompiler_pf.cpp
@@ -388,24 +388,24 @@ void PolicyCompiler_pf::addDefaultPolicyRule()
         cacheObj(ssh); // to keep cache consistent
 
         string mgmt_addr = getCachedFwOpt()->getStr("mgmt_addr");
-        IPAddress  addr;
-        Netmask netmask(32);
+        InetAddr  addr;
+        InetNetmask netmask(InetAddr::getAllOnes());
         try
         {
-            addr = IPAddress(mgmt_addr);
+            addr = InetAddr(mgmt_addr);
             string::size_type sep = mgmt_addr.find("/");
             if (sep != string::npos)
             {
-                addr = IPAddress(mgmt_addr.substr(0,sep));
+                addr = InetAddr(mgmt_addr.substr(0,sep));
                 string nm = mgmt_addr.substr(sep+1);
                 int o1,o2,o3,o4;
                 if(sscanf(nm.c_str(), "%3u.%3u.%3u.%3u", &o1, &o2, &o3, &o4)==4)
                 {
-                    netmask = Netmask(nm);
+                    netmask = InetNetmask(nm);
                 } else
                 {
                     sscanf(nm.c_str(),"%u",&o1);
-                    netmask = Netmask(o1);
+                    netmask = InetNetmask(o1);
                 }
             }
         } catch(FWException &ex)
diff --git a/src/pflib/PolicyCompiler_pf_writers.cpp b/src/pflib/PolicyCompiler_pf_writers.cpp
index 5bc910019..c5c730ec1 100644
--- a/src/pflib/PolicyCompiler_pf_writers.cpp
+++ b/src/pflib/PolicyCompiler_pf_writers.cpp
@@ -187,7 +187,7 @@ void PolicyCompiler_pf::PrintRule::_printRouteOptions(PolicyRule *rule)
                             try 
                             {
                                 string a = roaddr.substr(0,sp);
-                                IPAddress roaddr_addr = IPAddress(a);
+                                InetAddr roaddr_addr = InetAddr(a);
                             } catch (FWException &ex)
                             {
                                 compiler->abort(
@@ -195,14 +195,14 @@ void PolicyCompiler_pf::PrintRule::_printRouteOptions(PolicyRule *rule)
                             }
                             try
                             {
-                                Netmask roaddr_netmask;
+                                InetNetmask roaddr_netmask;
                                 string n = roaddr.substr(sp+1);
                                 if (n.find('.')!=std::string::npos)
                                 {
-                                    roaddr_netmask = n;
+                                    roaddr_netmask = InetNetmask(n);
                                 } else
                                 {
-                                    roaddr_netmask = Netmask(
+                                    roaddr_netmask = InetNetmask(
                                         atoi(n.c_str()));
                                 }
                                 if (roaddr_netmask.getLength()==32)
@@ -224,7 +224,7 @@ void PolicyCompiler_pf::PrintRule::_printRouteOptions(PolicyRule *rule)
                             // roaddr is just an addres
                             try 
                             {
-                                IPAddress roaddr_addr = IPAddress(roaddr);
+                                InetAddr roaddr_addr = InetAddr(roaddr);
                             } catch (FWException &ex)
                             {
                                 compiler->abort(
@@ -596,8 +596,8 @@ void PolicyCompiler_pf::PrintRule::_printAddr(Address  *o,bool neg)
         assert(atrt==NULL);
     }
 
-    IPAddress addr=o->getAddress();
-    Netmask   mask=o->getNetmask();
+    InetAddr addr=o->getAddress();
+    InetNetmask   mask=o->getNetmask();
 
     if (Interface::cast(o)!=NULL)
     {
@@ -608,22 +608,22 @@ void PolicyCompiler_pf::PrintRule::_printAddr(Address  *o,bool neg)
 	    return;
 	}
 
-	mask=Netmask("255.255.255.255");
+	mask = InetNetmask(InetAddr::getAllOnes());
     }
 
     if (IPv4::cast(o)!=NULL) 
     {
-	mask=Netmask("255.255.255.255");
+	mask = InetNetmask(InetAddr::getAllOnes());
     }
 
-    if (addr.toString()=="0.0.0.0" && mask.toString()=="0.0.0.0") 
+    if (addr.isAny() && mask.isAny()) 
     {
 	compiler->output << "any ";
     } else 
     {
 //	if (neg) compiler->output << "! ";
 	compiler->output << addr.toString();
-	if (mask.toString()!="255.255.255.255")
+	if (!mask.isHostMask())
         {
 	    compiler->output << "/" << mask.getLength();
 	}
diff --git a/src/pflib/TableFactory.cpp b/src/pflib/TableFactory.cpp
index fad5fcbeb..2052cc463 100644
--- a/src/pflib/TableFactory.cpp
+++ b/src/pflib/TableFactory.cpp
@@ -212,15 +212,16 @@ string TableFactory::PrintTables()
                     if (A==NULL)
                         throw(FWException("table object must be an address: '"+o->getTypeName()+"'"));
 
-                    IPAddress addr=A->getAddress();
-                    Netmask   mask=A->getNetmask();
+                    InetAddr addr=A->getAddress();
+                    InetNetmask   mask=A->getNetmask();
 
                     if (IPv4::cast(A)!=NULL) {
-                        mask=Netmask("255.255.255.255");
+                        mask = InetNetmask(InetAddr::getAllOnes());
                     }
 
                     output << addr.toString();
-                    if (mask.toString()!="255.255.255.255") {
+                    if (!mask.isHostMask())
+                    {
                         output << "/" << mask.getLength();
                     }
                 }
diff --git a/src/pix/NATCompiler_pix.cpp b/src/pix/NATCompiler_pix.cpp
index 7a5d5170b..5e6477142 100644
--- a/src/pix/NATCompiler_pix.cpp
+++ b/src/pix/NATCompiler_pix.cpp
@@ -36,7 +36,7 @@
 #include "fwbuilder/UDPService.h"
 #include "fwbuilder/Interface.h"
 #include "fwbuilder/IPv4.h"
-#include "fwbuilder/IPAddress.h"
+#include "fwbuilder/InetAddr.h"
 #include "fwbuilder/Network.h"
 #include "fwbuilder/Resources.h"
 #include "fwbuilder/AddressTable.h"
@@ -421,8 +421,8 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
 
 	if (Network::isA(odst) && Network::isA(tdst))
         {
-            Netmask n1=(Interface::cast(odst))?Netmask("255.255.255.255"):odst->getNetmask();
-            Netmask n2=(Interface::cast(tdst))?Netmask("255.255.255.255"):tdst->getNetmask();
+            InetNetmask n1=(Interface::cast(odst))?InetNetmask(InetAddr::getAllOnes()):odst->getNetmask();
+            InetNetmask n2=(Interface::cast(tdst))?InetNetmask(InetAddr::getAllOnes()):tdst->getNetmask();
 
             if ( !(n1==n2) )
                 compiler->abort(
@@ -883,8 +883,8 @@ bool NATCompiler_pix::mergeNATCmd::processNext()
  */
                 if (natcmd==nc) break;
 
-                IPAddress  a1=natcmd->t_addr->getAddress();
-                IPAddress  a2=nc->t_addr->getAddress();
+                InetAddr  a1=natcmd->t_addr->getAddress();
+                InetAddr  a2=nc->t_addr->getAddress();
 
                 Interface *int1=natcmd->t_iface;
                 Interface *int2=nc->t_iface;
@@ -1136,17 +1136,16 @@ NATCompiler_pix::DetectOverlap::~DetectOverlap() {};
 
 bool NATCompiler_pix::DetectOverlap::checkOverlapping(
     const libfwbuilder::Address   &addr1,
-    const libfwbuilder::IPAddress &addr2)
+    const libfwbuilder::InetAddr &addr2)
 {
     if (AddressRange::isA(&addr1))
     {
-        const IPAddress a1=AddressRange::constcast(&addr1)->getRangeStart();
-        const IPAddress a2=AddressRange::constcast(&addr1)->getRangeEnd();
+        const InetAddr a1=AddressRange::constcast(&addr1)->getRangeStart();
+        const InetAddr a2=AddressRange::constcast(&addr1)->getRangeEnd();
         return (addr2==a1 || addr2==a2 || (addr2>a1 && addr2<a2));
     } else
     {
-        return addr1.getAddress() == addr2 || 
-            IPNetwork(addr1.getAddress(),addr1.getNetmask()).belongs(addr2);
+        return addr1.getAddress() == addr2 || addr1.belongs(addr2);
     }
 }
 
@@ -1154,8 +1153,8 @@ string NATCompiler_pix::DetectOverlap::printGlobalPoolAddress(const Address &poo
 {
     if (AddressRange::isA(&pool))
     {
-        const IPAddress a1=AddressRange::constcast(&pool)->getRangeStart();
-        const IPAddress a2=AddressRange::constcast(&pool)->getRangeEnd();
+        const InetAddr a1=AddressRange::constcast(&pool)->getRangeStart();
+        const InetAddr a2=AddressRange::constcast(&pool)->getRangeEnd();
         return a1.toString()+"-"+a2.toString();
     } else
     {
@@ -1183,14 +1182,11 @@ bool  NATCompiler_pix::DetectGlobalPoolProblems::processNext()
                                 +printGlobalPoolAddress(*(natcmd->t_addr)) 
                                 +" overlaps with interface address. Rule "
                                 +rule->getLabel());
-            
-            IPNetwork iface_net(natcmd->t_iface->getAddress(),
-                                natcmd->t_iface->getNetmask());
 
             if (checkOverlapping(*(natcmd->t_addr),
-                                 iface_net.getBroadcastAddress()) ||
+                                 natcmd->t_iface->getBroadcastAddress()) ||
                 checkOverlapping(*(natcmd->t_addr),
-                                 iface_net.getAddress()) )
+                                 natcmd->t_iface->getAddress()) )
                 compiler->warning("Global pool "
                                   +printGlobalPoolAddress(*(natcmd->t_addr)) 
                                   +" overlaps with broadcast address. Rule "
@@ -1273,7 +1269,7 @@ bool  NATCompiler_pix::DetectOverlappingGlobalPoolsAndStaticRules::processNext()
 
             if (natcmd->type== INTERFACE) 
             {
-                addr.setNetmask("255.255.255.255");
+                addr.setNetmask(InetNetmask(InetAddr::getAllOnes()));
             }
 
             if ( checkOverlapping(  addr, outa->getAddress()) ||
@@ -1314,11 +1310,11 @@ bool  NATCompiler_pix::DetectDuplicateNAT::processNext()
             Interface *int1=natcmd->t_iface;
             Interface *int2=nc->t_iface;
 
-//            IPAddress a1=natcmd->o_addr->getAddress();
-//            IPAddress a2=nc->o_addr->getAddress();
+//            InetAddr a1=natcmd->o_addr->getAddress();
+//            InetAddr a2=nc->o_addr->getAddress();
 //
-//            Netmask   m1=natcmd->o_addr->getNetmask();
-//            Netmask   m2=nc->o_addr->getNetmask();
+//            InetNetmask   m1=natcmd->o_addr->getInetNetmask();
+//            InetNetmask   m2=nc->o_addr->getNetmask();
 
             if ( int1->getId()==int2->getId() &&
                  natcmd->o_src==nc->o_src &&
@@ -1357,9 +1353,6 @@ bool  NATCompiler_pix::DetectOverlappingStatics::processNext()
     {
         StaticCmd *scmd=pix_comp->static_commands[ rule->getInt("sc_cmd") ];
 
-        IPNetwork nn1( scmd->iaddr->getAddress(), scmd->iaddr->getNetmask() );
-        IPNetwork nn2( scmd->oaddr->getAddress(), scmd->oaddr->getNetmask() );
-
         for (map<int,StaticCmd*>::iterator i1=pix_comp->static_commands.begin();
              i1!=pix_comp->static_commands.end();  i1++ )
         {
@@ -1374,32 +1367,30 @@ bool  NATCompiler_pix::DetectOverlappingStatics::processNext()
                      *(sc->tsrv) == *(scmd->tsrv) && 
                      *(sc->osrc) == *(scmd->osrc) &&
                      sc->oaddr->getId() == scmd->oaddr->getId())
-                    compiler->abort("Static NAT rules overlap or are redundant : rules "+
-                                    sc->rule+" and "+scmd->rule+" : "+
-                                    "outside address: "+
-                                    "interface "+Interface::cast(scmd->oaddr)->getLabel()+
-                                    " inside address: "+
-                                    scmd->iaddr->getAddress().toString()+"/"+
-                                    scmd->iaddr->getNetmask().toString());
-
-
+                    compiler->abort(
+                        "Static NAT rules overlap or are redundant : rules "+
+                        sc->rule+" and "+scmd->rule+" : "+
+                        "outside address: "+
+                        "interface "+Interface::cast(scmd->oaddr)->getLabel()+
+                        " inside address: "+
+                        scmd->iaddr->getAddress().toString()+"/"+
+                        scmd->iaddr->getNetmask().toString());
             } else
             {
-                IPNetwork n1( sc->iaddr->getAddress(), sc->iaddr->getNetmask() );
-                IPNetwork n2( sc->oaddr->getAddress(), sc->oaddr->getNetmask() );
-
                 if ( *(sc->osrv) == *(scmd->osrv) && 
                      *(sc->tsrv) == *(scmd->tsrv) && 
                      *(sc->osrc) == *(scmd->osrc) &&
-                     ( ! getOverlap(nn1,n1).empty() || ! getOverlap(nn2,n2).empty() ) )
-                    compiler->abort("Static NAT rules overlap or are redundant : rules "+
-                                    sc->rule+" and "+scmd->rule+" : "+
-                                    "outside address: "+
-                                    scmd->oaddr->getAddress().toString()+"/"+
-                                    scmd->oaddr->getNetmask().toString()+
-                                    " inside address: "+
-                                    scmd->iaddr->getAddress().toString()+"/"+
-                                    scmd->iaddr->getNetmask().toString());
+                     ( ! getOverlap(*(scmd->iaddr), *(sc->iaddr)).empty() ||
+                       ! getOverlap(*(scmd->oaddr), *(sc->oaddr)).empty() ) )
+                    compiler->abort(
+                        "Static NAT rules overlap or are redundant : rules "+
+                        sc->rule+" and "+scmd->rule+" : "+
+                        "outside address: "+
+                        scmd->oaddr->getAddress().toString()+"/"+
+                        scmd->oaddr->getNetmask().toString()+
+                        " inside address: "+
+                        scmd->iaddr->getAddress().toString()+"/"+
+                        scmd->iaddr->getNetmask().toString());
             }
         }
     }
diff --git a/src/pix/NATCompiler_pix.h b/src/pix/NATCompiler_pix.h
index e0df5e362..f2c9b32be 100644
--- a/src/pix/NATCompiler_pix.h
+++ b/src/pix/NATCompiler_pix.h
@@ -373,7 +373,7 @@ namespace fwcompiler {
         {
             protected:
             bool checkOverlapping(const libfwbuilder::Address   &a1,
-                                  const libfwbuilder::IPAddress &a2);
+                                  const libfwbuilder::InetAddr &a2);
             std::string printGlobalPoolAddress(const libfwbuilder::Address &pool);
             public:
             DetectOverlap(const std::string &n) : NATRuleProcessor(n){}
@@ -419,8 +419,8 @@ namespace fwcompiler {
             protected:
             typedef struct {
                 std::string             iface1, iface2;
-                libfwbuilder::IPAddress addr;
-                libfwbuilder::Netmask   mask;
+                libfwbuilder::InetAddr addr;
+                libfwbuilder::InetNetmask   mask;
             } nonat_static_parameters;
             std::deque<nonat_static_parameters> all_nonat_statics;
             public:
diff --git a/src/pix/NATCompiler_pix_writers.cpp b/src/pix/NATCompiler_pix_writers.cpp
index f5678beca..d2535215d 100644
--- a/src/pix/NATCompiler_pix_writers.cpp
+++ b/src/pix/NATCompiler_pix_writers.cpp
@@ -449,9 +449,9 @@ bool NATCompiler_pix::PrintRule::processNext()
     {
         StaticCmd *scmd=pix_comp->static_commands[ rule->getInt("sc_cmd") ];
 
