From 926db9b942c94b9774133b1362d67172ebb63dab Mon Sep 17 00:00:00 2001
From: Vadim Kurland <vadim@slot.vk.crocodile.org>
Date: Sun, 20 Feb 2011 16:11:29 -0800
Subject: [PATCH] see #153 deprecating getInterfaceStr: eliminated use of this
 function in policy compiler for PIX and IOS ACL

---
 VERSION                                       |   2 +-
 VERSION.h                                     |   2 +-
 packaging/fwbuilder-static-qt.spec            |   2 +-
 packaging/fwbuilder.control                   |   2 +-
 packaging/fwbuilder.spec                      |   2 +-
 .../NamedObjectsAndGroupsSupport.cpp          |   4 -
 src/cisco_lib/PolicyCompiler_cisco.cpp        |  51 ++-
 src/cisco_lib/PolicyCompiler_cisco_acls.cpp   |  78 +++-
 ...olicyCompiler_pix_replace_translations.cpp |  21 +-
 src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp  |  88 ++--
 src/cisco_lib/PolicyCompiler_pix_writers.cpp  |  23 +-
 .../objects-for-regression-tests.fwb          | 410 +++++++++---------
 12 files changed, 389 insertions(+), 296 deletions(-)

diff --git a/VERSION b/VERSION
index 09c385d3c..7e3377ed5 100644
--- a/VERSION
+++ b/VERSION
@@ -7,7 +7,7 @@ FWB_MICRO_VERSION=0
 # build number is like "nano" version number. I am incrementing build
 # number during development cycle
 #
-BUILD_NUM="3482"
+BUILD_NUM="3483"
 
 VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"
 
diff --git a/VERSION.h b/VERSION.h
index fdb07871c..b02513eb0 100644
--- a/VERSION.h
+++ b/VERSION.h
@@ -1,2 +1,2 @@
-#define VERSION      "4.2.0.3482"
+#define VERSION      "4.2.0.3483"
 #define GENERATION   "4.2"
diff --git a/packaging/fwbuilder-static-qt.spec b/packaging/fwbuilder-static-qt.spec
index 250c6d12c..87b343665 100644
--- a/packaging/fwbuilder-static-qt.spec
+++ b/packaging/fwbuilder-static-qt.spec
@@ -3,7 +3,7 @@
 
 
 %define name    fwbuilder
-%define version 4.2.0.3482
+%define version 4.2.0.3483
 %define release 1
 
 %if "%_vendor" == "MandrakeSoft"
diff --git a/packaging/fwbuilder.control b/packaging/fwbuilder.control
index edabe6024..56f9cdbf3 100644
--- a/packaging/fwbuilder.control
+++ b/packaging/fwbuilder.control
@@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
 Priority: extra
 Section: checkinstall
 Maintainer: vadim@fwbuilder.org
-Version: 4.2.0.3482-1
+Version: 4.2.0.3483-1
 Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
 Description: Firewall Builder GUI and policy compilers
diff --git a/packaging/fwbuilder.spec b/packaging/fwbuilder.spec
index e9ac21b4d..289676041 100644
--- a/packaging/fwbuilder.spec
+++ b/packaging/fwbuilder.spec
@@ -1,6 +1,6 @@
 
 %define name    fwbuilder
-%define version 4.2.0.3482
+%define version 4.2.0.3483
 %define release 1
 
 %if "%_vendor" == "MandrakeSoft"
diff --git a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
index 5a8edb521..adc82f1c8 100644
--- a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
+++ b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
@@ -106,10 +106,6 @@ bool CreateObjectGroups::processNext()
     string version = compiler->fw->getStr("version");
     string platform = compiler->fw->getStr("platform");
 
-    // Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
-    //                                             rule->getInterfaceId()));
-    //assert(rule_iface);
-
     RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
 
     if (re->size()==1)
diff --git a/src/cisco_lib/PolicyCompiler_cisco.cpp b/src/cisco_lib/PolicyCompiler_cisco.cpp
index bcd46e1eb..42c81e78e 100644
--- a/src/cisco_lib/PolicyCompiler_cisco.cpp
+++ b/src/cisco_lib/PolicyCompiler_cisco.cpp
@@ -131,15 +131,18 @@ string PolicyCompiler_cisco::debugPrintRule(Rule *r)
 {
     ostringstream str;
     PolicyRule *rule = PolicyRule::cast(r);
-    FWObject *rule_iface = dbcopy->findInIndex(rule->getInterfaceId());
-    string iname = (rule_iface!=NULL)?rule_iface->getName():"";
+
+//    FWObject *rule_iface = dbcopy->findInIndex(rule->getInterfaceId());
+//    string iname = (rule_iface!=NULL)?rule_iface->getName():"";
 
     string dir = rule->getDirectionAsString();
 
     str << PolicyCompiler::debugPrintRule(rule) <<
-        " " << dir << " " << iname << " " << rule->getStr("acl") <<
-        " intfId=" << rule->getInterfaceId() <<
-        " intfstr=" << rule->getInterfaceStr();
+        " " << dir 
+//        << " " << iname
+        << " " << rule->getStr("acl");
+//        " intfId=" << rule->getInterfaceId() <<
+//        " intfstr=" << rule->getInterfaceStr();
     return str.str();
 }
 
@@ -449,15 +452,16 @@ bool PolicyCompiler_cisco::specialCaseWithDynInterface::dropDynamicInterface(
     PolicyRule  *rule, PolicyRule::Direction cmp_dir, RuleElement *re)
 {
     PolicyRule::Direction dir=rule->getDirection();
-    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+//    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+
+    RuleElementItf *intf_re = rule->getItf();
+    FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
 
     list<FWObject*> cl;
     for (list<FWObject*>::iterator i1=re->begin(); i1!=re->end(); ++i1) 
     {
-        FWObject *o   = *i1;
-        FWObject *obj = o;
-        if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
-        Interface  *ifs   =Interface::cast( obj );
+        FWObject *obj = FWObjectReference::getObject(*i1);
+        Interface  *ifs = Interface::cast( obj );
 
         if (ifs!=NULL && ifs->isDyn()) 
         {
@@ -585,11 +589,14 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
 bool PolicyCompiler_cisco::replaceFWinSRCInterfacePolicy::processNext()
 {
     PolicyRule *rule=getNext(); if (rule==NULL) return false;
-    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+//    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+    RuleElementItf *intf_re = rule->getItf();
+    Interface *rule_iface = Interface::cast(
+        FWObjectReference::getObject(intf_re->front()));
 
-    if (rule_iface!=NULL && rule->getDirection()==PolicyRule::Outbound)
+    if ( rule_iface!=NULL && rule->getDirection()==PolicyRule::Outbound)
     {
-        RuleElementSrc *src=rule->getSrc();
+        RuleElementSrc *src = rule->getSrc();
         
         if (compiler->getFirstSrc(rule)->getId()==compiler->fw->getId()) 
         {
@@ -605,11 +612,14 @@ bool PolicyCompiler_cisco::replaceFWinSRCInterfacePolicy::processNext()
 bool PolicyCompiler_cisco::replaceFWinDSTInterfacePolicy::processNext()
 {
     PolicyRule *rule=getNext(); if (rule==NULL) return false;
-    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+//    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+    RuleElementItf *intf_re = rule->getItf();
+    Interface *rule_iface = Interface::cast(
+        FWObjectReference::getObject(intf_re->front()));
 
-    if (rule_iface!=NULL && rule->getDirection()==PolicyRule::Inbound)
+    if ( rule_iface!=NULL && rule->getDirection()==PolicyRule::Inbound)
     {
-        RuleElementDst *dst=rule->getDst();
+        RuleElementDst *dst = rule->getDst();
 
         if (compiler->getFirstDst(rule)->getId()==compiler->fw->getId()) 
         {
@@ -630,12 +640,13 @@ bool PolicyCompiler_cisco::replaceFWinDSTPolicy::processNext()
 {
     Helper helper(compiler);
     PolicyRule *rule=getNext(); if (rule==NULL) return false;
-    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+//    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+    RuleElementItf *intf_re = rule->getItf();
 
-    if (rule_iface==NULL)
+    if (intf_re->isAny())
     {
-        RuleElementSrc *src=rule->getSrc();
-        RuleElementDst *dst=rule->getDst();
+        RuleElementSrc *src = rule->getSrc();
+        RuleElementDst *dst = rule->getDst();
 
         if (!src->isAny() && compiler->getFirstDst(rule)->getId()==compiler->fw->getId()) 
         {
diff --git a/src/cisco_lib/PolicyCompiler_cisco_acls.cpp b/src/cisco_lib/PolicyCompiler_cisco_acls.cpp
index 2a2f6dbed..a1dc61a56 100644
--- a/src/cisco_lib/PolicyCompiler_cisco_acls.cpp
+++ b/src/cisco_lib/PolicyCompiler_cisco_acls.cpp
@@ -75,13 +75,18 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionBySrc::processNext()
 
     list<int> intf_id_list;
 
-    if (rule->getInterfaceId() == -1)
+    RuleElementItf *intf_re = rule->getItf();
+
+    if (intf_re->isAny())
     {
-        bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member");
+        bool cluster_member =
+            compiler->fw->getOptionsObject()->getBool("cluster_member");
+
         Cluster *cluster = NULL;
         if (cluster_member)
             cluster = Cluster::cast(
-                compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id")));
+                compiler->dbcopy->findInIndex(
+                    compiler->fw->getInt("parent_cluster_id")));
 
         RuleElementSrc *srcre = rule->getSrc();
         RuleElementDst *dstre = rule->getDst();
@@ -108,7 +113,12 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionBySrc::processNext()
             PolicyRule *new_rule = compiler->dbcopy->createPolicyRule();
             compiler->temp_ruleset->add(new_rule);
             new_rule->duplicate(rule);
-            new_rule->setInterfaceId(intf_id);
+//            new_rule->setInterfaceId(intf_id);
+
+            RuleElementItf *itf_re = new_rule->getItf(); assert(itf_re!=NULL);
+            itf_re->reset();
+            itf_re->addRef(ifs);
+
             new_rule->setDirection(PolicyRule::Inbound);
             new_rule->setBool("interface_and_direction_set_from_src",true);
             tmp_queue.push_back(new_rule);
@@ -144,15 +154,20 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionByDst::processNext()
         return true;
     }
 
+    RuleElementItf *intf_re = rule->getItf();
+
     list<int> intf_id_list;
 
-    if (rule->getInterfaceId() == -1)
+    if (intf_re->isAny())
     {
-        bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member");
+        bool cluster_member =
+            compiler->fw->getOptionsObject()->getBool("cluster_member");
+
         Cluster *cluster = NULL;
         if (cluster_member)
             cluster = Cluster::cast(
-                compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id")));
+                compiler->dbcopy->findInIndex(
+                    compiler->fw->getInt("parent_cluster_id")));
 
         RuleElementDst *dstre = rule->getDst();
         Address *dstobj = compiler->getFirstDst(rule);
@@ -178,7 +193,13 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionByDst::processNext()
             PolicyRule *new_rule = compiler->dbcopy->createPolicyRule();
             compiler->temp_ruleset->add(new_rule);
             new_rule->duplicate(rule);
-            new_rule->setInterfaceId(intf_id);
+
+//            new_rule->setInterfaceId(intf_id);
+
+            RuleElementItf *itf_re = new_rule->getItf(); assert(itf_re!=NULL);
+            itf_re->reset();
+            itf_re->addRef(ifs);
+
             new_rule->setDirection(PolicyRule::Outbound);
             new_rule->setBool("interface_and_direction_set_from_dst",true);
             tmp_queue.push_back(new_rule);
@@ -195,7 +216,9 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionIfInterfaceSet::processNext()
 
     //RuleElementItf *itfre=rule->getItf(); 
 
-    if (rule->getInterfaceId() == -1 ||
+    RuleElementItf *intf_re = rule->getItf();
+
+    if (intf_re->isAny() ||
         rule->getBool("interface_and_direction_set_from_src") ||
         rule->getBool("interface_and_direction_set_from_dst"))
     {
@@ -205,16 +228,22 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionIfInterfaceSet::processNext()
 
     PolicyRule *new_rule;
                     