-        IPAddress outa=scmd->oaddr->getAddress();
-        Netmask   outm=scmd->oaddr->getNetmask();
-        IPAddress insa=scmd->iaddr->getAddress();
+        InetAddr outa=scmd->oaddr->getAddress();
+        InetNetmask outm=scmd->oaddr->getNetmask();
+        InetAddr insa=scmd->iaddr->getAddress();
 /*
  * we verify that odst and tdst have the same size in verifyRuleElements,
  * so we can rely on that now.
diff --git a/src/pix/OSConfigurator_pix_os.cpp b/src/pix/OSConfigurator_pix_os.cpp
index 977020c86..6307dd130 100644
--- a/src/pix/OSConfigurator_pix_os.cpp
+++ b/src/pix/OSConfigurator_pix_os.cpp
@@ -193,7 +193,7 @@ string OSConfigurator_pix_os::_printLogging()
 
     if ( ! syslog_host.empty() )
     {
-        string iface_id=helper.findInterfaceByNetzone(IPAddress(syslog_host));
+        string iface_id=helper.findInterfaceByNetzone(InetAddr(syslog_host));
         if (iface_id.empty()) abort("Log server "+syslog_host+" does not belong to any known network zone");
         Interface  *syslog_iface = getCachedFwInterface(iface_id);
 
@@ -257,7 +257,7 @@ string  OSConfigurator_pix_os::_printSNMPServer(const std::string &srv,int poll_
 
     ostringstream  str;
 
-    string iface_id=helper.findInterfaceByNetzone( IPAddress(srv) );
+    string iface_id=helper.findInterfaceByNetzone( InetAddr(srv) );
     if (iface_id.empty())
         abort(string("SNMP server ")+srv+" does not belong to any known network zone");
     Interface  *snmp_iface = getCachedFwInterface(iface_id);
@@ -335,7 +335,7 @@ string  OSConfigurator_pix_os::_printNTPServer(const std::string &srv,bool pref)
 
     ostringstream  str;
 
-    string iface_id=helper.findInterfaceByNetzone( IPAddress(srv) );
+    string iface_id=helper.findInterfaceByNetzone( InetAddr(srv) );
     if (iface_id.empty()) abort("NTP server "+srv+" does not belong to any known network zone");
     Interface  *ntp_iface = getCachedFwInterface(iface_id);
     str << "ntp server " << srv << " source " << ntp_iface->getLabel();
diff --git a/src/pix/PIXObjectGroup.h b/src/pix/PIXObjectGroup.h
index 60f2c9074..f74c5021a 100644
--- a/src/pix/PIXObjectGroup.h
+++ b/src/pix/PIXObjectGroup.h
@@ -50,7 +50,7 @@ class PIXGroup : public libfwbuilder::Group {
     virtual ~PIXGroup() {};
     DECLARE_FWOBJECT_SUBTYPE(PIXGroup);
 
-    virtual bool  validateChild(FWObject *o) { return true; }
+    virtual bool  validateChild(FWObject*) { return true; }
 
     void setPIXGroupType(pix_group_type _gt) { gt=_gt; }
     pix_group_type getPIXGroupType() { return gt; }
diff --git a/src/pix/PolicyCompiler_pix.cpp b/src/pix/PolicyCompiler_pix.cpp
index f19f25a1d..4f5042c8b 100644
--- a/src/pix/PolicyCompiler_pix.cpp
+++ b/src/pix/PolicyCompiler_pix.cpp
@@ -123,14 +123,14 @@ int PolicyCompiler_pix::prolog()
             {
                 if (netmask.find(".")!=string::npos)
                 {
-                    Netmask nm(netmask);
-                    nm.to32BitInt(); // to avoid warning abt unused var
+                    InetNetmask nm(netmask);
+                    nm.isAny(); // to avoid warning abt unused var
                 } else
                 {
                     int nm_length;
                     istringstream  str(netmask);
                     str >> nm_length;
-                    Netmask nm(nm_length);
+                    InetNetmask nm(nm_length);
                     netmask = nm.toString();
                 }
             } catch(FWException &ex)
@@ -141,8 +141,7 @@ int PolicyCompiler_pix::prolog()
 
         try
         {
-            IPAddress a(addr);
-            a.to32BitInt();
+            InetAddr(addr);
         } catch(FWException &ex)
         {
             abort("Invalid address for management subnet: '"+addr+"'");
diff --git a/src/pix/PolicyCompiler_pix_writers.cpp b/src/pix/PolicyCompiler_pix_writers.cpp
index 1b7a31d63..e7405f717 100644
--- a/src/pix/PolicyCompiler_pix_writers.cpp
+++ b/src/pix/PolicyCompiler_pix_writers.cpp
@@ -161,10 +161,10 @@ bool PolicyCompiler_pix::PrintObjectGroupsAndClearCommands::processNext()
             {
                 Address *a=Address::cast(obj);
                 assert(a!=NULL);
-                IPAddress addr=a->getAddress();
+                InetAddr addr=a->getAddress();
                 pix_comp->output << " network-object ";
                 if (Network::cast(obj)!=NULL) {
-                    Netmask   mask=a->getNetmask();
+                    InetNetmask   mask=a->getNetmask();
                     pix_comp->output << addr.toString() << " ";
                     pix_comp->output << mask.toString() << " ";
                 } else {
@@ -352,8 +352,8 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address  *o)
 {
     ostringstream  str;
 
-    IPAddress srcaddr=o->getAddress();
-    Netmask   srcmask=o->getNetmask();
+    InetAddr srcaddr=o->getAddress();
+    InetNetmask   srcmask=o->getNetmask();
 
     if (Interface::cast(o)!=NULL)
     {
@@ -363,18 +363,18 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address  *o)
 	    return string("interface ") + interface_->getLabel() + " ";
 	}
 
-	srcmask=Netmask("255.255.255.255");
+	srcmask=InetNetmask(InetAddr::getAllOnes());
     }
 
     if (IPv4::cast(o)!=NULL) 
-	srcmask=Netmask("255.255.255.255");
+	srcmask=InetNetmask(InetAddr::getAllOnes());
 
 
-    if (srcaddr.toString()=="0.0.0.0" && srcmask.toString()=="0.0.0.0")
+    if (srcaddr.isAny() && srcmask.isAny())
     {
 	str << "any ";
     } else {
-	if (srcmask.toString()=="255.255.255.255")
+	if (srcmask.isHostMask())
         {
 	    str << "host " << srcaddr.toString() << " ";
 	} else
diff --git a/test/ipf/objects-for-regression-tests.fwb b/test/ipf/objects-for-regression-tests.fwb
index d183f9a8e..44e11ff92 100644
--- a/test/ipf/objects-for-regression-tests.fwb
+++ b/test/ipf/objects-for-regression-tests.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="2.1.15" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" id="root">
   <Library color="#FFFFFF" comment="" id="id40D07E7A" name="LAX" ro="True">
     <ObjectGroup id="id40D07E7B" name="Objects">
       <ObjectGroup id="id40D07E7B_og_ats_1" name="Address Tables"/>
diff --git a/test/ipfw/objects-for-regression-tests.fwb b/test/ipfw/objects-for-regression-tests.fwb
index 4fcacad74..01084e8d1 100644
--- a/test/ipfw/objects-for-regression-tests.fwb
+++ b/test/ipfw/objects-for-regression-tests.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="2.1.15" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" id="root">
   <Library color="#FFFFFF" comment="" id="id40D07E7A" name="LAX" ro="False">
     <ObjectGroup id="id40D07E7B" name="Objects">
       <ObjectGroup id="id40D07E7B_og_ats_1" name="Address Tables"/>
diff --git a/test/ipt/objects-for-regression-tests.fwb b/test/ipt/objects-for-regression-tests.fwb
index d1e0f0ad4..c7fa2ba5c 100644
--- a/test/ipt/objects-for-regression-tests.fwb
+++ b/test/ipt/objects-for-regression-tests.fwb
@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="2.1.15" lastModified="1196093903" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" lastModified="1206322269" id="root">
   <Library color="#d2ffd0" comment="User defined objects" id="syslib001" name="User">
     <ObjectGroup id="stdid01_1" name="Objects">
       <ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables">
-        <AddressTable comment="" filename="/home/vadim/Projects/fwb2.1/fwb2/fwbuilder2/test/ipt/addr-table-1.tbl" id="id4385C1081434" name="addrtbl 1" run_time="False"/>
+        <AddressTable comment="" filename="addr-table-1.tbl" id="id4385C1081434" name="addrtbl 1" run_time="False"/>
         <AddressTable comment="" filename="addr-table-1.tbl" id="id4389EE9018346" name="addr-table-1" run_time="False"/>
         <AddressTable comment="this is run-time table" filename="block-hosts.tbl" id="id4389EE9118346" name="block these" run_time="True"/>
         <AddressTable comment="the name contains character that is special to shell" filename="/home/vadim/tmp/bug-1544488/addr-table-1.tbl" id="id44F7056328576" name="atbl.1" run_time="True"/>
-        <AddressTable comment="" filename="/home/vadim/Projects/fwb2.1/fwb2/fwbuilder2/test/ipt/emtpy-table.tbl" id="id459673BE7794" name="empty table" run_time="False"/>
+        <AddressTable comment="" filename="emtpy-table.tbl" id="id459673BE7794" name="empty table" run_time="False"/>
       </ObjectGroup>
       <ObjectGroup id="stdid01_1_og_dnsn_1" name="DNS Names">
         <DNSName comment="" dnsrec="www.cnn.com" id="id43869E8C18346" name="cnn (ct)" run_time="False"/>
@@ -20,11 +20,11 @@
         <DNSName comment="" dnsrec="www.heise.de" id="id44EC181D8791" name="heise" run_time="True"/>
       </ObjectGroup>
       <ObjectGroup id="stdid16_1" name="Addresses">
-        <IPv4 address="192.168.1.0" comment="" id="id417B3641" name="net_address" netmask="255.255.255.255"/>
-        <IPv4 address="61.150.47.112" comment="" id="id4388C37D674" name="sapmhost1" netmask="255.255.255.255"/>
-        <IPv4 address="0.0.0.0" comment="" id="id44C0695713221" name="this_host" netmask="255.255.255.255"/>
-        <IPv4 address="1.1.1.1" comment="" id="id44F7082928576" name="some address" netmask="255.255.255.255"/>
-        <IPv4 address="224.0.0.18" comment="" id="id45D61A0923626" name="VRRP" netmask="255.255.255.255"/>
+        <IPv4 comment="" id="id417B3641" name="net_address" address="192.168.1.0" netmask="255.255.255.255"/>
+        <IPv4 comment="" id="id4388C37D674" name="sapmhost1" address="61.150.47.112" netmask="255.255.255.255"/>
+        <IPv4 comment="" id="id44C0695713221" name="this_host" address="0.0.0.0" netmask="255.255.255.255"/>
+        <IPv4 comment="" id="id44F7082928576" name="some address" address="1.1.1.1" netmask="255.255.255.255"/>
+        <IPv4 comment="" id="id45D61A0923626" name="VRRP" address="224.0.0.18" netmask="255.255.255.255"/>
       </ObjectGroup>
       <ObjectGroup id="stdid04_1" name="Groups">
         <ObjectGroup id="id3B4572AF" name="group1">
@@ -103,11 +103,15 @@
           <ObjectRef ref="id3AFB6706"/>
           <ObjectRef ref="id3AFB68D2"/>
         </ObjectGroup>
+        <ObjectGroup comment="a group of run-time dns objects" id="id47CBF5D129252" name="DNS objects">
+          <ObjectRef ref="id43869E8D18346"/>
+          <ObjectRef ref="id4387287A18346"/>
+        </ObjectGroup>
       </ObjectGroup>
       <ObjectGroup id="stdid02_1" name="Hosts">
         <Host comment="multicast address which is _not_ local link multicast&#10;" id="id3A84EECE" name="DHCP-Servers (multicast)">
           <Interface bridgeport="False" dyn="False" id="id3D84EED2" name="interface1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="224.0.1.141" id="id3D84EEDA" name="DHCP-Servers (multicast)" netmask="255.255.255.0"/>
+            <IPv4 id="id3D84EEDA" name="DHCP-Servers (multicast)" address="224.0.1.141" netmask="255.255.255.0"/>
           </Interface>
           <Management address="224.0.1.141">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -124,7 +128,7 @@
         </Host>
         <Host comment="" id="id3CFBE20C" name="broadcast">
           <Interface bridgeport="False" dyn="False" id="id3CFBE20C-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="255.255.255.255" comment="" id="id3CFBE20C-i-1-addr" name="broadcast:address" netmask="255.255.255.255"/>
+            <IPv4 comment="" id="id3CFBE20C-i-1-addr" name="broadcast:address" address="255.255.255.255" netmask="255.255.255.255"/>
           </Interface>
           <Management address="255.255.255.255">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -141,7 +145,7 @@
         </Host>
         <Host comment="" id="id3D151943" name="dmzhost1">
           <Interface bridgeport="False" dyn="False" id="id3D151943-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.2.10" id="id3D151943-i-1-addr" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3D151943-i-1-addr" name="address" address="192.168.2.10" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.2.10">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -158,7 +162,7 @@
         </Host>
         <Host comment="" id="id3D151947" name="dmzhost2">
           <Interface bridgeport="False" dyn="False" id="id3D151947-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.2.11" id="id3D151947-i-1-addr" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3D151947-i-1-addr" name="address" address="192.168.2.11" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.2.11">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -175,7 +179,7 @@
         </Host>
         <Host comment="this host is used in firewall14" id="id3DE7223E" name="h-fw14-eth1-1">
           <Interface bridgeport="False" dyn="False" id="id3DE72244" name="interface1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="22.22.23.22" comment="" id="id3DE72245" name="h-fw14-eth1-1" netmask="255.255.255.255"/>
+            <IPv4 comment="" id="id3DE72245" name="h-fw14-eth1-1" address="22.22.23.22" netmask="255.255.255.255"/>
           </Interface>
           <Management address="22.22.23.160">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -192,7 +196,7 @@
         </Host>
         <Host comment="this host is used in firewall14" id="id3DE72236" name="h-fw14-eth1-2">
           <Interface bridgeport="False" dyn="False" id="id3DE7223A" name="interface1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="22.22.23.160" comment="" id="id3DE7223B" name="h-fw14-eth1-2" netmask="255.255.255.255"/>
+            <IPv4 comment="" id="id3DE7223B" name="h-fw14-eth1-2" address="22.22.23.160" netmask="255.255.255.255"/>
           </Interface>
           <Management address="22.22.23.160">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -209,7 +213,7 @@
         </Host>
         <Host comment="this host is used in firewall14" id="id3DE722F1" name="h-fw14-eth1-N">
           <Interface bridgeport="False" dyn="False" id="id3DE722F7" name="interface1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="22.22.23.40" comment="" id="id3DE722F8" name="h-fw14-eth1-1" netmask="255.255.255.255"/>
+            <IPv4 comment="" id="id3DE722F8" name="h-fw14-eth1-1" address="22.22.23.40" netmask="255.255.255.255"/>
           </Interface>
           <Management address="22.22.23.22">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -226,7 +230,7 @@
         </Host>
         <Host comment="this host has the same IP address as firewall1 and firewall2" id="id3AFC0F70" name="host-fw2">
           <Interface bridgeport="False" dyn="False" id="id3AFC0F70-i" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="22.22.22.22" id="id3AFC0F70-i-ipv4" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3AFC0F70-i-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.255"/>
           </Interface>
           <Management address="0.0.0.0">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -239,7 +243,7 @@
         </Host>
         <Host comment="" id="id3BF1B3E1" name="host-with-mac-1">
           <Interface bridgeport="False" comment="" dyn="False" id="id3BF1B3E2" label="" mgmt="False" name="host-with-mac-1:1" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.10" comment="" id="id3BF1B3E2-ipv4" name="host-with-mac-1/addr" netmask="255.255.255.0"/>
+            <IPv4 comment="" id="id3BF1B3E2-ipv4" name="host-with-mac-1/addr" address="192.168.1.10" netmask="255.255.255.0"/>
             <physAddress address="00:10:4b:de:e9:6f" id="id3BF1B3E2-pa" name="host-with-mac-1:1-pa"/>
           </Interface>
           <Management address="192.168.1.10">
@@ -304,7 +308,7 @@
         </Host>
         <Host comment="this host has an interface with both IP address and MAC address chld objects,&#10;but option &quot;turn on MAC address matching&quot; is NOT activated" id="id3E0F3FC8" name="host-with-mac-5">
           <Interface bridgeport="False" comment="" dyn="False" id="id3E0F3FC9" label="" mgmt="False" name="host-with-mac-5:1" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.15" comment="" id="id3E0F3FCA" name="host-with-mac-5/addr" netmask="255.255.255.0"/>
+            <IPv4 comment="" id="id3E0F3FCA" name="host-with-mac-5/addr" address="192.168.1.15" netmask="255.255.255.0"/>
             <physAddress address="aa:bb:cc:dd:ee:ff" comment="" id="id3E0F3FCB" name="host-with-mac-5:1-pa"/>
           </Interface>
           <Management address="192.168.1.15">
@@ -321,7 +325,7 @@
         </Host>
         <Host comment="" id="host-hostA" name="hostA">
           <Interface bridgeport="False" dyn="False" id="host-hostA-i" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.10" id="host-hostA-i-ipv4" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="host-hostA-i-ipv4" name="address" address="192.168.1.10" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.1.10">
             <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -334,7 +338,7 @@
         </Host>
         <Host comment="translated address for hostA" id="id3AFADBF9" name="hostA-NAT">
           <Interface bridgeport="False" dyn="False" id="id3AFADBF9-i" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="22.22.22.23" id="id3AFADBF9-i-ipv4" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3AFADBF9-i-ipv4" name="address" address="22.22.22.23" netmask="255.255.255.255"/>
           </Interface>
           <Management address="0.0.0.0">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -347,7 +351,7 @@
         </Host>
         <Host comment="" id="host-hostB" name="hostB">
           <Interface bridgeport="False" dyn="False" id="host-hostB-i" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.20" id="host-hostB-i-ipv4" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="host-hostB-i-ipv4" name="address" address="192.168.1.20" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.1.20">
             <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -360,7 +364,7 @@
         </Host>
         <Host comment="" id="id3BD6736B" name="hostB-NAT">
           <Interface bridgeport="False" dyn="False" id="id3BD6736B-i" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="22.22.23.24" id="id3BD6736B-i-ipv4" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3BD6736B-i-ipv4" name="address" address="22.22.23.24" netmask="255.255.255.255"/>
           </Interface>
           <HostOptions>
             <Option name="use_mac_addr_filter">false</Option>
@@ -368,7 +372,7 @@
         </Host>
         <Host comment="the same address as internal iface of firewall1" id="id3AFC191C" name="hostF-int">
           <Interface bridgeport="False" dyn="False" id="id3AFC191C-i" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.1" id="id3AFC191C-i-ipv4" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3AFC191C-i-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.255"/>
           </Interface>
           <Management address="0.0.0.0">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -381,8 +385,8 @@
         </Host>
         <Host comment="this host has multiple interfaces" id="id3DECF4EB" name="hostM-outside">
           <Interface bridgeport="False" comment="" dyn="False" id="id3DECF4EC" label="" mgmt="False" name="hostM-iface" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="222.222.222.40" comment="" id="id3DECF4ED" name="address" netmask="255.255.255.0"/>
-            <IPv4 address="222.222.222.41" comment="" id="id3DECF62C" name="hostM-outside" netmask="255.255.255.0"/>
+            <IPv4 comment="" id="id3DECF4ED" name="address" address="222.222.222.40" netmask="255.255.255.0"/>
+            <IPv4 comment="" id="id3DECF62C" name="hostM-outside" address="222.222.222.41" netmask="255.255.255.0"/>
           </Interface>
           <Management address="22.22.22.23">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -398,10 +402,10 @@
         </Host>
         <Host comment="this host has multiple interfaces" id="id3DECF622" name="hostN-outside">
           <Interface bridgeport="False" dyn="False" id="id3DECF623" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="222.222.222.40" comment="" id="id3DECF624" name="address" netmask="255.255.255.0"/>
+            <IPv4 comment="" id="id3DECF624" name="address" address="222.222.222.40" netmask="255.255.255.0"/>
           </Interface>
           <Interface bridgeport="False" dyn="False" id="id3DECF62A" name="unknown" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="222.222.222.41" comment="" id="id3DECF62B" name="hostM-outside" netmask="255.255.255.0"/>
+            <IPv4 comment="" id="id3DECF62B" name="hostM-outside" address="222.222.222.41" netmask="255.255.255.0"/>
           </Interface>
           <Management address="222.222.222.41">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -417,13 +421,13 @@
         </Host>
         <Host comment="host on subnet 22.22.22.0 with several addresses" id="id3DE47B6C" name="hostZ-outside">
           <Interface bridgeport="False" comment="" dyn="False" id="id3DE47B6D" label="" mgmt="False" name="eth0" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="22.22.22.23" comment="" id="id3DE47B6E" name="hZ-eth0" netmask="255.255.255.255"/>
+            <IPv4 comment="" id="id3DE47B6E" name="hZ-eth0" address="22.22.22.23" netmask="255.255.255.255"/>
           </Interface>
           <Interface bridgeport="False" comment="" dyn="False" id="id3DE47B76" label="" mgmt="False" name="eth1" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="22.22.22.24" comment="" id="id3DE47B77" name="hZ-eth1" netmask="255.255.255.255"/>
+            <IPv4 comment="" id="id3DE47B77" name="hZ-eth1" address="22.22.22.24" netmask="255.255.255.255"/>
           </Interface>
           <Interface bridgeport="False" comment="" dyn="False" id="id3DE47B78" label="" mgmt="False" name="eth2" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="22.22.22.25" comment="" id="id3DE47B79" name="hZ-eth2" netmask="255.255.255.255"/>
+            <IPv4 comment="" id="id3DE47B79" name="hZ-eth2" address="22.22.22.25" netmask="255.255.255.255"/>
           </Interface>
           <Management address="22.22.22.23">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -439,7 +443,7 @@
         </Host>
         <Host comment="broadcast on internal subnet" id="id3B64FFAC" name="local-bcast">
           <Interface bridgeport="False" dyn="False" id="id3B64FFAC-i" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.255" comment="" id="id3B64FFAC-i-ipv4" name="local-bcast:addess" netmask="255.255.255.255"/>
+            <IPv4 comment="" id="id3B64FFAC-i-ipv4" name="local-bcast:addess" address="192.168.1.255" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.1.255">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -455,7 +459,7 @@
         </Host>
         <Host comment="" id="id3CD87A53" name="h192.168.1.11">
           <Interface bridgeport="False" dyn="False" id="id3CD87A53-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.11" id="id3CD87A53-i-1-addr" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3CD87A53-i-1-addr" name="address" address="192.168.1.11" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.1.11">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -472,7 +476,7 @@
         </Host>
         <Host comment="" id="id3CD87A5E" name="h192.168.1.12">
           <Interface bridgeport="False" dyn="False" id="id3CD87A5E-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.12" id="id3CD87A5E-i-1-addr" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3CD87A5E-i-1-addr" name="address" address="192.168.1.12" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.1.12">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -489,7 +493,7 @@
         </Host>
         <Host comment="" id="id3CD87A6D" name="h192.168.1.13">
           <Interface bridgeport="False" dyn="False" id="id3CD87A6D-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.13" id="id3CD87A6D-i-1-addr" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3CD87A6D-i-1-addr" name="address" address="192.168.1.13" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.1.13">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -506,7 +510,7 @@
         </Host>
         <Host comment="" id="id3CD87A7C" name="h192.168.1.14">
           <Interface bridgeport="False" dyn="False" id="id3CD87A7C-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.14" id="id3CD87A7C-i-1-addr" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3CD87A7C-i-1-addr" name="address" address="192.168.1.14" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.1.14">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -523,7 +527,7 @@
         </Host>
         <Host comment="" id="id3CD87A8B" name="h192.168.1.15">
           <Interface bridgeport="False" dyn="False" id="id3CD87A8B-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.15" id="id3CD87A8B-i-1-addr" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3CD87A8B-i-1-addr" name="address" address="192.168.1.15" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.1.15">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -540,7 +544,7 @@
         </Host>
         <Host comment="local link multicast address" id="id3D84EEC8" name="ospf routers (multicast)">
           <Interface bridgeport="False" dyn="False" id="id3D84EECC" name="interface1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="224.0.0.5" id="id3D84EECD" name="ospf routers (multicast)" netmask="255.255.255.0"/>
+            <IPv4 id="id3D84EECD" name="ospf routers (multicast)" address="224.0.0.5" netmask="255.255.255.0"/>
           </Interface>
           <Management address="224.0.0.5">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -557,7 +561,7 @@
         </Host>
         <Host comment="some host outside our network" id="id3B19C5EB" name="outside-host">
           <Interface bridgeport="False" dyn="False" id="id3B19C5EB-i" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="200.200.200.200" id="id3B19C5EB-i-ipv4" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="id3B19C5EB-i-ipv4" name="address" address="200.200.200.200" netmask="255.255.255.255"/>
           </Interface>
           <HostOptions>
             <Option name="use_mac_addr_filter">false</Option>
@@ -565,7 +569,7 @@
         </Host>
         <Host comment="" id="host-secondary1-com" name="secondary1.com">
           <Interface bridgeport="False" dyn="False" id="host-secondary1-com-i" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="211.11.11.11" id="host-secondary1-com-i-ipv4" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="host-secondary1-com-i-ipv4" name="address" address="211.11.11.11" netmask="255.255.255.255"/>
           </Interface>
           <Management address="211.11.11.11">