-    if ( rule->getInterfaceId() > -1 )
+    if ( ! intf_re->isAny())
     {
-        int rule_iface_id = rule->getInterfaceId();
+        FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
+        RuleElementItf *itf_re;
 
         if (rule->getDirection()==PolicyRule::Both)
         {
             new_rule =compiler->dbcopy->createPolicyRule();
             compiler->temp_ruleset->add(new_rule);
             new_rule->duplicate(rule);
-            new_rule->setInterfaceId( rule_iface_id );
+
+//            new_rule->setInterfaceId( rule_iface_id );
+            itf_re = new_rule->getItf(); assert(itf_re!=NULL);
+            itf_re->reset();
+            itf_re->addRef(rule_iface);
+
             new_rule->setDirection(PolicyRule::Inbound);
             new_rule->setBool("interface_and_direction_set",true);
             tmp_queue.push_back(new_rule);
@@ -222,7 +251,12 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionIfInterfaceSet::processNext()
             new_rule =compiler->dbcopy->createPolicyRule();
             compiler->temp_ruleset->add(new_rule);
             new_rule->duplicate(rule);
-            new_rule->setInterfaceId( rule_iface_id );
+
+//            new_rule->setInterfaceId( rule_iface_id );
+            itf_re = new_rule->getItf(); assert(itf_re!=NULL);
+            itf_re->reset();
+            itf_re->addRef(rule_iface);
+
             new_rule->setDirection(PolicyRule::Outbound);
             new_rule->setBool("interface_and_direction_set",true);
             tmp_queue.push_back(new_rule);
@@ -231,7 +265,12 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionIfInterfaceSet::processNext()
             new_rule =compiler->dbcopy->createPolicyRule();
             compiler->temp_ruleset->add(new_rule);
             new_rule->duplicate(rule);
-            new_rule->setInterfaceId( rule_iface_id );
+
+//            new_rule->setInterfaceId( rule_iface_id );
+            itf_re = new_rule->getItf(); assert(itf_re!=NULL);
+            itf_re->reset();
+            itf_re->addRef(rule_iface);
+
             // direction is copied from the original rule
             new_rule->setBool("interface_and_direction_set",true);
             tmp_queue.push_back(new_rule);
@@ -244,10 +283,15 @@ bool PolicyCompiler_cisco::pickACL::processNext()
 {
     PolicyCompiler_cisco *cisco_comp = dynamic_cast<PolicyCompiler_cisco*>(
         compiler);
-    PolicyRule *rule=getNext(); if (rule==NULL) return false;
+    PolicyRule *rule = getNext(); if (rule==NULL) return false;
     
-    Interface  *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
-                                                 rule->getInterfaceId()));
+//    Interface  *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
+//                                                 rule->getInterfaceId()));
+
+    RuleElementItf *intf_re = rule->getItf();
+    Interface *rule_iface = Interface::cast(
+        FWObjectReference::getObject(intf_re->front()));
+
     if(rule_iface==NULL)
     {
         compiler->abort(rule, "Missing interface assignment");
diff --git a/src/cisco_lib/PolicyCompiler_pix_replace_translations.cpp b/src/cisco_lib/PolicyCompiler_pix_replace_translations.cpp
index c5e5e3a04..18b8fbf24 100644
--- a/src/cisco_lib/PolicyCompiler_pix_replace_translations.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix_replace_translations.cpp
@@ -48,11 +48,6 @@ bool PolicyCompiler_pix::matchTranslatedAddresses::processNext()
 
     transformed_rules.clear();
 
-//    string rule_iface_id=rule->getInterfaceId();
-
-//    Address *src=compiler->getFirstSrc(rule);
-//    Service *srv=compiler->getFirstSrv(rule);
-
     RuleElementSrc *srcrel = rule->getSrc();
     RuleElementDst *dstrel = rule->getDst();
     RuleElementSrv *srvrel = rule->getSrv();
@@ -132,8 +127,12 @@ void PolicyCompiler_pix::replaceTranslatedAddresses::action(
     PolicyRule* policy_rule,
     NATRule* nat_rule, Address *src, Address*, Service *srv)
 {
-    FWObject *rule_iface = compiler->dbcopy->findInIndex(
-        policy_rule->getInterfaceId());
+
+//    FWObject *rule_iface = compiler->dbcopy->findInIndex(
+//        policy_rule->getInterfaceId());
+
+    RuleElementItf *intf_re = policy_rule->getItf();
+    FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
 
     RuleElement *re = nat_rule->getOSrc();
     FWObject *o = FWReference::getObject(re->front());
@@ -204,8 +203,12 @@ void PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::action(
     PolicyRule* policy_rule,
     NATRule* nat_rule, Address*, Address *dst, Service*)
 {
-    FWObject *rule_iface = compiler->dbcopy->findInIndex(
-        policy_rule->getInterfaceId());
+//    FWObject *rule_iface = compiler->dbcopy->findInIndex(
+//        policy_rule->getInterfaceId());
+
+    RuleElementItf *intf_re = policy_rule->getItf();
+    FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
+
     string version = compiler->fw->getStr("version");
 
     RuleElement *re;
diff --git a/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp b/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp
index 13c8af9c6..a30d30862 100644
--- a/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp
@@ -67,24 +67,26 @@ using namespace libfwbuilder;
 using namespace fwcompiler;
 using namespace std;
 
+
 bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
 {
-    PolicyRule *rule=getNext(); if (rule==NULL) return false;
+    PolicyRule *rule = getNext(); if (rule==NULL) return false;
 
     tmp_queue.push_back(rule);
 
     bool icmp_cmd = rule->getBool("icmp_cmd");
     bool ssh_telnet_cmd = rule->getBool("ssh_telnet_cmd");
 
-    int interface_id = rule->getInterfaceId();
+//    int interface_id = rule->getInterfaceId();
+    RuleElementItf *intf_re = rule->getItf();
 
     if (rule->getDirection()==PolicyRule::Undefined) 
         rule->setDirection( PolicyRule::Both );
 
-    if (interface_id==-1 && rule->getDirection()==PolicyRule::Both)
+    if (intf_re->isAny() && rule->getDirection()==PolicyRule::Both)
         return true;
 
-    if (interface_id==-1 && !icmp_cmd && !ssh_telnet_cmd && (
+    if (intf_re->isAny() && !icmp_cmd && !ssh_telnet_cmd && (
             rule->getDirection()==PolicyRule::Inbound ||
             rule->getDirection()==PolicyRule::Outbound)
     ) compiler->abort(rule, "Direction set without interface");
@@ -106,12 +108,13 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
  */
 bool PolicyCompiler_pix::SplitDirection_v6::processNext()
 {
-    PolicyRule *rule=getNext(); if (rule==NULL) return false;
-    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+    PolicyRule *rule = getNext(); if (rule==NULL) return false;
+//    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+    RuleElementItf *intf_re = rule->getItf();
 
     if (rule->getDirection()==PolicyRule::Both)
     {
-        if (rule_iface!=NULL)
+        if ( ! intf_re->isAny())
         {
             PolicyRule *r= compiler->dbcopy->createPolicyRule();
             compiler->temp_ruleset->add(r);
@@ -176,9 +179,11 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
 {
     Helper helper(compiler);
     PolicyRule *rule = getNext(); if (rule==NULL) return false;
-    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+//    FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
+    RuleElementItf *intf_re = rule->getItf();
+    FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
 