             <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -578,7 +582,7 @@
         </Host>
         <Host comment="" id="host-secondary2-com" name="secondary2.com">
           <Interface bridgeport="False" dyn="False" id="host-secondary2-com-i" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="211.22.22.22" id="host-secondary2-com-i-ipv4" name="address" netmask="255.255.255.255"/>
+            <IPv4 id="host-secondary2-com-i-ipv4" name="address" address="211.22.22.22" netmask="255.255.255.255"/>
           </Interface>
           <Management address="211.22.22.22">
             <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -591,7 +595,7 @@
         </Host>
         <Host comment="" id="id3BF23930" name="z-host">
           <Interface bridgeport="False" dyn="False" id="id3BF23931" name="unknown" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="0.0.0.0" id="id3BF23931-ipv4" name="address" netmask=""/>
+            <IPv4 id="id3BF23931-ipv4" name="address" address="0.0.0.0" netmask="0.0.0.0"/>
             <physAddress address="00:a0:24:53:06:8c" id="id3BF23931-pa" name="unknown-pa"/>
           </Interface>
           <Management address="0.0.0.0">
@@ -605,7 +609,7 @@
         </Host>
         <Host comment="" id="id3D84F6D7" name="zero address">
           <Interface bridgeport="False" dyn="False" id="id3D84F6DB" name="interface1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="0.0.0.0" comment="" id="id3D84F6DC" name="zero addr(ip)" netmask="0.0.0.0"/>
+            <IPv4 comment="" id="id3D84F6DC" name="zero addr(ip)" address="0.0.0.0" netmask="0.0.0.0"/>
             <physAddress address="00:00:00:00:00:00" comment="" id="id3E192A36" name="zero addr(MAC)"/>
           </Interface>
           <Management address="0.0.0.0">
@@ -623,10 +627,10 @@
         </Host>
         <Host id="id3E9870D1" name="like fw5">
           <Interface bridgeport="False" dyn="False" id="id3E9870D7" name="eth0" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.1" id="id3E9870D8" name="like fw5:eth0(ip)" netmask="255.255.255.0"/>
+            <IPv4 id="id3E9870D8" name="like fw5:eth0(ip)" address="192.168.1.1" netmask="255.255.255.0"/>
           </Interface>
           <Interface bridgeport="False" dyn="False" id="id3E9870D9" name="eth1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.2.1" id="id3E9870DA" name="like fw5:eth1(ip)" netmask="255.255.255.0"/>
+            <IPv4 id="id3E9870DA" name="like fw5:eth1(ip)" address="192.168.2.1" netmask="255.255.255.0"/>
           </Interface>
           <Management address="0.0.0.0">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -639,7 +643,7 @@
         </Host>
         <Host id="id3E9BC536" name="squid-box">
           <Interface bridgeport="False" dyn="False" id="id3E9BC538" name="interface1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.100" id="id3E9BC539" name="squid-box:interface1(ip)" netmask="255.255.255.255"/>
+            <IPv4 id="id3E9BC539" name="squid-box:interface1(ip)" address="192.168.1.100" netmask="255.255.255.255"/>
           </Interface>
           <Management address="0.0.0.0">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -652,7 +656,7 @@
         </Host>
         <Host id="id3EE4CC6E" name="like fw18(eth1)">
           <Interface bridgeport="False" dyn="False" id="id3EE4CC70" name="interface1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="66.66.66.130" id="id3EE4CC71" name="like fw18(eth1):interface1(ip)" netmask="255.255.255.255"/>
+            <IPv4 id="id3EE4CC71" name="like fw18(eth1):interface1(ip)" address="66.66.66.130" netmask="255.255.255.255"/>
           </Interface>
           <Management address="0.0.0.0">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -665,7 +669,7 @@
         </Host>
         <Host comment="this host has the same IP address as firewall 'firewall', plus it has MAC address.&#10;Testing for a combination of &quot;--mac --source-mac&quot; in the OUTPUT chain.&#10;" id="id3F14DFB8" name="fw-with-mac-1">
           <Interface bridgeport="False" comment="" dyn="False" id="id3F14DFB9" label="" mgmt="False" name="host-with-mac-1:1" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.1" comment="" id="id3F14DFBA" name="host-with-mac-1/addr" netmask="255.255.255.0"/>
+            <IPv4 comment="" id="id3F14DFBA" name="host-with-mac-1/addr" address="192.168.1.1" netmask="255.255.255.0"/>
             <physAddress address="00:10:4b:de:e9:6f" id="id3F14DFBB" name="host-with-mac-1:1-pa"/>
           </Interface>
           <Management address="192.168.1.10">
@@ -682,7 +686,7 @@
         </Host>
         <Host comment="this host has the same IP address as firewall 'firewall', plus it has MAC address.&#10;Testing for a combination of &quot;--mac --source-mac&quot; in the OUTPUT chain.&#10;" id="id3F14E244" name="fw-with-mac-2">
           <Interface bridgeport="False" comment="" dyn="False" id="id3F14E245" label="" mgmt="False" name="host-with-mac-1:1" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.1" comment="" id="id3F14E246" name="host-with-mac-1/addr" netmask="255.255.255.0"/>
+            <IPv4 comment="" id="id3F14E246" name="host-with-mac-1/addr" address="192.168.1.1" netmask="255.255.255.0"/>
             <physAddress address="00:10:4b:de:e9:6f" id="id3F14E247" name="host-with-mac-1:1-pa"/>
           </Interface>
           <Management address="192.168.1.1">
@@ -699,7 +703,7 @@
         </Host>
         <Host comment="usef in fw7&#10;" id="id40236C4D" name="dhcpserver">
           <Interface bridgeport="False" dyn="False" id="id40236C4F" name="interface1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.2.10" id="id40236C50" name="dhcpserver:interface1(ip)" netmask="255.255.255.255"/>
+            <IPv4 id="id40236C50" name="dhcpserver:interface1(ip)" address="192.168.2.10" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.2.10">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -716,7 +720,7 @@
         </Host>
         <Host id="id40236C9A" name="unknown">
           <Interface bridgeport="False" dyn="False" id="id40236C9C" name="interface1" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="0.0.0.0" id="id40236C9D" name="unknown:interface1(ip)" netmask="255.255.255.255"/>
+            <IPv4 id="id40236C9D" name="unknown:interface1(ip)" address="0.0.0.0" netmask="255.255.255.255"/>
           </Interface>
           <Management address="0.0.0.0">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -729,7 +733,7 @@
         </Host>
         <Host id="id40F195D2" name="hostC">
           <Interface bridgeport="False" dyn="False" id="id40F195D4" label="" name="eth0" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.50" id="id40F195D6" name="hostC:eth0:ip" netmask="255.255.255.0"/>
+            <IPv4 id="id40F195D6" name="hostC:eth0:ip" address="192.168.1.50" netmask="255.255.255.0"/>
           </Interface>
           <Management address="0.0.0.0">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -740,7 +744,7 @@
         </Host>
         <Host comment="" id="id43913DCB25682" name="hostAt">
           <Interface bridgeport="False" dyn="False" id="id43913DCD25682" label="" name="hostA_eth0" security_level="100" unnum="False" unprotected="False">
-            <IPv4 address="192.168.1.10" id="id43913DCE25682" name="hostAt:hostA_eth0:ip" netmask="255.255.255.255"/>
+            <IPv4 id="id43913DCE25682" name="hostAt:hostA_eth0:ip" address="192.168.1.10" netmask="255.255.255.255"/>
           </Interface>
           <Management address="192.168.1.10">
             <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -755,8 +759,8 @@
           </HostOptions>
         </Host>
         <Host comment="This object represents a PC with a single network interface" id="id445F59D831658" name="exthost223">
-          <Interface bridgeport="False" dyn="False" id="id445F59DA31658" label="" name="eth0" security_level="0" unnum="False" unprotected="False">
-            <IPv4 address="223.223.223.223" comment="" id="id445F59DB31658" name="exthost223:eth0:ip" netmask="255.255.255.0"/>
+          <Interface bridgeport="False" comment="" dyn="False" id="id445F59DA31658" label="" name="eth0" security_level="0" unnum="False" unprotected="False">
+            <IPv4 comment="" id="id445F59DB31658" name="exthost223:eth0:ip" address="223.223.223.223" netmask="255.255.255.0"/>
           </Interface>
           <Management address="0.0.0.0">
             <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -767,6 +771,26 @@
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
         </Host>
+        <Host comment="" id="id47CD183A7550" name="host with multiple interfaces">
+          <Interface bridgeport="False" dyn="False" id="id47CD183C7550" name="eth0" security_level="0" unnum="False" unprotected="False">
+            <IPv4 id="id47CD183D7550" name="host with multiple interfaces:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
+          </Interface>
+          <Interface bridgeport="False" dyn="False" id="id47CD183E7550" name="eth1" security_level="0" unnum="False" unprotected="False">
+            <IPv4 id="id47CD183F7550" name="host with multiple interfaces:eth1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
+          </Interface>
+          <Interface bridgeport="False" comment="" dyn="False" id="id47CD49057550" label="" name="eth2" security_level="0" unnum="False" unprotected="False">
+            <IPv4 comment="" id="id47CD49067550" name="host with multiple interfaces:eth2:ip" address="77.77.77.77" netmask="255.255.255.0"/>
+          </Interface>
+          <Management address="0.0.0.0">
+            <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
+            <FWBDManagement enabled="False" identity="" port="-1"/>
+            <PolicyInstallScript arguments="" command="" enabled="False"/>
+          </Management>
+          <HostOptions>
+            <Option name="use_mac_addr">false</Option>
+            <Option name="use_mac_addr_filter">False</Option>
+          </HostOptions>
+        </Host>
       </ObjectGroup>
       <ObjectGroup id="stdid03_1" name="Networks">
         <Network comment="" id="net-Internal_net" name="Internal_net" address="192.168.1.0" netmask="255.255.255.0"/>
@@ -964,7 +988,7 @@
       </ServiceGroup>
     </ServiceGroup>
     <ObjectGroup id="stdid12_1" name="Firewalls">
-      <Firewall comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" host_OS="linux24" id="fw-firewall2" inactive="False" lastCompiled="1188096924" lastInstalled="1142003872" lastModified="1184809081" name="firewall" platform="iptables" ro="False" version="">
+      <Firewall comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule&#10;" host_OS="linux24" id="fw-firewall2" inactive="False" lastCompiled="1188096924" lastInstalled="1142003872" lastModified="1206322269" name="firewall" platform="iptables" ro="False" version="">
         <NAT id="nat-firewall2">
           <NATRule comment="" disabled="False" id="nat-firewall2-0" position="0">
             <OSrc neg="False">
@@ -2615,10 +2639,10 @@
         </Policy>
         <Routing id="fw-firewall2-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="if-FW-firewall2-eth1" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="222.222.222.222" id="if-FW-firewall2-eth1-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="if-FW-firewall2-eth1-ipv4" name="address" address="222.222.222.222" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="if-FW-firewall2-eth0" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="if-FW-firewall2-eth0-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="if-FW-firewall2-eth0-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -3989,19 +4013,19 @@
         </Policy>
         <Routing id="id3AF5AA0A-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3AF5AA96" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3AF5AA96-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3AF5AA96-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3AF5AA99" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3AF5AA99-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3AF5AA99-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3B0B4BC8" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id3B0B4BC8-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3B0B4BC8-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3B0B4D35" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3B0B4D35-ipv4" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3B0B4D35-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3B11F434" name="eth3" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.23" id="id3B11F434-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3B11F434-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -4093,7 +4117,7 @@
           <Option name="verify_interfaces">False</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " host_OS="linux24" id="id3AFB66C6" inactive="False" lastCompiled="1188315148" lastInstalled="1142003872" lastModified="1188315856" name="firewall2" platform="iptables" ro="False" version="">
+      <Firewall comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " host_OS="linux24" id="id3AFB66C6" inactive="False" lastCompiled="1188315148" lastInstalled="1142003872" lastModified="1197388709" name="firewall2" platform="iptables" ro="False" version="">
         <NAT id="id3AFB66C7">
           <NATRule disabled="False" id="id3AFB66C8" position="0">
             <OSrc neg="False">
@@ -5554,21 +5578,21 @@
         </Policy>
         <Routing id="id3AFB66C6-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3AFB6703" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id3AFB6703-ipv4" name="fw2:eth0:ip - internal" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3AFB6703-ipv4" name="fw2:eth0:ip - internal" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3AFB6706" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" comment="" id="id3AFB6706-ipv4" name="fw2:eth1:ip - external" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3AFB6706-ipv4" name="fw2:eth1:ip - external" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3AFB68D2" label="" mgmt="False" name="eth3" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.23" comment="" id="id3AFB68D2-ipv4" name="fw2:eth3:0" netmask="255.255.255.0"/>
-          <IPv4 address="22.22.25.50" comment="" id="id3D5DEADC" name="fw2:eth3:1" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3AFB68D2-ipv4" name="fw2:eth3:0" address="22.22.23.23" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3D5DEADC" name="fw2:eth3:1" address="22.22.25.50" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3B0221F1" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" comment="" id="id3B0221F1-ipv4" name="fw2:eth2:1" netmask="255.255.255.0"/>
-          <IPv4 address="192.168.2.40" comment="" id="id3DD1E161" name="fw2:eth2:2" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3B0221F1-ipv4" name="fw2:eth2:1" address="192.168.2.1" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3DD1E161" name="fw2:eth2:2" address="192.168.2.40" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3CD2449F" label="" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3CD2449F-ipv4" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3CD2449F-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -5585,6 +5609,7 @@
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">False</Option>
           <Option name="clamp_mss_to_mtu">True</Option>
+          <Option name="classify_mark_terminating">False</Option>
           <Option name="cmdline"></Option>
           <Option name="compiler"></Option>
           <Option name="configure_interfaces">True</Option>
@@ -5640,6 +5665,7 @@
           <Option name="mgmt_addr"></Option>
           <Option name="mgmt_ssh">False</Option>
           <Option name="no_iochains_for_any">False</Option>
+          <Option name="no_ipv6_default_policy">False</Option>
           <Option name="no_optimisation">False</Option>
           <Option name="output_file"></Option>
           <Option name="platform">iptables</Option>
@@ -5655,7 +5681,7 @@
           <Option name="ulog_nlgroup">1</Option>
           <Option name="ulog_qthreshold">1</Option>
           <Option name="useULOG">False</Option>
-          <Option name="use_ULOG">False</Option>
+          <Option name="use_ULOG">True</Option>
           <Option name="use_ip_tool">True</Option>
           <Option name="use_iptables_restore">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
@@ -6214,16 +6240,16 @@
         </Policy>
         <Routing id="id3B0226B6-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3B02270A" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3B02270A-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3B02270A-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3B02270C" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3B02270C-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3B02270C-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3B0B57D2" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id3B0B57D2-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3B0B57D2-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id465D5AF12072" label="" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" comment="" id="id465D89B62072" name="firewall3:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 comment="" id="id465D89B62072" name="firewall3:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -6996,19 +7022,19 @@
         </Policy>
         <Routing id="id3B0C6380-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3B0C63DF" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3B0C63DF-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3B0C63DF-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="True" id="id3B0C63E1" label="" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="0.0.0.0" id="id3B0C63E1-ipv4" name="address" netmask="0.0.0.0"/>
+          <IPv4 id="id3B0C63E1-ipv4" name="address" address="0.0.0.0" netmask="0.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3B0C63F3" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id3B0C63F3-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3B0C63F3-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3B0C63F5" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3B0C63F5-ipv4" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3B0C63F5-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3CD88A77" label="" name="eth3" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="222.222.222.222" id="id3CD88A77-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3CD88A77-ipv4" name="address" address="222.222.222.222" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -7102,7 +7128,7 @@
           <Option name="verify_interfaces">False</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" host_OS="linux24" id="id3B19BEE6" lastCompiled="1188097203" lastInstalled="1142003872" lastModified="1142003913" name="firewall5" platform="iptables" ro="False">
+      <Firewall comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" host_OS="linux24" id="id3B19BEE6" lastCompiled="1204560061" lastInstalled="1142003872" lastModified="1204560033" name="firewall5" platform="iptables" ro="False">
         <NAT id="id3B19BEE7">
           <NATRule disabled="False" id="id3CFD9EE2" position="0">
             <OSrc neg="False">
@@ -7146,7 +7172,28 @@
             </TSrv>
             <NATRuleOptions/>
           </NATRule>
-          <NATRule comment="" disabled="False" id="id3CF5B9DB" position="2">
+          <NATRule comment="" disabled="False" id="id47CC86147550" position="2">
+            <OSrc neg="False">
+              <ObjectRef ref="id47CD183A7550"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id3AFADBF9"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule comment="" disabled="False" id="id3CF5B9DB" position="3">
             <OSrc neg="False">
               <ObjectRef ref="sysid0"/>
             </OSrc>
@@ -7309,7 +7356,7 @@
               <ObjectRef ref="sysid0"/>
             </Src>
             <Dst neg="False">
-              <ObjectRef ref="id3E9870D1"/>
+              <ObjectRef ref="id47CD183A7550"/>
             </Dst>
             <Srv neg="False">
               <ServiceRef ref="tcp-SSH"/>
@@ -7328,7 +7375,7 @@
               <ObjectRef ref="sysid0"/>
             </Src>
             <Dst neg="False">
-              <ObjectRef ref="id3E9870D1"/>
+              <ObjectRef ref="id47CD183A7550"/>
             </Dst>
             <Srv neg="False">
               <ServiceRef ref="tcp-SSH"/>
@@ -7443,13 +7490,13 @@
         </Policy>
         <Routing id="id3B19BEE6-routing"/>
         <Interface bridgeport="False" comment="" dyn="True" id="id3B19BF3A" label="" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id3EF959F7" name="firewall5:ppp0(ip)" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3EF959F7" name="firewall5:ppp0(ip)" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3B19BF58" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3B19BF58-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3B19BF58-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3B19C51D" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id3B19C51D-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3B19C51D-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="True" id="id3E8F5B6F" label="" mgmt="False" name="ppp1" security_level="0" unnum="False" unprotected="False"/>
         <Management address="192.168.1.1">
@@ -7711,10 +7758,10 @@
         </Policy>
         <Routing id="id3AF5A2BA-routing"/>
         <Interface bridgeport="False" dyn="False" id="id3AF5A2CB" name="eth0" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3AF5A2CB-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3AF5A2CB-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3AFB7090" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3AFB7090-ipv4" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3AFB7090-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Management address="127.0.0.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -8087,19 +8134,19 @@
         </Policy>
         <Routing id="id3C698F1D-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3C699013" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3C699013-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3C699013-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3C69901D" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3C69901D-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3C69901D-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3C699030" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" comment="" id="id3C699030-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3C699030-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3C699032" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3C699032-ipv4" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3C699032-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3C699034" name="eth3" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.23" id="id3C699034-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3C699034-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -8497,19 +8544,19 @@
         </Policy>
         <Routing id="id3C69BD4F-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3C69BD5C" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3C69BD5C-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3C69BD5C-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3C69BD5E" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3C69BD5E-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3C69BD5E-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3C69BD68" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id3C69BD68-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3C69BD68-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3C69BD6A" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3C69BD6A-ipv4" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3C69BD6A-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3C69BD6C" name="eth3" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.23" id="id3C69BD6C-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3C69BD6C-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -8592,13 +8639,13 @@
         <Policy id="id3D0C1E71"/>
         <Routing id="id3D0C1E6E-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3D0C1E77" label="fw8:eth0" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="33.33.33.33" id="id3D0C1E77-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3D0C1E77-ipv4" name="address" address="33.33.33.33" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3D0C1E7A" label="fw8:eth1" mgmt="False" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="172.16.1.1" id="id3D0C1E7A-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3D0C1E7A-ipv4" name="address" address="172.16.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3D0C1E7D" label="fw8:eth2" mgmt="True" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.100.1" id="id3D0C1E7D-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3D0C1E7D-ipv4" name="address" address="192.168.100.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="True" id="id3EE24D62" label="fw8:ppp0" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False"/>
         <Management address="192.168.100.1">
@@ -8990,13 +9037,13 @@
         </Policy>
         <Routing id="id3D4DF34B-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3D4DF3B2" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3D4DF3B2-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3D4DF3B2-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3D4DF3C8" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3D4DF3C8-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3D4DF3C8-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3D4DF3CC" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3D4DF3CC-ipv4" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3D4DF3CC-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -9282,13 +9329,13 @@
         </Policy>
         <Routing id="id3D4F0A55-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3D4F0AA8" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3D4F0AA8-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3D4F0AA8-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3D4F0AAA" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3D4F0AAA-ipv4" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3D4F0AAA-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3D4F0AAC" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3D4F0AAC-ipv4" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3D4F0AAC-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -9803,11 +9850,11 @@
         <Interface bridgeport="False" comment="this interface is part of the bridge" dyn="False" id="id3D94D531" label="" mgmt="False" name="eth0" security_level="100" unnum="True" unprotected="False"/>
         <Interface bridgeport="False" comment="" dyn="True" id="id3D94D552" label="" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id3D94D558" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3D94D559" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3D94D559" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="True" id="id3E21FC66" label="" mgmt="False" name="br0" security_level="100" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" comment="this interface has netmask 255.255.255.255, which is an error&#10;but compiler should handle it properly anyway.&#10;One typical mistake is to put rules that have fw or its interface&#10;in DST into FORWARD chain (shouldbe INPUT chain)&#10;&#10;This is the management interface of the bridging fw. This interface is connected to&#10;the protected subnet. There may be another interface connected to the same&#10;subnet, but that interface would be a bridging interface and have no address.&#10;" dyn="False" id="id3F28B886" label="" mgmt="True" name="eth3" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="10.1.1.1" comment="" id="id3F28B88A" name="firewall11:eth3(ip)" netmask="255.255.255.255"/>
+          <IPv4 comment="" id="id3F28B88A" name="firewall11:eth3(ip)" address="10.1.1.1" netmask="255.255.255.255"/>
         </Interface>
         <Interface bridgeport="False" comment="this interface is also a part of the bridge" dyn="False" id="id3F77AFD4" label="" mgmt="False" name="eth1" security_level="100" unnum="True" unprotected="False"/>
         <Management address="10.1.1.1">
@@ -10155,10 +10202,10 @@
         </Policy>
         <Routing id="id3DDDE6C3-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3DDDE6CE" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3DDDE6D0" name="firewall12" netmask="255.255.255.0"/>
+          <IPv4 id="id3DDDE6D0" name="firewall12" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3DDDE6D1" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.22" id="id3DDDE6D3" name="firewall12" netmask="255.255.255.0"/>
+          <IPv4 id="id3DDDE6D3" name="firewall12" address="22.22.23.22" netmask="255.255.255.0"/>
         </Interface>
         <Management address="22.22.22.22">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -10329,10 +10376,10 @@
         </Policy>
         <Routing id="id3DE68A18-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3DE68A83" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3DE68A84" name="firewall12" netmask="255.255.255.0"/>
+          <IPv4 id="id3DE68A84" name="firewall12" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3DE68A86" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.22" id="id3DE68A87" name="firewall12" netmask="255.255.255.0"/>
+          <IPv4 id="id3DE68A87" name="firewall12" address="22.22.23.22" netmask="255.255.255.0"/>
         </Interface>
         <Management address="22.22.22.22">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -10551,14 +10598,14 @@
         <Policy id="id3DE71233"/>
         <Routing id="id3DE71215-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3DE71252" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.22" comment="" id="id3DE71253" name="fe14:eth0" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3DE71253" name="fe14:eth0" address="192.168.1.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3DE71255" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.22" comment="" id="id3DE71256" name="fw14:eth1:1" netmask="255.255.255.0"/>
-          <IPv4 address="22.22.23.160" comment="this address belongs to subnets of both interfaces - eth1 and eth2" id="id3DE71282" name="fw14:eth1:2" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3DE71256" name="fw14:eth1:1" address="22.22.23.22" netmask="255.255.255.0"/>
+          <IPv4 comment="this address belongs to subnets of both interfaces - eth1 and eth2" id="id3DE71282" name="fw14:eth1:2" address="22.22.23.160" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3DE7127D" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.132" comment="this interface is on the subnet that overlaps with eth1" id="id3DE7127F" name="fw14:eth2" netmask="255.255.255.128"/>
+          <IPv4 comment="this interface is on the subnet that overlaps with eth1" id="id3DE7127F" name="fw14:eth2" address="22.22.23.132" netmask="255.255.255.128"/>
         </Interface>
         <Management address="192.168.1.22">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -10668,13 +10715,13 @@
         </Policy>
         <Routing id="id3DE9128A-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3DE912F5" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3DE912F6" name="firewall12" netmask="255.255.255.0"/>
+          <IPv4 id="id3DE912F6" name="firewall12" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3DE912F8" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.22" id="id3DE912F9" name="firewall12" netmask="255.255.255.0"/>
+          <IPv4 id="id3DE912F9" name="firewall12" address="22.22.23.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3E587D10" label="" mgmt="False" name="lo" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" comment="" id="id3E587D14" name="firewall15:lo(ip)" netmask="255.0.0.0"/>
+          <IPv4 comment="" id="id3E587D14" name="firewall15:lo(ip)" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Management address="22.22.22.22">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -11082,13 +11129,13 @@
         </Policy>
         <Routing id="id3E189481-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3E1894E6" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.22" comment="" id="id3E1894E7" name="firewall16:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3E1894E7" name="firewall16:eth0:ip" address="192.168.1.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3E1894E9" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.22" comment="" id="id3E1894EA" name="firewall16:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3E1894EA" name="firewall16:eth1:ip" address="22.22.23.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3E1894ED" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" comment="this interface is on the subnet that overlaps with eth1" id="id3E1894EE" name="firewall16:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="this interface is on the subnet that overlaps with eth1" id="id3E1894EE" name="firewall16:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.22">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -11382,21 +11429,21 @@
         </Policy>
         <Routing id="id3E1C6B9C-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3E1C6BDD" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3E1C6BDE" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3E1C6BDE" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3E1C6BE0" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id3E1C6BE1" name="address" netmask="255.255.255.0"/>
-          <IPv4 address="33.33.33.33" comment="" id="id3E1C6BFB" name="firewall17:eth1(ip)" netmask="255.255.255.0"/>
+          <IPv4 id="id3E1C6BE1" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3E1C6BFB" name="firewall17:eth1(ip)" address="33.33.33.33" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3E1C6BEB" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" comment="" id="id3E1C6BEC" name="address" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3E1C6BEC" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3E1C6BEE" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3E1C6BEF" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3E1C6BEF" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3E1C6BF1" name="eth3" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.23" id="id3E1C6BF2" name="address" netmask="255.255.255.0"/>
-          <IPv4 address="44.44.44.44" comment="" id="id3E1C6BFC" name="firewall17:eth3(ip)" netmask="255.255.255.0"/>
+          <IPv4 id="id3E1C6BF2" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3E1C6BFC" name="firewall17:eth3(ip)" address="44.44.44.44" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -11724,16 +11771,16 @@
         </Policy>
         <Routing id="id3EE4CB81-routing"/>
         <Interface bridgeport="False" dyn="False" id="id3EE4CB88" label="" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="66.66.66.1" comment="" id="id3EE4CB8A" name="firewall18:eth2(ip)" netmask="255.255.255.128"/>
+          <IPv4 comment="" id="id3EE4CB8A" name="firewall18:eth2(ip)" address="66.66.66.1" netmask="255.255.255.128"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3EE4CB8B" label="" name="eth0" security_level="33" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3EE4CB8D" name="firewall18:eth0(ip)" netmask="255.255.255.0"/>
+          <IPv4 id="id3EE4CB8D" name="firewall18:eth0(ip)" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3EE4CB8E" label="" name="eth1" security_level="66" unnum="False" unprotected="False">
-          <IPv4 address="66.66.66.130" comment="" id="id3EE4CB90" name="firewall18:eth1(ip)" netmask="255.255.255.128"/>
+          <IPv4 comment="" id="id3EE4CB90" name="firewall18:eth1(ip)" address="66.66.66.130" netmask="255.255.255.128"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3EE4CB91" label="" name="lo" security_level="99" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3EE4CB93" name="firewall18:lo(ip)" netmask="255.0.0.0"/>
+          <IPv4 id="id3EE4CB93" name="firewall18:lo(ip)" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="True" id="id3EE4CD4C" label="" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False"/>
         <Management address="0.0.0.0">
@@ -12102,16 +12149,16 @@
         </Policy>
         <Routing id="id3EF7F809-routing"/>
         <Interface bridgeport="False" dyn="False" id="id3EF7F86E" label="" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="66.66.66.1" comment="" id="id3EF7F86F" name="firewall18:eth2(ip)" netmask="255.255.255.128"/>
+          <IPv4 comment="" id="id3EF7F86F" name="firewall18:eth2(ip)" address="66.66.66.1" netmask="255.255.255.128"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3EF7F871" label="" name="eth0" security_level="33" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3EF7F872" name="firewall18:eth0(ip)" netmask="255.255.255.0"/>
+          <IPv4 id="id3EF7F872" name="firewall18:eth0(ip)" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3EF7F87E" label="" name="eth1" security_level="66" unnum="False" unprotected="False">
-          <IPv4 address="66.66.66.130" comment="" id="id3EF7F87F" name="firewall18:eth1(ip)" netmask="255.255.255.128"/>
+          <IPv4 comment="" id="id3EF7F87F" name="firewall18:eth1(ip)" address="66.66.66.130" netmask="255.255.255.128"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3EF7F881" label="" name="lo" security_level="99" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3EF7F882" name="firewall18:lo(ip)" netmask="255.0.0.0"/>
+          <IPv4 id="id3EF7F882" name="firewall18:lo(ip)" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="True" id="id3EF7F8B0" label="" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False"/>
         <Management address="0.0.0.0">
@@ -12636,13 +12683,13 @@
         </Policy>
         <Routing id="id3EFBC648-routing"/>
         <Interface bridgeport="False" comment="" dyn="True" id="id3EFBC6F1" label="" mgmt="False" name="ppp*" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id3EFBC6F2" name="firewall5:ppp0(ip)" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3EFBC6F2" name="firewall5:ppp0(ip)" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3EFBC6FF" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3EFBC700" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3EFBC700" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id3EFBC702" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id3EFBC703" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3EFBC703" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -12825,10 +12872,10 @@
         <Interface bridgeport="False" comment="" dyn="True" id="id3F29FAF4" label="" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" comment="" dyn="True" id="id3F29FAF7" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id3F29FB06" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3F29FB07" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3F29FB07" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3F29FB90" label="" mgmt="True" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.100" comment="" id="id3F29FB92" name="firewall21:eth2(ip)" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3F29FB92" name="firewall21:eth2(ip)" address="192.168.1.100" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.100">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -13024,10 +13071,10 @@
         </Policy>
         <Routing id="id3FADB89A-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id3FADB988" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id3FADB989" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3FADB989" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id3FADB98B" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id3FADB98C" name="address" netmask="255.255.255.0"/>
+          <IPv4 id="id3FADB98C" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -13419,10 +13466,10 @@
         <Routing id="id3FB32E8E-routing"/>
         <Interface bridgeport="False" comment="this interface is part of the bridge" dyn="False" id="id3FB32F13" label="" mgmt="False" name="eth*" security_level="100" unnum="True" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id3FB32F49" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id3FB32F4A" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id3FB32F4A" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="c" dyn="False" id="id3FB32F4C" label="" mgmt="False" name="br0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id3FB331CD" name="firewall23:br0(ip)" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id3FB331CD" name="firewall23:br0(ip)" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -13889,10 +13936,10 @@
         <Routing id="id402B23A8-routing"/>
         <Interface bridgeport="False" comment="this interface is part of the bridge" dyn="False" id="id402B2411" label="" mgmt="False" name="tun*" security_level="100" unnum="True" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id402B2459" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id402B245A" name="address" netmask="255.0.0.0"/>
+          <IPv4 id="id402B245A" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id402B245C" label="" mgmt="False" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id402B245D" name="firewall23:eth0(ip)" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id402B245D" name="firewall23:eth0(ip)" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -14072,10 +14119,10 @@
         </Policy>
         <Routing id="id41528C2C-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id41528C53" label="outside" mgmt="True" name="eth0" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="10.3.14.58" comment="" id="id41528C88" name="rh90:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id41528C88" name="rh90:eth0:ip" address="10.3.14.58" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id41528C6A" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" comment="" id="id41528C82" name="rh90:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 comment="" id="id41528C82" name="rh90:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Management address="0.0.0.0">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -14094,10 +14141,10 @@ cat &gt; %FWDIR%/%FWSCRIPT%;
 