-    if (rule->getDirection()==PolicyRule::Outbound && rule_iface!=NULL)
+    if (rule->getDirection()==PolicyRule::Outbound && ! intf_re->isAny())
     {
         if ( compiler->fw->getOptionsObject()->getBool("pix_emulate_out_acl") )
         {
@@ -196,7 +201,7 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
  * network zone is the same as the one this rule is assigned to, but
  * direction is Outbound - drop this rule 
  */
-                    if (iface1_id==rule->getInterfaceId())
+                    if (iface1_id == rule_iface->getId())
                     {
                         compiler->warning(rule, 
                             "Rule with direction 'Outbound' was suppressed "
@@ -206,7 +211,10 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
                         return true;
                     }
 
-                    rule->setInterfaceId(iface1_id);
+//                    rule->setInterfaceId(iface1_id);
+                    intf_re->reset();
+                    intf_re->addRef(compiler->dbcopy->findInIndex(iface1_id));
+
                     rule->setDirection(PolicyRule::Inbound);
                     tmp_queue.push_back(rule);
                 } else
@@ -215,16 +223,21 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
                     iface2_id = helper.findInterfaceByNetzone(
                         compiler->getFirstDst(rule) );
 
-                    list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
+                    list<FWObject*> l2 = compiler->fw->getByTypeDeep(
+                        Interface::TYPENAME);
                     for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
                     {
                         if ( (*i)->getId()==iface2_id ) continue;
 
-                        PolicyRule *r= compiler->dbcopy->createPolicyRule();
+                        PolicyRule *r = compiler->dbcopy->createPolicyRule();
                         compiler->temp_ruleset->add(r);
 
                         r->duplicate(rule);
-                        r->setInterfaceId((*i)->getId());
+//                        r->setInterfaceId((*i)->getId());
+                        RuleElementItf *itf_re = r->getItf(); assert(itf_re!=NULL);
+                        itf_re->reset();
+                        itf_re->addRef(*i);
+
                         rule->setDirection(PolicyRule::Inbound);
 
                         tmp_queue.push_back(r);
@@ -283,21 +296,27 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
  */
 bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
 {
-    PolicyRule *rule=getNext(); if (rule==NULL) return false;
+    PolicyRule *rule = getNext(); if (rule==NULL) return false;
     Helper helper(compiler);
 
-    RuleElementSrc *src=rule->getSrc();    assert(src);
-    RuleElementDst *dst=rule->getDst();    assert(dst);
+    RuleElementSrc *src = rule->getSrc();    assert(src);
+    RuleElementDst *dst = rule->getDst();    assert(dst);
 
-    if (rule->getInterfaceId()==-1) 
+    RuleElementItf *intf_re = rule->getItf();
+//    FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
+
+    if (intf_re->isAny())
     {
         try
         {
             if (! src->isAny() )
             {
-                Address *a=compiler->getFirstSrc(rule);
+                Address *a = compiler->getFirstSrc(rule);
                 int iface1_id = helper.findInterfaceByNetzone(a);
-                rule->setInterfaceId(iface1_id);
+//                rule->setInterfaceId(iface1_id);
+                intf_re->reset();
+                intf_re->addRef(compiler->dbcopy->findInIndex(iface1_id));
+
                 tmp_queue.push_back(rule);
             } else
             {
@@ -305,7 +324,10 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
                 if ( ! dst->isAny() && compiler->complexMatch(a,compiler->fw))
                 {
                     int iface2_id = helper.findInterfaceByNetzone( a );
-                    rule->setInterfaceId(iface2_id);
+//                    rule->setInterfaceId(iface2_id);
+                    intf_re->reset();
+                    intf_re->addRef(compiler->dbcopy->findInIndex(iface2_id));
+
                     rule->setStr("direction","Inbound");
                     tmp_queue.push_back(rule);
                     return true;
@@ -316,13 +338,18 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
                 {
                     Interface *intf = Interface::cast(*i);
                     if (intf->isUnprotected()) continue;
-                    if (intf->getOptionsObject()->getBool("cluster_interface")) continue;
+                    if (intf->getOptionsObject()->getBool("cluster_interface"))
+                        continue;
 
                     PolicyRule *r = compiler->dbcopy->createPolicyRule();
                     compiler->temp_ruleset->add(r);
 
                     r->duplicate(rule);
-                    r->setInterfaceId(intf->getId());
+//                    r->setInterfaceId(intf->getId());
+                    RuleElementItf *itf_re = r->getItf(); assert(itf_re!=NULL);
+                    itf_re->reset();
+                    itf_re->addRef(intf);
+
                     r->setStr("direction","Inbound");
 
                     tmp_queue.push_back(r);
@@ -351,13 +378,18 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
  */
 bool PolicyCompiler_pix::pickACL_v6::processNext()
 {
-    PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
-    PolicyRule *rule=getNext(); if (rule==NULL) return false;
-    Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
-    if(rule_iface==NULL)
+    PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
+    PolicyRule *rule = getNext(); if (rule==NULL) return false;
+//    Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
+
+    RuleElementItf *intf_re = rule->getItf();
+    Interface *rule_iface = Interface::cast(
+        FWObjectReference::getObject(intf_re->front()));
+
+    if (intf_re->isAny() || rule_iface==NULL)
         compiler->abort(rule, "Missing interface assignment");
 
-    string acl_name= rule_iface->getLabel() + "_acl_in";
+    string acl_name = rule_iface->getLabel() + "_acl_in";
     rule->setStr("acl", acl_name);
 
     ciscoACL *acl = new ciscoACL(acl_name, rule_iface, "in");
diff --git a/src/cisco_lib/PolicyCompiler_pix_writers.cpp b/src/cisco_lib/PolicyCompiler_pix_writers.cpp
index 7e4d90a7d..02c84058d 100644
--- a/src/cisco_lib/PolicyCompiler_pix_writers.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix_writers.cpp
@@ -272,8 +272,13 @@ string PolicyCompiler_pix::PrintRule::_printICMPCommand(PolicyRule *rule)
     FWObject *srv = srvrel->front();
     if (FWReference::cast(srv)!=NULL) srv = FWReference::cast(srv)->getPointer();
 
-    Interface *rule_iface =
-        Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
+    // Interface *rule_iface =
+    //     Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
+
+    RuleElementItf *intf_re = rule->getItf();
+    Interface *rule_iface = Interface::cast(
+        FWObjectReference::getObject(intf_re->front()));
+
     assert(rule_iface);
 
     if (PIXObjectGroup::cast(srv)!=NULL)
@@ -314,18 +319,20 @@ string PolicyCompiler_pix::PrintRule::_printICMPCommand(PolicyRule *rule)
 
 string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule)
 {
-//    Helper helper(this);
-
     ostringstream  str;
     int port;
 
-    RuleElementSrc *rel=rule->getSrc();
-    Service        *srv=compiler->getFirstSrv(rule);
+    RuleElementSrc *rel = rule->getSrc();
+    Service *srv = compiler->getFirstSrv(rule);
 
-    Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
+//    Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
+
+    RuleElementItf *intf_re = rule->getItf();
+    Interface *rule_iface = Interface::cast(
+        FWObjectReference::getObject(intf_re->front()));
     assert(rule_iface);
     
-    port=TCPUDPService::cast(srv)->getDstRangeStart();
+    port = TCPUDPService::cast(srv)->getDstRangeStart();
 
     for (FWObject::iterator i=rel->begin(); i!=rel->end(); ++i)
     {
diff --git a/test/procurve_acl/objects-for-regression-tests.fwb b/test/procurve_acl/objects-for-regression-tests.fwb
index 98aca81f7..449157a27 100644
--- a/test/procurve_acl/objects-for-regression-tests.fwb
+++ b/test/procurve_acl/objects-for-regression-tests.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1273676680" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1273676680" id="root">
   <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
     <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
     <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -51,9 +51,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr">false</Option>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
@@ -69,9 +69,9 @@
             <PolicyInstallScript arguments="" command="" enabled="False"/>
           </Management>
           <HostOptions>
-            <Option name="snmp_contact"></Option>
-            <Option name="snmp_description"></Option>
-            <Option name="snmp_location"></Option>
+            <Option name="snmp_contact"/>
+            <Option name="snmp_description"/>
+            <Option name="snmp_location"/>
             <Option name="use_mac_addr">false</Option>
             <Option name="use_mac_addr_filter">False</Option>
           </HostOptions>
@@ -100,17 +100,17 @@
     </ObjectGroup>
     <ServiceGroup id="stdid05" name="Services" comment="" ro="False">
       <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
-        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+        <CustomServiceCommand platform="Undefined"/>
         <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfilter"/>
         <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
         <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
         <CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
       </CustomService>
       <CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
-        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+        <CustomServiceCommand platform="Undefined"/>
         <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfilter"/>
         <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
         <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
         <CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
@@ -352,54 +352,54 @@
       </ServiceGroup>
       <ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
         <CustomService id="id3B64EEA8" name="rpc" comment="works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
-          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfilter"/>
+          <CustomServiceCommand platform="ipfw"/>
           <CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
-          <CustomServiceCommand platform="pf"></CustomServiceCommand>
-          <CustomServiceCommand platform="pix"></CustomServiceCommand>
-          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
         </CustomService>
         <CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection tracker, supports DCC.&#10;Works on iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/&#10;" ro="False" protocol="any" address_family="ipv4">
-          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfilter"/>
+          <CustomServiceCommand platform="ipfw"/>
           <CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
-          <CustomServiceCommand platform="pf"></CustomServiceCommand>
-          <CustomServiceCommand platform="pix"></CustomServiceCommand>
-          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
         </CustomService>
         <CustomService id="id3B64EF50" name="psd" comment="Port scan detector, works only on iptables and  requires patch-o-matic &#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
-          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfilter"/>
+          <CustomServiceCommand platform="ipfw"/>
           <CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
-          <CustomServiceCommand platform="pf"></CustomServiceCommand>
-          <CustomServiceCommand platform="pix"></CustomServiceCommand>
-          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
         </CustomService>
         <CustomService id="id3B64EF52" name="string" comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
-          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfilter"/>
+          <CustomServiceCommand platform="ipfw"/>
           <CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
-          <CustomServiceCommand platform="pf"></CustomServiceCommand>
-          <CustomServiceCommand platform="pix"></CustomServiceCommand>
-          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
         </CustomService>
         <CustomService id="id3B64EF54" name="talk" comment="Talk protocol support. Works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
-          <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="Undefined"/>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfilter"/>
+          <CustomServiceCommand platform="ipfw"/>
           <CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
-          <CustomServiceCommand platform="pf"></CustomServiceCommand>
-          <CustomServiceCommand platform="pix"></CustomServiceCommand>
-          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
         </CustomService>
       </ServiceGroup>
       <ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
@@ -566,34 +566,34 @@
       <ServiceGroup id="id4511637123682" name="UDP" comment="" ro="False"/>
       <ServiceGroup id="id4511637223682" name="Custom" comment="" ro="False">
         <CustomService id="id4226X64279" name="dscp af11" comment="" ro="False" protocol="tcp" address_family="ipv4">
-          <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
+          <CustomServiceCommand platform="fwsm"/>
           <CustomServiceCommand platform="iosacl">dscp af11</CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
-          <CustomServiceCommand platform="iptables"></CustomServiceCommand>
-          <CustomServiceCommand platform="pf"></CustomServiceCommand>
-          <CustomServiceCommand platform="pix"></CustomServiceCommand>
-          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables"/>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
         </CustomService>
         <CustomService id="id8888X64279" name="esp dscp af12" comment="" ro="False" protocol="50" address_family="ipv4">
-          <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
+          <CustomServiceCommand platform="fwsm"/>
           <CustomServiceCommand platform="iosacl">dscp af12</CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
-          <CustomServiceCommand platform="iptables"></CustomServiceCommand>
-          <CustomServiceCommand platform="pf"></CustomServiceCommand>
-          <CustomServiceCommand platform="pix"></CustomServiceCommand>
-          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables"/>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
         </CustomService>
         <CustomService id="id26068X65694" name="esp dscp af11 ipv6" comment="" ro="False" protocol="50" address_family="ipv6">
-          <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
+          <CustomServiceCommand platform="fwsm"/>
           <CustomServiceCommand platform="iosacl">dscp af11</CustomServiceCommand>