               
                 
-echo '%FWBPROMPT%'; chmod +x %FWDIR%/%FWSCRIPT%; sudo -S %FWDIR%/%FWSCRIPT%; sudo -S ps ax|awk '/shutdown/ {printf &quot;kill %d\n&quot;,$1;}'|sh
+echo '%FWBPROMPT%'; chmod +x %FWDIR%/%FWSCRIPT%; sudo -S %FWDIR%/%FWSCRIPT%; sudo -S ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
                 
                 
-echo '%FWBPROMPT%'; chmod +x %FWDIR%/%FWSCRIPT%; sudo -S %FWDIR%/%FWSCRIPT%; sudo -S ps ax|awk '/shutdown/ {printf &quot;kill %d\n&quot;,$1;}'|sh
+echo '%FWBPROMPT%'; chmod +x %FWDIR%/%FWSCRIPT%; sudo -S %FWDIR%/%FWSCRIPT%; sudo -S ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
                 
               
 
@@ -14119,10 +14166,10 @@ cat &gt; %FWDIR%/%FWSCRIPT%;
 
               
                 
-echo '%FWBPROMPT%'; sh %FWDIR%/%FWSCRIPT%; ps ax|awk '/shutdown/ {printf &quot;kill %d\n&quot;,$1;}'|sh
+echo '%FWBPROMPT%'; sh %FWDIR%/%FWSCRIPT%; ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
                 
                 
-echo '%FWBPROMPT%'; sh %FWDIR%/%FWSCRIPT%; ps ax|awk '/shutdown/ {printf &quot;kill %d\n&quot;,$1;}'|sh
+echo '%FWBPROMPT%'; sh %FWDIR%/%FWSCRIPT%; ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
                 
               
 