-          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
-          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
-          <CustomServiceCommand platform="iptables"></CustomServiceCommand>
-          <CustomServiceCommand platform="pf"></CustomServiceCommand>
-          <CustomServiceCommand platform="pix"></CustomServiceCommand>
-          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipf"/>
+          <CustomServiceCommand platform="ipfw"/>
+          <CustomServiceCommand platform="iptables"/>
+          <CustomServiceCommand platform="pf"/>
+          <CustomServiceCommand platform="pix"/>
+          <CustomServiceCommand platform="unknown"/>
         </CustomService>
       </ServiceGroup>
       <ServiceGroup id="id4511637323682" name="TagServices" comment="" ro="False"/>
@@ -1174,10 +1174,10 @@
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">true</Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">False</Option>
-          <Option name="compiler"></Option>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">true</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="filesystem">/etc</Option>
@@ -1206,8 +1206,8 @@
           <Option name="iosacl_logging_trap_level">3</Option>
           <Option name="iosacl_prolog_script">! This is prolog</Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"></Option>
-          <Option name="iosacl_syslog_host"></Option>
+          <Option name="iosacl_syslog_facility"/>
+          <Option name="iosacl_syslog_host"/>
           <Option name="iosacl_use_acl_remarks">False</Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
           <Option name="limit_value">0</Option>
@@ -1222,7 +1222,7 @@
           <Option name="mgmt_addr">10.10.11.10</Option>
           <Option name="mgmt_ssh">True</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"></Option>
+          <Option name="output_file"/>
           <Option name="pass_all_out">false</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
@@ -1244,10 +1244,10 @@
           <Option name="procurve_acl_acl_basic">True</Option>
           <Option name="procurve_acl_acl_no_clear">False</Option>
           <Option name="procurve_acl_acl_substitution">False</Option>
-          <Option name="procurve_acl_acl_temp_addr"></Option>
+          <Option name="procurve_acl_acl_temp_addr"/>
           <Option name="procurve_acl_add_clear_statements">true</Option>
           <Option name="procurve_acl_assume_fw_part_of_any">true</Option>
-          <Option name="procurve_acl_epilog_script"></Option>
+          <Option name="procurve_acl_epilog_script"/>
           <Option name="procurve_acl_generate_logging_commands">False</Option>
           <Option name="procurve_acl_include_comments">true</Option>
           <Option name="procurve_acl_logging_buffered">False</Option>
@@ -1256,14 +1256,14 @@
           <Option name="procurve_acl_logging_console_level">2</Option>
           <Option name="procurve_acl_logging_timestamp">False</Option>
           <Option name="procurve_acl_logging_trap_level">2</Option>
-          <Option name="procurve_acl_prolog_script"></Option>
-          <Option name="procurve_acl_syslog_facility"></Option>
-          <Option name="procurve_acl_syslog_host"></Option>
+          <Option name="procurve_acl_prolog_script"/>
+          <Option name="procurve_acl_syslog_facility"/>
+          <Option name="procurve_acl_syslog_host"/>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"></Option>
+          <Option name="scpArgs"/>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"></Option>
+          <Option name="sshArgs"/>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="use_scp">False</Option>
           <Option name="verify_interfaces">true</Option>
@@ -1621,34 +1621,34 @@
         <FirewallOptions>
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
-          <Option name="action_on_reject"></Option>
-          <Option name="activationCmd"></Option>
+          <Option name="action_on_reject"/>
+          <Option name="activationCmd"/>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
           <Option name="classify_mark_terminating">False</Option>
           <Option name="cmdline">-xt</Option>
-          <Option name="compiler"></Option>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="drop_invalid">False</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="enable_ipv6">True</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="freebsd_ip_forward">1</Option>
-          <Option name="freebsd_ip_redirect"></Option>
-          <Option name="freebsd_ip_sourceroute"></Option>
+          <Option name="freebsd_ip_redirect"/>
+          <Option name="freebsd_ip_sourceroute"/>
           <Option name="freebsd_ipv6_forward">1</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipfw"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipfw"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
           <Option name="iosacl_acl_basic">False</Option>
@@ -1657,7 +1657,7 @@
           <Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb</Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"></Option>
+          <Option name="iosacl_epilog_script"/>
           <Option name="iosacl_generate_logging_commands">False</Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
@@ -1666,13 +1666,13 @@
           <Option name="iosacl_logging_console_level">0</Option>
           <Option name="iosacl_logging_timestamp">False</Option>
           <Option name="iosacl_logging_trap_level">0</Option>
-          <Option name="iosacl_prolog_script"></Option>
+          <Option name="iosacl_prolog_script"/>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"></Option>
-          <Option name="iosacl_syslog_host"></Option>
-          <Option name="ipt_mangle_only_rulesets"></Option>
+          <Option name="iosacl_syslog_facility"/>
+          <Option name="iosacl_syslog_host"/>
+          <Option name="ipt_mangle_only_rulesets"/>
           <Option name="ipv4_6_order">ipv4_first</Option>
-          <Option name="limit_suffix"></Option>
+          <Option name="limit_suffix"/>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
           <Option name="load_modules">True</Option>
@@ -1687,18 +1687,18 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_ipv6_default_policy">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"></Option>
+          <Option name="openbsd_ip_directed_broadcast"/>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"></Option>
-          <Option name="openbsd_ip_sourceroute"></Option>
+          <Option name="openbsd_ip_redirect"/>
+          <Option name="openbsd_ip_sourceroute"/>
           <Option name="openbsd_ipv6_forward">1</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -1717,7 +1717,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -1769,12 +1769,12 @@
           <Option name="pix_syslog_device_id_supported">false</Option>
           <Option name="pix_use_acl_remarks">true</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"></Option>
+          <Option name="scpArgs"/>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"></Option>
+          <Option name="sshArgs"/>
           <Option name="ulog_cprange">0</Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="ulog_qthreshold">1</Option>
@@ -2136,34 +2136,34 @@
         <FirewallOptions>
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
-          <Option name="action_on_reject"></Option>
-          <Option name="activationCmd"></Option>
+          <Option name="action_on_reject"/>
+          <Option name="activationCmd"/>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
           <Option name="classify_mark_terminating">False</Option>
           <Option name="cmdline">-xt</Option>
-          <Option name="compiler"></Option>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="drop_invalid">False</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="enable_ipv6">True</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="freebsd_ip_forward">1</Option>