@@ -14622,13 +14669,13 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id417C680B-routing"/>
         <Interface bridgeport="False" comment="" dyn="True" id="id417C68C6" label="" mgmt="False" name="ppp*" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id417C6932" name="firewall25:ppp*:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id417C6932" name="firewall25:ppp*:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id417C6933" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id417C6937" name="firewall25:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id417C6937" name="firewall25:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id417C6938" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id417C6950" name="firewall25:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id417C6950" name="firewall25:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -15156,10 +15203,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         <Routing id="id418C4609-routing"/>
         <Interface bridgeport="False" comment="" dyn="True" id="id418C46C4" label="" mgmt="False" name="ppp" security_level="0" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id418C4731" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id418C4735" name="firewall26:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id418C4735" name="firewall26:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id418C4736" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id418C474E" name="firewall26:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id418C474E" name="firewall26:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -15246,7 +15293,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
           <Option name="verify_interfaces">True</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall comment="this firewall uses iptables-restore format&#10;all interfaces have static addresses, script pipes iptables commands straight to iptables-restore" host_OS="linux24" id="id4183D041" lastCompiled="1188097071" lastInstalled="1142003872" lastModified="1142003913" name="firewall27" platform="iptables" ro="False" version="">
+      <Firewall comment="this firewall uses iptables-restore format&#10;all interfaces have static addresses, script pipes iptables commands straight to iptables-restore" host_OS="linux24" id="id4183D041" inactive="False" lastCompiled="1197477543" lastInstalled="1142003872" lastModified="1197477519" name="firewall27" platform="iptables" ro="False" version="">
         <NAT id="id4183D0C3">
           <NATRule disabled="False" id="id4183D0C4" position="0">
             <OSrc neg="False">
@@ -15686,13 +15733,13 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id4183D041-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id4183D0FC" label="" mgmt="False" name="ppp" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.0.2.1" comment="" id="id4183D18A" name="firewall27:ppp:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id4183D18A" name="firewall27:ppp:ip" address="192.0.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id4183D167" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id4183D16B" name="firewall27:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id4183D16B" name="firewall27:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id4183D16C" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id4183D184" name="firewall27:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id4183D184" name="firewall27:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -15883,10 +15930,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id419DC88E-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id419DC8CF" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.0" comment="" id="id419DC8D3" name="firewall28:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id419DC8D3" name="firewall28:eth0:ip" address="192.168.1.0" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id419DC8D4" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.22" id="id419DC8D8" name="firewall28:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id419DC8D8" name="firewall28:eth1:ip" address="22.22.23.22" netmask="255.255.255.0"/>
         </Interface>
         <Management address="22.22.22.22">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -16073,10 +16120,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         <Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id41D29492" label="" mgmt="False" name="eth0.200" security_level="0" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id41D294A9" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id41D294AC" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id41D294B0" name="firewall29:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 id="id41D294B0" name="firewall29:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id41D294B1" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.100" comment="" id="id41D294B5" name="firewall29:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id41D294B5" name="firewall29:eth1:ip" address="192.168.1.100" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.100">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -16216,13 +16263,13 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id41F62B80-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id41F62C34" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id41F62C38" name="firewall30:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id41F62C38" name="firewall30:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id41F62C39" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id41F62C51" name="firewall30:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id41F62C51" name="firewall30:eth1:ip" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id41F62C57" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id41F62C5B" name="firewall30:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 id="id41F62C5B" name="firewall30:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -16437,10 +16484,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id429910D5-routing"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id429910DC" label="" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="33.33.33.33" id="id429910E0" name="firewall31:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id429910E0" name="firewall31:eth0:ip" address="33.33.33.33" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id429910E1" label="" mgmt="False" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id429910E5" name="firewall31:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id429910E5" name="firewall31:eth1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="True" id="id429910EB" label="" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False"/>
         <Management address="0.0.0.0">
@@ -16523,7 +16570,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
           <Option name="verify_interfaces">False</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall comment="testing AddressTable" host_OS="linux24" id="id43868A331434" lastCompiled="1188097112" lastInstalled="1142003872" lastModified="0" name="firewall32" platform="iptables" ro="False" version="">
+      <Firewall comment="testing AddressTable" host_OS="linux24" id="id43868A331434" lastCompiled="1188097112" lastInstalled="1142003872" lastModified="1205611789" name="firewall32" platform="iptables" ro="False" version="">
         <NAT id="id43868A6D1434">
           <NATRule disabled="False" id="id43868A6E1434" position="0">
             <OSrc neg="False">
@@ -16629,10 +16676,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         <Routing id="id43868A7D1434"/>
         <Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id43868A7F1434" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id43868A801434" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id43868A821434" name="firewall32:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 id="id43868A821434" name="firewall32:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id43868A831434" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.100" comment="" id="id43868A851434" name="firewall32:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id43868A851434" name="firewall32:eth1:ip" address="192.168.1.100" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.100">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -16724,7 +16771,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
           <Option name="verify_interfaces">False</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall comment="testing DNSName object" host_OS="linux24" id="id43867C1018346" lastCompiled="1188097121" lastInstalled="1142003872" lastModified="0" name="firewall33" platform="iptables" ro="False" version="">
+      <Firewall comment="testing DNSName object" host_OS="linux24" id="id43867C1018346" lastCompiled="1188097121" lastInstalled="1142003872" lastModified="1205119254" name="firewall33" platform="iptables" ro="False" version="">
         <NAT id="id43867C4818346">
           <NATRule disabled="False" id="id43867C4918346" position="0">
             <OSrc neg="False">
@@ -17061,7 +17108,28 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
             </When>
             <PolicyRuleOptions/>
           </PolicyRule>
-          <PolicyRule action="Deny" direction="Both" disabled="False" id="id43867C3C18346" log="True" position="12">
+          <PolicyRule action="Accept" comment="test for bug #1905718&#10;Group of DNS Name objects considered empty&#10;" direction="Both" disabled="False" id="id47CBF5D429252" log="False" position="12">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id47CBF5D129252"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="color">#C0BA44</Option>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule action="Deny" direction="Both" disabled="False" id="id43867C3C18346" log="True" position="13">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -17085,10 +17153,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         <Routing id="id43867C5718346"/>
         <Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id43867C5818346" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id43867C5918346" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id43867C5B18346" name="firewall33:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 id="id43867C5B18346" name="firewall33:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id43867C5C18346" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.100" comment="" id="id43867C5E18346" name="firewall33:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id43867C5E18346" name="firewall33:eth1:ip" address="192.168.1.100" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.100">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -17180,7 +17248,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
           <Option name="verify_interfaces">False</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall comment="testing AddressTable object" host_OS="linux24" id="id4389EDAE18346" inactive="False" lastCompiled="1188097128" lastInstalled="1142003872" lastModified="1167289689" name="firewall34" platform="iptables" ro="False" version="">
+      <Firewall comment="testing AddressTable object" host_OS="linux24" id="id4389EDAE18346" inactive="False" lastCompiled="1188097128" lastInstalled="1142003872" lastModified="1205611807" name="firewall34" platform="iptables" ro="False" version="">
         <NAT id="id4389EE4818346">
           <NATRule disabled="False" id="id4389EEB018346" position="0">
             <OSrc neg="True">
@@ -17555,10 +17623,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         <Routing id="id4389EE8318346"/>
         <Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id4389EE8418346" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id4389EE8518346" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id4389EE8718346" name="firewall34:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 id="id4389EE8718346" name="firewall34:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id4389EE8818346" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.100" comment="" id="id4389EE8A18346" name="firewall34:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id4389EE8A18346" name="firewall34:eth1:ip" address="192.168.1.100" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.100">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -17935,10 +18003,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         <Routing id="id439255AB25682"/>
         <Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id439255AC25682" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id439255AD25682" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id439255AF25682" name="firewall35:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 id="id439255AF25682" name="firewall35:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id439255B025682" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.100" comment="" id="id439255B225682" name="firewall35:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id439255B225682" name="firewall35:eth1:ip" address="192.168.1.100" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.100">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -18331,16 +18399,16 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
           </RoutingRule>
         </Routing>
         <Interface bridgeport="False" comment="" dyn="False" id="id43A2C03B16451" label="" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.0.2.1" comment="This is a test address, change it to your real one" id="id43A2C03D16451" name="firewall36:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="This is a test address, change it to your real one" id="id43A2C03D16451" name="firewall36:eth0:ip" address="192.0.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id43A2C03E16451" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id43A2C04016451" name="firewall36:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id43A2C04016451" name="firewall36:eth1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id43A2C04116451" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" comment="" id="id43A2C04316451" name="firewall36:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 comment="" id="id43A2C04316451" name="firewall36:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id43A2C04416451" label="" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.0.100.1" comment="" id="id43A2C04616451" name="firewall36:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id43A2C04616451" name="firewall36:eth2:ip" address="192.0.100.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -19299,13 +19367,13 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id43BB81789745"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id43BB81799745" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.22" comment="" id="id43BB817B9745" name="firewall37:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id43BB817B9745" name="firewall37:eth0:ip" address="192.168.1.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id43BB817C9745" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.22" comment="" id="id43BB817E9745" name="firewall37:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id43BB817E9745" name="firewall37:eth1:ip" address="22.22.23.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id43BB817F9745" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" comment="this interface is on the subnet that overlaps with eth1" id="id43BB81819745" name="firewall37:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="this interface is on the subnet that overlaps with eth1" id="id43BB81819745" name="firewall37:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.22">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -19859,13 +19927,13 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id43BBF1F99745"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id43BBF1FA9745" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.22" comment="" id="id43BBF1FC9745" name="firewall38:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id43BBF1FC9745" name="firewall38:eth0:ip" address="192.168.1.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id43BBF1FD9745" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.22" comment="" id="id43BBF1FF9745" name="firewall38:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id43BBF1FF9745" name="firewall38:eth1:ip" address="22.22.23.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id43BBF2009745" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" comment="this interface is on the subnet that overlaps with eth1" id="id43BBF2029745" name="firewall38:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="this interface is on the subnet that overlaps with eth1" id="id43BBF2029745" name="firewall38:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.22">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -20412,10 +20480,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         <Routing id="id440C062C14846"/>
         <Interface bridgeport="True" comment="this interface is part of the bridge" dyn="False" id="id440C062D14846" label="" mgmt="False" name="eth2" security_level="100" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id440C062E14846" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id440C063014846" name="firewall23-1:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 id="id440C063014846" name="firewall23-1:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id440C063114846" label="" mgmt="False" name="br0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id440C063314846" name="firewall23-1:br0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id440C063314846" name="firewall23-1:br0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="True" comment="" dyn="False" id="id440C063914846" label="" mgmt="False" name="eth3" security_level="100" unnum="False" unprotected="False"/>
         <Management address="192.168.1.1">
@@ -21494,13 +21562,13 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id445DA36A30753"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id445DA36B30753" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.22" comment="" id="id445DA36D30753" name="firewall39:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id445DA36D30753" name="firewall39:eth0:ip" address="192.168.1.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id445DA36E30753" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.22" comment="" id="id445DA37030753" name="firewall39:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id445DA37030753" name="firewall39:eth1:ip" address="22.22.23.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id445DA37130753" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" comment="this interface is on the subnet that overlaps with eth1" id="id445DA37330753" name="firewall39:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="this interface is on the subnet that overlaps with eth1" id="id445DA37330753" name="firewall39:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.22">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -21813,16 +21881,16 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id4492FF3D24380"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id4492FF4E24380" label="" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.0.2.1" comment="This is a test address, change it to your real one" id="id4492FF5024380" name="firewall40:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="This is a test address, change it to your real one" id="id4492FF5024380" name="firewall40:eth0:ip" address="192.0.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id4492FF5424380" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" comment="" id="id4492FF5624380" name="firewall40:lo:ip" netmask="255.0.0.0"/>
+          <IPv4 comment="" id="id4492FF5624380" name="firewall40:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id4492FF5724380" label="" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.0.100.1" comment="" id="id4492FF5924380" name="firewall40:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id4492FF5924380" name="firewall40:eth2:ip" address="192.0.100.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id4492FF6024380" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id4492FF6124380" name="firewall40:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id4492FF6124380" name="firewall40:eth1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.1">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -21963,10 +22031,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id44EC18178791"/>
         <Interface bridgeport="False" dyn="False" id="id44EC18188791" label="ext" name="eth0" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="1.1.1.1" id="id44EC18198791" name="firewall41:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id44EC18198791" name="firewall41:eth0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id44EC181A8791" label="int" name="eth1" security_level="50" unnum="False" unprotected="False">
-          <IPv4 address="2.2.2.2" id="id44EC181B8791" name="firewall41:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id44EC181B8791" name="firewall41:eth1:ip" address="2.2.2.2" netmask="255.255.255.0"/>
         </Interface>
         <Management address="0.0.0.0">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -22214,13 +22282,13 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id4513DEAB2143"/>
         <Interface bridgeport="False" dyn="False" id="id4513DEAC2143" label="" name="eth0" security_level="50" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id4513DEAD2143" name="test-shadowing-1:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id4513DEAD2143" name="test-shadowing-1:eth0:ip" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id4513DEAE2143" label="" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id4513DEAF2143" name="test-shadowing-1:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id4513DEAF2143" name="test-shadowing-1:eth1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id4513DEB02143" label="" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id4513DEB12143" name="test-shadowing-1:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id4513DEB12143" name="test-shadowing-1:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.2.1">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -22457,13 +22525,13 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id451489082143"/>
         <Interface bridgeport="False" dyn="False" id="id451489092143" label="" name="eth0" security_level="50" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id4514890B2143" name="test-shadowing-2:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id4514890B2143" name="test-shadowing-2:eth0:ip" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id4514890C2143" label="" name="eth1" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" id="id4514890E2143" name="test-shadowing-2:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id4514890E2143" name="test-shadowing-2:eth1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id4514890F2143" label="" name="eth2" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" id="id451489112143" name="test-shadowing-2:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id451489112143" name="test-shadowing-2:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.2.1">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -23678,13 +23746,13 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id45AB5C6225451"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id45AB5C6325451" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.22" comment="" id="id45AB5C6525451" name="firewall37-1:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id45AB5C6525451" name="firewall37-1:eth0:ip" address="192.168.1.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id45AB5C6625451" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.23.22" comment="" id="id45AB5C6825451" name="firewall37-1:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id45AB5C6825451" name="firewall37-1:eth1:ip" address="22.22.23.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" comment="" dyn="False" id="id45AB5C6925451" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="192.168.2.1" comment="this interface is on the subnet that overlaps with eth1" id="id45AB5C6B25451" name="firewall37-1:eth2:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="this interface is on the subnet that overlaps with eth1" id="id45AB5C6B25451" name="firewall37-1:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="192.168.1.22">
           <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@@ -23862,11 +23930,11 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         <Routing id="id46EFBE4631183"/>
         <Interface bridgeport="False" comment="" dyn="True" id="id46EFBE4731183" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False"/>
         <Interface bridgeport="False" dyn="False" id="id46EFBE4A31183" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id46EFBE4C31183" name="firewall42:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id46EFBE4C31183" name="firewall42:eth1:ip" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id46EFBE5031183" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id46EFBE5231183" name="firewall42:lo:ip" netmask="255.0.0.0"/>
-          <IPv4 address="192.168.1.1" comment="" id="id46EFBE5B31183" name="firewall42:lo:ip-1" netmask="255.255.255.0"/>
+          <IPv4 id="id46EFBE5231183" name="firewall42:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
+          <IPv4 comment="" id="id46EFBE5B31183" name="firewall42:lo:ip-1" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="0.0.0.0">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -24095,14 +24163,14 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
         </Policy>
         <Routing id="id47339EDD19714"/>
         <Interface bridgeport="False" comment="" dyn="False" id="id47339EDE19714" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="192.168.1.1" comment="" id="id47339EF819714" name="firewall50:eth0:ip" netmask="255.255.255.0"/>
+          <IPv4 comment="" id="id47339EF819714" name="firewall50:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id47339EDF19714" name="eth1" security_level="0" unnum="False" unprotected="False">
-          <IPv4 address="22.22.22.22" id="id47339EE119714" name="firewall50:eth1:ip" netmask="255.255.255.0"/>
+          <IPv4 id="id47339EE119714" name="firewall50:eth1:ip" address="22.22.22.22" netmask="255.255.255.0"/>
         </Interface>
         <Interface bridgeport="False" dyn="False" id="id47339EE219714" name="lo" security_level="100" unnum="False" unprotected="False">
-          <IPv4 address="127.0.0.1" id="id47339EE519714" name="firewall50:lo:ip1" netmask="255.0.0.0"/>
-          <IPv4 address="192.168.1.1" comment="" id="id47339EE619714" name="firewall50:lo:ip2" netmask="255.255.255.0"/>
+          <IPv4 id="id47339EE519714" name="firewall50:lo:ip1" address="127.0.0.1" netmask="255.0.0.0"/>
+          <IPv4 comment="" id="id47339EE619714" name="firewall50:lo:ip2" address="192.168.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Management address="0.0.0.0">
           <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -24204,7 +24272,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
   </Library>
   <Library id="sysid99" name="Deleted Objects" ro="False">
     <ObjectRef ref="sysid0"/>
-    <IPv4 address="192.168.1.1" comment="" id="id41D295E2" name="firewall30:ppp.200*:ip" netmask="255.255.255.0"/>
+    <IPv4 comment="" id="id41D295E2" name="firewall30:ppp.200*:ip" address="192.168.1.1" netmask="255.255.255.0"/>
     <Firewall comment="dynamic wildcard interface with a dot in the name" host_OS="linux24" id="id41D294BB" lastCompiled="0" lastInstalled="0" lastModified="0" name="firewall30" platform="iptables" ro="False" version="">
       <NAT id="id41D2953D">
         <NATRule disabled="False" id="id41D2953E" position="0">
@@ -24646,10 +24714,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
       <Routing id="id41D294BB-routing"/>
       <Interface bridgeport="False" comment="" dyn="True" id="id41D29576" label="" mgmt="False" name="ppp.200*" security_level="0" unnum="False" unprotected="False"/>
       <Interface bridgeport="False" comment="" dyn="False" id="id41D295E3" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
-        <IPv4 address="192.168.1.1" id="id41D295E7" name="firewall30:eth0:ip" netmask="255.255.255.0"/>
+        <IPv4 id="id41D295E7" name="firewall30:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
       </Interface>
       <Interface bridgeport="False" dyn="False" id="id41D295E8" name="eth2" security_level="0" unnum="False" unprotected="False">
-        <IPv4 address="192.168.2.1" id="id41D29600" name="firewall30:eth2:ip" netmask="255.255.255.0"/>
+        <IPv4 id="id41D29600" name="firewall30:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
       </Interface>
       <Management address="192.168.1.1">
         <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@@ -24738,19 +24806,19 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
       </FirewallOptions>
     </Firewall>
     <Interface bridgeport="False" dyn="False" id="id41F62C5C" name="eth3" security_level="0" unnum="False" unprotected="False">
-      <IPv4 address="22.22.23.23" id="id41F62C60" name="firewall30:eth3:ip" netmask="255.255.255.0"/>
+      <IPv4 id="id41F62C60" name="firewall30:eth3:ip" address="22.22.23.23" netmask="255.255.255.0"/>
     </Interface>
     <Interface bridgeport="False" dyn="False" id="id41F62C52" name="eth2" security_level="100" unnum="False" unprotected="False">
-      <IPv4 address="192.168.2.1" comment="" id="id41F62C56" name="firewall30:eth2:ip" netmask="255.255.255.0"/>
+      <IPv4 comment="" id="id41F62C56" name="firewall30:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
     </Interface>
     <Interface bridgeport="False" comment="" dyn="False" id="id429910E6" label="fw8:eth2" mgmt="True" name="eth2" security_level="100" unnum="False" unprotected="False">
-      <IPv4 address="192.168.100.1" id="id429910EA" name="firewall31:eth2:ip" netmask="255.255.255.0"/>
+      <IPv4 id="id429910EA" name="firewall31:eth2:ip" address="192.168.100.1" netmask="255.255.255.0"/>
     </Interface>
     <Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id43868A7E1434" label="" mgmt="False" name="eth0.200" security_level="0" unnum="False" unprotected="False"/>
     <Interface bridgeport="False" comment="" dyn="False" id="id4492FF5124380" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
-      <IPv4 address="192.168.1.1" comment="" id="id4492FF5324380" name="firewall40:eth1:ip" netmask="255.255.255.0"/>
+      <IPv4 comment="" id="id4492FF5324380" name="firewall40:eth1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
     </Interface>
-    <IPv4 address="0.0.0.0" id="id4492FF5F24380" name="firewall40:eth0:ip-1" netmask="0.0.0.0"/>
+    <IPv4 id="id4492FF5F24380" name="firewall40:eth0:ip-1" address="0.0.0.0" netmask="0.0.0.0"/>
     <Library color="#d2ffd0" comment="" id="id44EC13FB8791" name="tmp" ro="False">
       <ObjectGroup id="id44EC13FC8791" name="Objects">
         <ObjectGroup id="id44EC13FD8791" name="Addresses"/>
@@ -24774,12 +24842,12 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
       <IntervalGroup id="id44EC140D8791" name="Time"/>
     </Library>
     <Interface bridgeport="False" dyn="False" id="id46EFBE4D31183" name="eth2" security_level="100" unnum="False" unprotected="False">
-      <IPv4 address="192.168.2.1" id="id46EFBE4F31183" name="firewall42:eth2:ip" netmask="255.255.255.0"/>
+      <IPv4 id="id46EFBE4F31183" name="firewall42:eth2:ip" address="192.168.2.1" netmask="255.255.255.0"/>
     </Interface>
     <Interface bridgeport="False" dyn="False" id="id46EFBE5331183" name="eth3" security_level="0" unnum="False" unprotected="False">
-      <IPv4 address="22.22.23.23" id="id46EFBE5531183" name="firewall42:eth3:ip" netmask="255.255.255.0"/>
+      <IPv4 id="id46EFBE5531183" name="firewall42:eth3:ip" address="22.22.23.23" netmask="255.255.255.0"/>
     </Interface>
-    <IPv4 address="192.168.1.1" id="id46EFBE4931183" name="firewall42:eth0:ip" netmask="255.255.255.0"/>
+    <IPv4 id="id46EFBE4931183" name="firewall42:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
   </Library>
   <Library color="#FFFFFF" comment="" id="id4387B43718346" name="transfer" ro="False">
     <ObjectGroup id="id4387B43818346" name="Objects">
diff --git a/test/pf/objects-for-regression-tests.fwb b/test/pf/objects-for-regression-tests.fwb
index 4ecab5228..0d1d60559 100644
--- a/test/pf/objects-for-regression-tests.fwb
+++ b/test/pf/objects-for-regression-tests.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="2.1.17" lastModified="1202686020" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" id="root">
   <Library color="#d2ffd0" comment="User defined objects" id="syslib001" name="User" ro="False">
     <ObjectGroup id="stdid01_1" name="Objects">
       <ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables">
@@ -76,9 +76,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
         </Host>
@@ -92,9 +92,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
         </Host>
@@ -202,9 +202,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr_filter">True</Option>
           </HostOptions>
         </Host>
@@ -219,9 +219,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
         </Host>
@@ -235,9 +235,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr">False</Option>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
@@ -252,9 +252,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr">False</Option>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
@@ -269,9 +269,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr">False</Option>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
@@ -286,9 +286,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr">False</Option>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
@@ -303,9 +303,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr">False</Option>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
@@ -320,9 +320,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr">false</Option>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
@@ -337,9 +337,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr">false</Option>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
@@ -483,17 +483,17 @@
       <ServiceGroup id="stdid08_1" name="UDP"/>
       <ServiceGroup id="stdid13_1" name="Custom">
         <CustomService comment="Talk support" id="id3B64FE22" name="talk">
-          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipfilter"/>
           <CustomServiceCommand platform="iptables">-m ip_conntrack_talk -m ip_nat_talk</CustomServiceCommand>
         </CustomService>
         <CustomService comment="" id="id41F9FFBA" name="natproto">
-          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
-          <CustomServiceCommand platform="iptables"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables"/>
           <CustomServiceCommand platform="pf">proto {tcp udp icmp gre}</CustomServiceCommand>
-          <CustomServiceCommand platform="pix"></CustomServiceCommand>
-          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
         </CustomService>
       </ServiceGroup>
     </ServiceGroup>
@@ -694,9 +694,9 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
+              <Option name="action_on_reject"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_limit_suffix"></Option>
+              <Option name="log_limit_suffix"/>
               <Option name="log_prefix">** RULE %N</Option>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
@@ -740,10 +740,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Accept" direction="Both" disabled="True" id="id3BF1B44E" log="False" position="8">
@@ -763,10 +763,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Accept" comment="this rule is limited to 4 simultaneous&#10;connections by rule options" direction="Both" disabled="False" id="pol-firewall2-3" log="False" position="9">
@@ -789,10 +789,10 @@
               <IntervalRef ref="id3C63479E"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_rule_max_state">4</Option>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
@@ -815,10 +815,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_max_src_nodes">10</Option>
               <Option name="pf_max_src_states">10</Option>
               <Option name="pf_rule_max_state">0</Option>
@@ -843,18 +843,18 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">3</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">15</Option>
               <Option name="pf_max_src_nodes">10</Option>
               <Option name="pf_max_src_states">10</Option>
@@ -881,10 +881,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_max_src_nodes">75</Option>
               <Option name="pf_max_src_states">2</Option>
               <Option name="pf_rule_max_state">10</Option>
@@ -910,10 +910,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="pol-firewall2-4" log="False" position="14">
@@ -934,10 +934,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Accept" comment="this rule and the next one can be&#10;used to test shading" direction="Both" disabled="True" id="id3CE597E3" log="False" position="15">
@@ -957,10 +957,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3CE591F6" log="False" position="16">
@@ -980,10 +980,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Accept" comment="illegal rule - object firewall8 has&#10;dynamic interface" direction="Both" disabled="True" id="id3EE2579E" log="False" position="17">
@@ -1024,10 +1024,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Deny" comment="Automatically generated 'catch all' rule" direction="Both" disabled="False" id="pol-firewall2-7" log="True" position="19">
@@ -1047,11 +1047,11 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_limit_suffix"></Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_limit_suffix"/>
+              <Option name="log_prefix"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -1075,26 +1075,26 @@
           <Option name="accept_established">False</Option>
           <Option name="accept_new_tcp_with_no_syn">False</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">True</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/second</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -1119,9 +1119,9 @@
           <Option name="openbsd_ip_forward">1</Option>
           <Option name="openbsd_ip_redirect">0</Option>
           <Option name="openbsd_ip_sourceroute">0</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">12000</Option>
           <Option name="pf_adaptive_start">6000</Option>
@@ -1140,7 +1140,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">1000000</Option>
           <Option name="pf_limit_tables">1000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">10</Option>
           <Option name="pf_other_multiple">10</Option>
           <Option name="pf_other_single">10</Option>
@@ -1183,11 +1183,11 @@
           <Option name="prolog_place">fw_file</Option>
           <Option name="prolog_script">echo 'This is prolog script'
 </Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
         </FirewallOptions>
@@ -1679,10 +1679,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
+              <Option name="action_on_reject"/>
               <Option name="limit_suffix">/minute</Option>
               <Option name="limit_value">10</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -1704,10 +1704,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
+              <Option name="action_on_reject"/>
               <Option name="limit_suffix">/minute</Option>
               <Option name="limit_value">10</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -1792,10 +1792,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
+              <Option name="action_on_reject"/>
               <Option name="limit_suffix">/minute</Option>
               <Option name="limit_value">10</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -1925,26 +1925,26 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -1956,18 +1956,18 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -1980,7 +1980,7 @@
           <Option name="pf_icmp_first">0</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">1000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -2029,11 +2029,11 @@
 