-          <Option name="freebsd_ip_redirect"></Option>
-          <Option name="freebsd_ip_sourceroute"></Option>
+          <Option name="freebsd_ip_redirect"/>
+          <Option name="freebsd_ip_sourceroute"/>
           <Option name="freebsd_ipv6_forward">1</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipfw"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipfw"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
           <Option name="iosacl_acl_basic">False</Option>
@@ -2172,7 +2172,7 @@
           <Option name="iosacl_acl_temp_addr">1.1.1.0/24</Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"></Option>
+          <Option name="iosacl_epilog_script"/>
           <Option name="iosacl_generate_logging_commands">False</Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
@@ -2181,13 +2181,13 @@
           <Option name="iosacl_logging_console_level">2</Option>
           <Option name="iosacl_logging_timestamp">False</Option>
           <Option name="iosacl_logging_trap_level">2</Option>
-          <Option name="iosacl_prolog_script"></Option>
+          <Option name="iosacl_prolog_script"/>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"></Option>
-          <Option name="iosacl_syslog_host"></Option>
-          <Option name="ipt_mangle_only_rulesets"></Option>
+          <Option name="iosacl_syslog_facility"/>
+          <Option name="iosacl_syslog_host"/>
+          <Option name="ipt_mangle_only_rulesets"/>
           <Option name="ipv4_6_order">ipv4_first</Option>
-          <Option name="limit_suffix"></Option>
+          <Option name="limit_suffix"/>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
           <Option name="load_modules">True</Option>
@@ -2206,14 +2206,14 @@
           <Option name="mgmt_ssh">True</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_ipv6_default_policy">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"></Option>
+          <Option name="openbsd_ip_directed_broadcast"/>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"></Option>
-          <Option name="openbsd_ip_sourceroute"></Option>
+          <Option name="openbsd_ip_redirect"/>
+          <Option name="openbsd_ip_sourceroute"/>
           <Option name="openbsd_ipv6_forward">1</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -2232,7 +2232,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -2284,12 +2284,12 @@
           <Option name="pix_syslog_device_id_supported">false</Option>
           <Option name="pix_use_acl_remarks">true</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"></Option>
+          <Option name="scpArgs"/>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"></Option>
+          <Option name="sshArgs"/>
           <Option name="ulog_cprange">0</Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="ulog_qthreshold">1</Option>
@@ -2430,34 +2430,34 @@
         <FirewallOptions>
           <Option name="accept_established">True</Option>
           <Option name="accept_new_tcp_with_no_syn">True</Option>
-          <Option name="action_on_reject"></Option>
-          <Option name="activationCmd"></Option>
+          <Option name="action_on_reject"/>
+          <Option name="activationCmd"/>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">True</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
           <Option name="classify_mark_terminating">False</Option>
           <Option name="cmdline">-xt</Option>
-          <Option name="compiler"></Option>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">True</Option>
           <Option name="debug">False</Option>
           <Option name="drop_invalid">False</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="enable_ipv6">True</Option>
-          <Option name="epilog_script"></Option>
+          <Option name="epilog_script"/>
           <Option name="fallback_log">False</Option>
           <Option name="firewall_dir">/etc</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
           <Option name="freebsd_ip_forward">1</Option>
-          <Option name="freebsd_ip_redirect"></Option>
-          <Option name="freebsd_ip_sourceroute"></Option>
+          <Option name="freebsd_ip_redirect"/>
+          <Option name="freebsd_ip_sourceroute"/>
           <Option name="freebsd_ipv6_forward">1</Option>
-          <Option name="freebsd_path_ipf"></Option>
-          <Option name="freebsd_path_ipfw"></Option>
-          <Option name="freebsd_path_ipnat"></Option>
-          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="freebsd_path_ipf"/>
+          <Option name="freebsd_path_ipfw"/>
+          <Option name="freebsd_path_ipnat"/>
+          <Option name="freebsd_path_sysctl"/>
           <Option name="ignore_empty_groups">False</Option>
           <Option name="in_out_code">True</Option>
           <Option name="iosacl_acl_basic">False</Option>
@@ -2466,7 +2466,7 @@
           <Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb/64</Option>
           <Option name="iosacl_add_clear_statements">true</Option>
           <Option name="iosacl_assume_fw_part_of_any">true</Option>
-          <Option name="iosacl_epilog_script"></Option>
+          <Option name="iosacl_epilog_script"/>
           <Option name="iosacl_generate_logging_commands">False</Option>
           <Option name="iosacl_include_comments">True</Option>
           <Option name="iosacl_logging_buffered">False</Option>
@@ -2475,13 +2475,13 @@
           <Option name="iosacl_logging_console_level">1</Option>
           <Option name="iosacl_logging_timestamp">False</Option>
           <Option name="iosacl_logging_trap_level">1</Option>
-          <Option name="iosacl_prolog_script"></Option>
+          <Option name="iosacl_prolog_script"/>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"></Option>
-          <Option name="iosacl_syslog_host"></Option>
-          <Option name="ipt_mangle_only_rulesets"></Option>
+          <Option name="iosacl_syslog_facility"/>
+          <Option name="iosacl_syslog_host"/>
+          <Option name="ipt_mangle_only_rulesets"/>
           <Option name="ipv4_6_order">ipv4_first</Option>
-          <Option name="limit_suffix"></Option>
+          <Option name="limit_suffix"/>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">1</Option>
           <Option name="load_modules">True</Option>
@@ -2496,18 +2496,18 @@
           <Option name="loopback_interface">lo0</Option>
           <Option name="macosx_ip_forward">1</Option>
           <Option name="manage_virtual_addr">True</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr"/>
           <Option name="mgmt_ssh">False</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_ipv6_default_policy">False</Option>
-          <Option name="openbsd_ip_directed_broadcast"></Option>
+          <Option name="openbsd_ip_directed_broadcast"/>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="openbsd_ip_redirect"></Option>
-          <Option name="openbsd_ip_sourceroute"></Option>
+          <Option name="openbsd_ip_redirect"/>
+          <Option name="openbsd_ip_sourceroute"/>
           <Option name="openbsd_ipv6_forward">1</Option>
-          <Option name="openbsd_path_pfctl"></Option>
-          <Option name="openbsd_path_sysctl"></Option>
-          <Option name="output_file"></Option>
+          <Option name="openbsd_path_pfctl"/>
+          <Option name="openbsd_path_sysctl"/>
+          <Option name="output_file"/>
           <Option name="pass_all_out">False</Option>
           <Option name="pf_adaptive_end">0</Option>
           <Option name="pf_adaptive_start">0</Option>
@@ -2526,7 +2526,7 @@
           <Option name="pf_limit_states">10000</Option>
           <Option name="pf_limit_table_entries">0</Option>
           <Option name="pf_limit_tables">0</Option>
-          <Option name="pf_optimization"></Option>
+          <Option name="pf_optimization"/>
           <Option name="pf_other_first">0</Option>
           <Option name="pf_other_multiple">0</Option>
           <Option name="pf_other_single">0</Option>
@@ -2578,12 +2578,12 @@
           <Option name="pix_syslog_device_id_supported">false</Option>