 </Option>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -2183,19 +2183,19 @@
           <Option name="action_on_reject">ICMP net unreachable</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">True</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/second</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -2207,7 +2207,7 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
@@ -2218,13 +2218,13 @@
           <Option name="openbsd_ip_forward">1</Option>
           <Option name="openbsd_ip_redirect">0</Option>
           <Option name="openbsd_ip_sourceroute">0</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_do_scrub">True</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_scrub_fragm_crop">False</Option>
           <Option name="pf_scrub_fragm_drop_ovl">False</Option>
           <Option name="pf_scrub_maxmss">1460</Option>
@@ -2236,10 +2236,10 @@
           <Option name="pf_timeout_frag">30</Option>
           <Option name="pf_timeout_interval">10</Option>
           <Option name="platform">iptables</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
         </FirewallOptions>
@@ -2267,7 +2267,7 @@
             </TSrv>
             <NATRuleOptions>
               <Option name="color">#C0BA44</Option>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </NATRuleOptions>
           </NATRule>
           <NATRule disabled="False" id="id3AFB66D6" position="1">
@@ -2292,7 +2292,7 @@
             </TSrv>
             <NATRuleOptions>
               <Option name="color">#C0BA44</Option>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </NATRuleOptions>
           </NATRule>
           <NATRule disabled="False" id="id3CABE6DF" position="2">
@@ -2340,7 +2340,7 @@
             </TSrv>
             <NATRuleOptions>
               <Option name="color">#C0BA44</Option>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </NATRuleOptions>
           </NATRule>
           <NATRule comment="" disabled="False" id="id40E9A83B" position="4">
@@ -2365,7 +2365,7 @@
             </TSrv>
             <NATRuleOptions>
               <Option name="color">#C0BA44</Option>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </NATRuleOptions>
           </NATRule>
           <NATRule comment="" disabled="False" id="id40E9A850" position="5">
@@ -2413,7 +2413,7 @@
             </TSrv>
             <NATRuleOptions>
               <Option name="color">#C0BA44</Option>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </NATRuleOptions>
           </NATRule>
           <NATRule comment="" disabled="False" id="id40E9A8F2" position="7">
@@ -2438,7 +2438,7 @@
             </TSrv>
             <NATRuleOptions>
               <Option name="color">#C0BA44</Option>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </NATRuleOptions>
           </NATRule>
           <NATRule comment="" disabled="False" id="id40E9A907" position="8">
@@ -2549,7 +2549,7 @@
               <ServiceRef ref="sysid1"/>
             </TSrv>
             <NATRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </NATRuleOptions>
           </NATRule>
           <NATRule disabled="True" id="id3BD6757E" position="13">
@@ -2928,8 +2928,8 @@
               <ObjectRef ref="id3AFB6706"/>
             </Itf>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
               <Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
               <Option name="stateless">True</Option>
@@ -2953,8 +2953,8 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
               <Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
               <Option name="stateless">True</Option>
@@ -2979,8 +2979,8 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
               <Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
               <Option name="stateless">True</Option>
@@ -3005,8 +3005,8 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
               <Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
               <Option name="stateless">True</Option>
@@ -3027,8 +3027,8 @@
               <ObjectRef ref="id3AFB6706"/>
             </Itf>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
               <Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
               <Option name="stateless">True</Option>
@@ -3051,7 +3051,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -3073,7 +3073,7 @@
             </When>
             <PolicyRuleOptions>
               <Option name="action_on_reject">TCP RST</Option>
-              <Option name="limit_suffix"></Option>
+              <Option name="limit_suffix"/>
               <Option name="limit_value">0</Option>
               <Option name="log_prefix">IDENT</Option>
               <Option name="stateless">True</Option>
@@ -3134,7 +3134,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Accept" comment="host-fw2 has the same address as &#10;        one of the firewall's interfaces" direction="Both" disabled="True" id="id3C447B8D" log="True" position="11">
@@ -3193,7 +3193,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -3223,27 +3223,27 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">False</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="id"></Option>
+          <Option name="id"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/second</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_accept_redirects">0</Option>
@@ -3270,9 +3270,9 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -3336,11 +3336,11 @@
 # prolog commands go after set commands
 </Option>
           <Option name="proxy_arp">True</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">True</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -3368,7 +3368,7 @@
               <ServiceRef ref="sysid1"/>
             </TSrv>
             <NATRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </NATRuleOptions>
           </NATRule>
           <NATRule disabled="False" id="id3B0C6390" position="1">
@@ -3391,7 +3391,7 @@
               <ServiceRef ref="sysid1"/>
             </TSrv>
             <NATRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </NATRuleOptions>
           </NATRule>
           <NATRule disabled="False" id="id3B202AFF" position="2">
@@ -3508,7 +3508,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3B0C63B4" log="True" position="4">
@@ -3529,7 +3529,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -3551,7 +3551,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -3574,7 +3574,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -3595,7 +3595,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3B0C63D5" log="True" position="8">
@@ -3615,7 +3615,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="id"></Option>
+              <Option name="id"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -3645,27 +3645,27 @@
           <Option name="accept_established">False</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="id"></Option>
+          <Option name="id"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -3677,18 +3677,18 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -3701,7 +3701,7 @@
           <Option name="pf_icmp_first">0</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -3745,11 +3745,11 @@
           <Option name="prolog_script"># prolog commands go after table definitions
 </Option>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">False</Option>
         </FirewallOptions>
@@ -3797,10 +3797,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
+              <Option name="action_on_reject"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_limit_suffix"></Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_limit_suffix"/>
+              <Option name="log_prefix"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -3822,10 +3822,10 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
+              <Option name="action_on_reject"/>
               <Option name="limit_value">0</Option>
-              <Option name="log_limit_suffix"></Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_limit_suffix"/>
+              <Option name="log_prefix"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -3869,23 +3869,23 @@
           <Option name="accept_established">False</Option>
           <Option name="accept_new_tcp_with_no_syn">False</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">False</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">True</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/second</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -3897,7 +3897,7 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
@@ -3908,13 +3908,13 @@
           <Option name="openbsd_ip_forward">1</Option>
           <Option name="openbsd_ip_redirect">0</Option>
           <Option name="openbsd_ip_sourceroute">0</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_do_scrub">False</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_scrub_fragm_crop">False</Option>
           <Option name="pf_scrub_fragm_drop_ovl">False</Option>
           <Option name="pf_scrub_maxmss">1460</Option>
@@ -3927,10 +3927,10 @@
           <Option name="pf_timeout_frag">30</Option>
           <Option name="pf_timeout_interval">10</Option>
           <Option name="platform">iptables</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
         </FirewallOptions>
@@ -4003,19 +4003,19 @@
           <Option name="action_on_reject">ICMP net unreachable</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -4027,20 +4027,20 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_do_scrub">True</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_scrub_fragm_crop">False</Option>
           <Option name="pf_scrub_fragm_drop_ovl">False</Option>
           <Option name="pf_scrub_maxmss">1460</Option>
@@ -4053,10 +4053,10 @@
           <Option name="pf_timeout_interval">10</Option>
           <Option name="platform">iptables</Option>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -4131,19 +4131,19 @@
           <Option name="action_on_reject">ICMP net unreachable</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -4155,20 +4155,20 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_do_scrub">True</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_scrub_fragm_crop">False</Option>
           <Option name="pf_scrub_fragm_drop_ovl">False</Option>
           <Option name="pf_scrub_maxmss">1460</Option>
@@ -4181,10 +4181,10 @@
           <Option name="pf_timeout_interval">10</Option>
           <Option name="platform">iptables</Option>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -4517,14 +4517,14 @@
         </Management>
         <FirewallOptions>
           <Option name="check_shading">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="manage_virtual_addr">False</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_optimisation">False</Option>
@@ -4535,7 +4535,7 @@
           <Option name="pf_do_scrub">True</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_scrub_fragm_crop">False</Option>
           <Option name="pf_scrub_fragm_drop_ovl">False</Option>
           <Option name="pf_scrub_maxmss">1460</Option>
@@ -4546,9 +4546,9 @@
           <Option name="pf_scrub_use_minttl">False</Option>
           <Option name="pf_timeout_frag">30</Option>
           <Option name="pf_timeout_interval">10</Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
           <Option name="use_tables">True</Option>
         </FirewallOptions>
       </Firewall>
@@ -4712,22 +4712,22 @@
           <Option name="action_on_reject">ICMP net unreachable</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -4739,20 +4739,20 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_do_scrub">True</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_scrub_fragm_crop">False</Option>
           <Option name="pf_scrub_fragm_drop_ovl">False</Option>
           <Option name="pf_scrub_maxmss">1460</Option>
@@ -4765,10 +4765,10 @@
           <Option name="pf_timeout_interval">10</Option>
           <Option name="platform">iptables</Option>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -5107,50 +5107,50 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">False</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="drop_invalid">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="epilog_script"/>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">False</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
-          <Option name="linux24_accept_redirects"></Option>
-          <Option name="linux24_accept_source_route"></Option>
-          <Option name="linux24_icmp_echo_ignore_all"></Option>
-          <Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
-          <Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
-          <Option name="linux24_ip_dynaddr"></Option>
-          <Option name="linux24_ip_forward"></Option>
-          <Option name="linux24_log_martians"></Option>
-          <Option name="linux24_path_ip"></Option>
-          <Option name="linux24_path_iptables"></Option>
-          <Option name="linux24_path_logger"></Option>
-          <Option name="linux24_path_lsmod"></Option>
-          <Option name="linux24_path_modprobe"></Option>
-          <Option name="linux24_rp_filter"></Option>
-          <Option name="linux24_tcp_ecn"></Option>
-          <Option name="linux24_tcp_fack"></Option>
+          <Option name="linux24_accept_redirects"/>
+          <Option name="linux24_accept_source_route"/>
+          <Option name="linux24_icmp_echo_ignore_all"/>
+          <Option name="linux24_icmp_echo_ignore_broadcasts"/>
+          <Option name="linux24_icmp_ignore_bogus_error_responses"/>
+          <Option name="linux24_ip_dynaddr"/>
+          <Option name="linux24_ip_forward"/>
+          <Option name="linux24_log_martians"/>
+          <Option name="linux24_path_ip"/>
+          <Option name="linux24_path_iptables"/>
+          <Option name="linux24_path_logger"/>
+          <Option name="linux24_path_lsmod"/>
+          <Option name="linux24_path_modprobe"/>
+          <Option name="linux24_rp_filter"/>
+          <Option name="linux24_tcp_ecn"/>
+          <Option name="linux24_tcp_fack"/>
           <Option name="linux24_tcp_fin_timeout">30</Option>
           <Option name="linux24_tcp_keepalive_interval">1800</Option>
-          <Option name="linux24_tcp_sack"></Option>
-          <Option name="linux24_tcp_syncookies"></Option>
-          <Option name="linux24_tcp_timestamps"></Option>
-          <Option name="linux24_tcp_window_scaling"></Option>
+          <Option name="linux24_tcp_sack"/>
+          <Option name="linux24_tcp_syncookies"/>
+          <Option name="linux24_tcp_timestamps"/>
+          <Option name="linux24_tcp_window_scaling"/>
           <Option name="load_modules">False</Option>
           <Option name="local_nat">False</Option>
           <Option name="log_all">False</Option>
@@ -5164,20 +5164,20 @@
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="output_file"></Option>
+          <Option name="output_file"/>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">top</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="ulog_cprange">0</Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="ulog_qthreshold">1</Option>
@@ -5535,7 +5535,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_max_src_conn">5</Option>
               <Option name="pf_max_src_conn_flush">True</Option>
               <Option name="pf_max_src_conn_global">True</Option>
@@ -5543,7 +5543,7 @@
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -5608,50 +5608,50 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">False</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="drop_invalid">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="epilog_script"/>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">False</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
-          <Option name="linux24_accept_redirects"></Option>
-          <Option name="linux24_accept_source_route"></Option>
-          <Option name="linux24_icmp_echo_ignore_all"></Option>
-          <Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
-          <Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
-          <Option name="linux24_ip_dynaddr"></Option>
-          <Option name="linux24_ip_forward"></Option>
-          <Option name="linux24_log_martians"></Option>
-          <Option name="linux24_path_ip"></Option>
-          <Option name="linux24_path_iptables"></Option>
-          <Option name="linux24_path_logger"></Option>
-          <Option name="linux24_path_lsmod"></Option>
-          <Option name="linux24_path_modprobe"></Option>
-          <Option name="linux24_rp_filter"></Option>
-          <Option name="linux24_tcp_ecn"></Option>
-          <Option name="linux24_tcp_fack"></Option>
+          <Option name="linux24_accept_redirects"/>
+          <Option name="linux24_accept_source_route"/>
+          <Option name="linux24_icmp_echo_ignore_all"/>
+          <Option name="linux24_icmp_echo_ignore_broadcasts"/>
+          <Option name="linux24_icmp_ignore_bogus_error_responses"/>
+          <Option name="linux24_ip_dynaddr"/>
+          <Option name="linux24_ip_forward"/>
+          <Option name="linux24_log_martians"/>
+          <Option name="linux24_path_ip"/>
+          <Option name="linux24_path_iptables"/>
+          <Option name="linux24_path_logger"/>
+          <Option name="linux24_path_lsmod"/>
+          <Option name="linux24_path_modprobe"/>
+          <Option name="linux24_rp_filter"/>
+          <Option name="linux24_tcp_ecn"/>
+          <Option name="linux24_tcp_fack"/>
           <Option name="linux24_tcp_fin_timeout">30</Option>
           <Option name="linux24_tcp_keepalive_interval">1800</Option>
-          <Option name="linux24_tcp_sack"></Option>
-          <Option name="linux24_tcp_syncookies"></Option>
-          <Option name="linux24_tcp_timestamps"></Option>
-          <Option name="linux24_tcp_window_scaling"></Option>
+          <Option name="linux24_tcp_sack"/>
+          <Option name="linux24_tcp_syncookies"/>
+          <Option name="linux24_tcp_timestamps"/>
+          <Option name="linux24_tcp_window_scaling"/>
           <Option name="load_modules">False</Option>
           <Option name="local_nat">False</Option>
           <Option name="log_all">False</Option>
@@ -5665,20 +5665,20 @@
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="output_file"></Option>
+          <Option name="output_file"/>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">top</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="ulog_cprange">0</Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="ulog_qthreshold">1</Option>
@@ -5752,12 +5752,12 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="classify_str"></Option>
-              <Option name="custom_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="classify_str"/>
+              <Option name="custom_str"/>
               <Option name="ipfw_pipe_method">0</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="tagvalue">INTNET</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -5924,14 +5924,14 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
+              <Option name="action_on_reject"/>
               <Option name="classify_str">mail</Option>
-              <Option name="custom_str"></Option>
+              <Option name="custom_str"/>
               <Option name="ipfw_pipe_method">0</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">True</Option>
-              <Option name="tagvalue"></Option>
+              <Option name="tagvalue"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Deny" direction="Both" disabled="False" id="id43EC5E132355" log="True" position="10">
@@ -5975,29 +5975,29 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">False</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -6009,18 +6009,18 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -6033,7 +6033,7 @@
           <Option name="pf_icmp_first">0</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -6073,13 +6073,13 @@
           <Option name="pf_udp_multiple">0</Option>
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -6272,7 +6272,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
               <Option name="pf_rule_max_state">1000</Option>
@@ -6300,16 +6300,16 @@
         <FirewallOptions>
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="eliminate_duplicates">true</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">true</Option>
@@ -6325,11 +6325,11 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">False</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"></Option>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -6342,7 +6342,7 @@
           <Option name="pf_icmp_first">0</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -6400,7 +6400,7 @@
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"></Option>
+          <Option name="sshArgs"/>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="verify_interfaces">true</Option>
         </FirewallOptions>
@@ -6468,12 +6468,12 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="classify_str"></Option>
-              <Option name="custom_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="classify_str"/>
+              <Option name="custom_str"/>
               <Option name="ipfw_pipe_method">0</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="tagvalue">INTNET</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -6749,14 +6749,14 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
+              <Option name="action_on_reject"/>
               <Option name="classify_str">mail</Option>
-              <Option name="custom_str"></Option>
+              <Option name="custom_str"/>
               <Option name="ipfw_pipe_method">0</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">True</Option>
-              <Option name="tagvalue"></Option>
+              <Option name="tagvalue"/>
             </PolicyRuleOptions>
           </PolicyRule>
           <PolicyRule action="Deny" direction="Both" disabled="False" id="id445DB3C332739" log="True" position="10">
@@ -6800,29 +6800,29 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">False</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -6834,18 +6834,18 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -6858,7 +6858,7 @@
           <Option name="pf_icmp_first">0</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -6898,13 +6898,13 @@
           <Option name="pf_udp_multiple">0</Option>
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -6973,7 +6973,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
               <Option name="pf_rule_max_state">0</Option>
@@ -6998,7 +6998,7 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
               <Option name="pf_rule_max_state">0</Option>
@@ -7024,28 +7024,28 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_route_opt_addr">192.0.2.10</Option>
               <Option name="pf_route_opt_if">le1</Option>
               <Option name="pf_route_option">route_through</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -7066,28 +7066,28 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_route_opt_addr">192.0.3.10</Option>
               <Option name="pf_route_opt_if">le2</Option>
               <Option name="pf_route_option">route_through</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -7151,16 +7151,16 @@
         <FirewallOptions>
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="eliminate_duplicates">true</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">true</Option>
@@ -7176,11 +7176,11 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">True</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"></Option>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -7193,7 +7193,7 @@
           <Option name="pf_icmp_first">0</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -7244,11 +7244,11 @@
           <Option name="pix_security_fragguard_supported">true</Option>
           <Option name="pix_syslog_device_id_supported">false</Option>
           <Option name="pix_use_acl_remarks">true</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"></Option>
+          <Option name="sshArgs"/>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="verify_interfaces">true</Option>
         </FirewallOptions>
@@ -7452,16 +7452,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -7487,16 +7487,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">True</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -7543,29 +7543,29 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">False</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -7577,7 +7577,7 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
@@ -7586,9 +7586,9 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -7607,7 +7607,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -7648,13 +7648,13 @@
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -7744,16 +7744,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -7779,16 +7779,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">True</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -7835,29 +7835,29 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">False</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -7869,7 +7869,7 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
@@ -7878,9 +7878,9 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -7899,7 +7899,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -7940,13 +7940,13 @@
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -8036,16 +8036,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -8071,16 +8071,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">True</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -8127,29 +8127,29 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -8161,7 +8161,7 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
@@ -8170,9 +8170,9 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -8191,7 +8191,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -8232,13 +8232,13 @@
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -8328,16 +8328,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -8363,16 +8363,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">True</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -8419,29 +8419,29 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -8453,7 +8453,7 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
@@ -8462,9 +8462,9 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -8483,7 +8483,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -8524,13 +8524,13 @@
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -8599,16 +8599,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">True</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -8655,16 +8655,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -8690,16 +8690,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">True</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -8746,29 +8746,29 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">False</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">False</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -8780,7 +8780,7 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
@@ -8789,9 +8789,9 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">True</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -8810,7 +8810,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -8851,13 +8851,13 @@
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -8947,16 +8947,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -8982,16 +8982,16 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_keep_state">True</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9038,29 +9038,29 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">False</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -9072,7 +9072,7 @@
           <Option name="log_level">debug</Option>
           <Option name="log_limit_suffix">/second</Option>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
@@ -9081,9 +9081,9 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">True</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -9102,7 +9102,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -9143,13 +9143,13 @@
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="proxy_arp">False</Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -9218,35 +9218,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#8BC065</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9256,7 +9256,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9277,35 +9277,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#8BC065</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9315,7 +9315,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9336,35 +9336,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#8BC065</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9374,7 +9374,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9395,35 +9395,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#7694C0</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9433,7 +9433,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9454,35 +9454,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#7694C0</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9492,7 +9492,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9513,35 +9513,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#7694C0</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9551,7 +9551,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9572,35 +9572,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#C0BA44</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9610,7 +9610,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9631,35 +9631,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#C0BA44</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9669,7 +9669,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9690,35 +9690,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#C0BA44</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9728,7 +9728,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9749,35 +9749,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#C86E6E</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9787,7 +9787,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9808,35 +9808,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#C86E6E</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9846,7 +9846,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9867,35 +9867,35 @@
               <IntervalRef ref="sysid2"/>
             </When>
             <PolicyRuleOptions>
-              <Option name="action_on_reject"></Option>
-              <Option name="branch_anchor_name"></Option>
-              <Option name="branch_chain_name"></Option>
-              <Option name="classify_str"></Option>
+              <Option name="action_on_reject"/>
+              <Option name="branch_anchor_name"/>
+              <Option name="branch_chain_name"/>
+              <Option name="classify_str"/>
               <Option name="color">#C86E6E</Option>
-              <Option name="custom_str"></Option>
-              <Option name="ipf_route_opt_addr"></Option>
-              <Option name="ipf_route_opt_if"></Option>
+              <Option name="custom_str"/>
+              <Option name="ipf_route_opt_addr"/>
+              <Option name="ipf_route_opt_if"/>
               <Option name="ipf_route_option">route_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
               <Option name="ipt_continue">False</Option>
-              <Option name="ipt_gw"></Option>
-              <Option name="ipt_iif"></Option>
+              <Option name="ipt_gw"/>
+              <Option name="ipt_iif"/>
               <Option name="ipt_mark_connections">False</Option>
-              <Option name="ipt_oif"></Option>
+              <Option name="ipt_oif"/>
               <Option name="ipt_tee">False</Option>
-              <Option name="log_prefix"></Option>
+              <Option name="log_prefix"/>
               <Option name="pf_fastroute">False</Option>
               <Option name="pf_keep_state">False</Option>
               <Option name="pf_max_src_conn">0</Option>
               <Option name="pf_max_src_conn_flush">False</Option>
               <Option name="pf_max_src_conn_global">False</Option>
-              <Option name="pf_max_src_conn_overload_table"></Option>
+              <Option name="pf_max_src_conn_overload_table"/>
               <Option name="pf_max_src_conn_rate_flush">False</Option>
               <Option name="pf_max_src_conn_rate_global">False</Option>
               <Option name="pf_max_src_conn_rate_num">0</Option>
-              <Option name="pf_max_src_conn_rate_overload_table"></Option>
+              <Option name="pf_max_src_conn_rate_overload_table"/>
               <Option name="pf_max_src_conn_rate_seconds">0</Option>
               <Option name="pf_max_src_nodes">0</Option>
               <Option name="pf_max_src_states">0</Option>
@@ -9905,7 +9905,7 @@
               <Option name="pf_route_option">route_through</Option>
               <Option name="pf_rule_max_state">0</Option>
               <Option name="pf_source_tracking">False</Option>
-              <Option name="rule_name_accounting"></Option>
+              <Option name="rule_name_accounting"/>
               <Option name="stateless">False</Option>
             </PolicyRuleOptions>
           </PolicyRule>
@@ -9931,16 +9931,16 @@
         <FirewallOptions>
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
-          <Option name="activationCmd"></Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="activationCmd"/>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="eliminate_duplicates">true</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">true</Option>
@@ -9956,11 +9956,11 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">True</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"></Option>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -9973,7 +9973,7 @@
           <Option name="pf_icmp_first">0</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -10024,11 +10024,11 @@
           <Option name="pix_security_fragguard_supported">true</Option>
           <Option name="pix_syslog_device_id_supported">false</Option>
           <Option name="pix_use_acl_remarks">true</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"></Option>
+          <Option name="sshArgs"/>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="verify_interfaces">true</Option>
         </FirewallOptions>
@@ -10409,26 +10409,26 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP host prohibited</Option>
-          <Option name="activationCmd"></Option>
+          <Option name="activationCmd"/>
           <Option name="admUser">root</Option>
           <Option name="altAddress">labfw</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc/fw</Option>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -10438,9 +10438,9 @@
           <Option name="log_all_dropped">False</Option>
           <Option name="log_ip_opt">False</Option>
           <Option name="log_level">debug</Option>
-          <Option name="log_limit_suffix"></Option>
+          <Option name="log_limit_suffix"/>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">False</Option>
@@ -10449,13 +10449,13 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"></Option>
+          <Option name="openbsd_ip_directed_broadcast"/>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"></Option>
-          <Option name="openbsd_ip_sourceroute"></Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_ip_redirect"/>
+          <Option name="openbsd_ip_sourceroute"/>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -10468,7 +10468,7 @@
           <Option name="pf_icmp_first">0</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -10509,12 +10509,12 @@
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="prolog_script"/>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -10701,33 +10701,33 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP host prohibited</Option>
-          <Option name="activationCmd"></Option>
+          <Option name="activationCmd"/>
           <Option name="admUser">root</Option>
           <Option name="altAddress">10.3.14.121</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc/fw</Option>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="freebsd_ip_forward">1</Option>
-          <Option name="freebsd_ip_redirect"></Option>
-          <Option name="freebsd_ip_sourceroute"></Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipfw"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_ip_redirect"/>
+          <Option name="freebsd_ip_sourceroute"/>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipfw"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -10737,9 +10737,9 @@
           <Option name="log_all_dropped">False</Option>
           <Option name="log_ip_opt">False</Option>
           <Option name="log_level">debug</Option>
-          <Option name="log_limit_suffix"></Option>
+          <Option name="log_limit_suffix"/>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">False</Option>
@@ -10748,13 +10748,13 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"></Option>
+          <Option name="openbsd_ip_directed_broadcast"/>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"></Option>
-          <Option name="openbsd_ip_sourceroute"></Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_ip_redirect"/>
+          <Option name="openbsd_ip_sourceroute"/>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -10767,7 +10767,7 @@
           <Option name="pf_icmp_first">0</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -10807,12 +10807,12 @@
           <Option name="pf_udp_multiple">0</Option>
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
-          <Option name="prolog_script"></Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="prolog_script"/>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -11003,26 +11003,26 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP host prohibited</Option>
-          <Option name="activationCmd"></Option>
+          <Option name="activationCmd"/>
           <Option name="admUser">root</Option>
-          <Option name="altAddress"></Option>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">True</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc/fw</Option>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -11032,9 +11032,9 @@
           <Option name="log_all_dropped">False</Option>
           <Option name="log_ip_opt">False</Option>
           <Option name="log_level">debug</Option>
-          <Option name="log_limit_suffix"></Option>
+          <Option name="log_limit_suffix"/>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">False</Option>
@@ -11043,13 +11043,13 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"></Option>
+          <Option name="openbsd_ip_directed_broadcast"/>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"></Option>
-          <Option name="openbsd_ip_sourceroute"></Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_ip_redirect"/>
+          <Option name="openbsd_ip_sourceroute"/>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -11062,7 +11062,7 @@
           <Option name="pf_icmp_first">0</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -11103,12 +11103,12 @@
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="prolog_script"/>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
@@ -11299,26 +11299,26 @@
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
           <Option name="action_on_reject">ICMP host prohibited</Option>
-          <Option name="activationCmd"></Option>
+          <Option name="activationCmd"/>
           <Option name="admUser">root</Option>
-          <Option name="altAddress"></Option>
+          <Option name="altAddress"/>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
-          <Option name="cmdline"></Option>
-          <Option name="compiler"></Option>
+          <Option name="cmdline"/>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">False</Option>
           <Option name="debug">True</Option>
           <Option name="dyn_addr">False</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc/fw</Option>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
-          <Option name="inst_cmdline"></Option>
-          <Option name="inst_script"></Option>
-          <Option name="install_script"></Option>
+          <Option name="inst_cmdline"/>
+          <Option name="inst_script"/>
+          <Option name="install_script"/>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -11328,9 +11328,9 @@
           <Option name="log_all_dropped">False</Option>
           <Option name="log_ip_opt">False</Option>
           <Option name="log_level">debug</Option>
-          <Option name="log_limit_suffix"></Option>
+          <Option name="log_limit_suffix"/>
           <Option name="log_limit_value">0</Option>
-          <Option name="log_prefix"></Option>
+          <Option name="log_prefix"/>
           <Option name="log_tcp_opt">False</Option>
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">False</Option>
@@ -11339,13 +11339,13 @@
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"></Option>
+          <Option name="openbsd_ip_directed_broadcast"/>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"></Option>
-          <Option name="openbsd_ip_sourceroute"></Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_ip_redirect"/>
+          <Option name="openbsd_ip_sourceroute"/>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -11364,7 +11364,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -11405,12 +11405,12 @@
           <Option name="pf_udp_single">0</Option>
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
-          <Option name="script_env_path"></Option>
-          <Option name="snmp_contact"></Option>
-          <Option name="snmp_description"></Option>
-          <Option name="snmp_location"></Option>
-          <Option name="sshArgs"></Option>
+          <Option name="prolog_script"/>
+          <Option name="script_env_path"/>
+          <Option name="snmp_contact"/>
+          <Option name="snmp_description"/>
+          <Option name="snmp_location"/>
+          <Option name="sshArgs"/>
           <Option name="use_ip_tool">False</Option>
           <Option name="use_numeric_log_levels">False</Option>
           <Option name="use_tables">True</Option>
diff --git a/test/pix/quick-cmp.sh b/test/pix/quick-cmp.sh
index 515b1bd28..b86e16ec3 100755
--- a/test/pix/quick-cmp.sh
+++ b/test/pix/quick-cmp.sh
@@ -2,7 +2,9 @@
 
 $XMLFILE=@ARGV[0];
 
-$DIFFCMD="diff -0 -u -b -B -I \"!  Generated\" ";
+$DIFFCMD="diff -C 1 -c -b -B -I \"!  Generated\" -I 'Activating ' -I '!  Firewall Builder  fwb_pix v' -I 'Can not find file' ";
+
+#$DIFFCMD="diff -u -b -B -I \"!  Generated\" ";
 
 while (<>) {
   $str=$_;