           <Option name="pix_use_acl_remarks">true</Option>
           <Option name="prolog_place">fw_file</Option>
-          <Option name="prolog_script"></Option>
+          <Option name="prolog_script"/>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"></Option>
+          <Option name="scpArgs"/>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"></Option>
+          <Option name="sshArgs"/>
           <Option name="ulog_cprange">0</Option>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="ulog_qthreshold">1</Option>
@@ -3106,10 +3106,10 @@
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">true</Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">False</Option>
-          <Option name="compiler"></Option>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">true</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="filesystem">/etc</Option>
@@ -3138,8 +3138,8 @@
           <Option name="iosacl_logging_trap_level">3</Option>
           <Option name="iosacl_prolog_script">! This is prolog</Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"></Option>
-          <Option name="iosacl_syslog_host"></Option>
+          <Option name="iosacl_syslog_facility"/>
+          <Option name="iosacl_syslog_host"/>
           <Option name="iosacl_use_acl_remarks">False</Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
           <Option name="limit_value">0</Option>
@@ -3154,7 +3154,7 @@
           <Option name="mgmt_addr">10.10.11.10</Option>
           <Option name="mgmt_ssh">True</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"></Option>
+          <Option name="output_file"/>
           <Option name="pass_all_out">false</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
@@ -3176,10 +3176,10 @@
           <Option name="procurve_acl_acl_basic">False</Option>
           <Option name="procurve_acl_acl_no_clear">True</Option>
           <Option name="procurve_acl_acl_substitution">False</Option>
-          <Option name="procurve_acl_acl_temp_addr"></Option>
+          <Option name="procurve_acl_acl_temp_addr"/>
           <Option name="procurve_acl_add_clear_statements">true</Option>
           <Option name="procurve_acl_assume_fw_part_of_any">true</Option>
-          <Option name="procurve_acl_epilog_script"></Option>
+          <Option name="procurve_acl_epilog_script"/>
           <Option name="procurve_acl_generate_logging_commands">False</Option>
           <Option name="procurve_acl_include_comments">False</Option>
           <Option name="procurve_acl_logging_buffered">False</Option>
@@ -3188,15 +3188,15 @@
           <Option name="procurve_acl_logging_console_level">4</Option>
           <Option name="procurve_acl_logging_timestamp">False</Option>
           <Option name="procurve_acl_logging_trap_level">4</Option>
-          <Option name="procurve_acl_prolog_script"></Option>
-          <Option name="procurve_acl_syslog_facility"></Option>
-          <Option name="procurve_acl_syslog_host"></Option>
+          <Option name="procurve_acl_prolog_script"/>
+          <Option name="procurve_acl_syslog_facility"/>
+          <Option name="procurve_acl_syslog_host"/>
           <Option name="procurve_acl_use_acl_remarks">False</Option>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"></Option>
+          <Option name="scpArgs"/>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"></Option>
+          <Option name="sshArgs"/>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="use_scp">False</Option>
           <Option name="verify_interfaces">true</Option>
@@ -3715,14 +3715,14 @@
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">true</Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">False</Option>
-          <Option name="compiler"></Option>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">true</Option>
           <Option name="eliminate_duplicates">true</Option>
-          <Option name="filesystem"></Option>
-          <Option name="firewall_dir"></Option>
+          <Option name="filesystem"/>
+          <Option name="firewall_dir"/>
           <Option name="firewall_is_part_of_any_and_networks">true</Option>
           <Option name="freebsd_ip_forward">1</Option>
           <Option name="ignore_empty_groups">False</Option>
@@ -3747,8 +3747,8 @@
           <Option name="iosacl_logging_trap_level">3</Option>
           <Option name="iosacl_prolog_script">! This is prolog</Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"></Option>
-          <Option name="iosacl_syslog_host"></Option>
+          <Option name="iosacl_syslog_facility"/>
+          <Option name="iosacl_syslog_host"/>
           <Option name="iosacl_use_acl_remarks">False</Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
           <Option name="limit_value">0</Option>
@@ -3763,7 +3763,7 @@
           <Option name="mgmt_addr">10.10.11.10</Option>
           <Option name="mgmt_ssh">True</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"></Option>
+          <Option name="output_file"/>
           <Option name="pass_all_out">false</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
@@ -3788,7 +3788,7 @@
           <Option name="procurve_acl_acl_temp_addr">10.10.11.10</Option>
           <Option name="procurve_acl_add_clear_statements">true</Option>
           <Option name="procurve_acl_assume_fw_part_of_any">true</Option>
-          <Option name="procurve_acl_epilog_script"></Option>
+          <Option name="procurve_acl_epilog_script"/>
           <Option name="procurve_acl_generate_logging_commands">False</Option>
           <Option name="procurve_acl_include_comments">True</Option>
           <Option name="procurve_acl_logging_buffered">False</Option>
@@ -3797,15 +3797,15 @@
           <Option name="procurve_acl_logging_console_level">6</Option>
           <Option name="procurve_acl_logging_timestamp">False</Option>
           <Option name="procurve_acl_logging_trap_level">6</Option>
-          <Option name="procurve_acl_prolog_script"></Option>
-          <Option name="procurve_acl_syslog_facility"></Option>
-          <Option name="procurve_acl_syslog_host"></Option>
+          <Option name="procurve_acl_prolog_script"/>
+          <Option name="procurve_acl_syslog_facility"/>
+          <Option name="procurve_acl_syslog_host"/>
           <Option name="procurve_acl_use_acl_remarks">False</Option>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"></Option>
+          <Option name="scpArgs"/>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"></Option>
+          <Option name="sshArgs"/>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="use_scp">True</Option>
           <Option name="verify_interfaces">true</Option>
@@ -4330,10 +4330,10 @@
           <Option name="accept_established">true</Option>
           <Option name="accept_new_tcp_with_no_syn">true</Option>
           <Option name="add_check_state_rule">true</Option>
-          <Option name="admUser"></Option>
-          <Option name="altAddress"></Option>
+          <Option name="admUser"/>
+          <Option name="altAddress"/>
           <Option name="check_shading">False</Option>
-          <Option name="compiler"></Option>
+          <Option name="compiler"/>
           <Option name="configure_interfaces">true</Option>
           <Option name="eliminate_duplicates">true</Option>
           <Option name="filesystem">/etc</Option>
@@ -4362,8 +4362,8 @@
           <Option name="iosacl_logging_trap_level">3</Option>
           <Option name="iosacl_prolog_script">! This is prolog</Option>
           <Option name="iosacl_regroup_commands">False</Option>
-          <Option name="iosacl_syslog_facility"></Option>
-          <Option name="iosacl_syslog_host"></Option>
+          <Option name="iosacl_syslog_facility"/>
+          <Option name="iosacl_syslog_host"/>
           <Option name="iosacl_use_acl_remarks">False</Option>
           <Option name="ipv4_6_order">ipv4_first</Option>
           <Option name="limit_value">0</Option>
@@ -4378,7 +4378,7 @@
           <Option name="mgmt_addr">10.10.11.10</Option>
           <Option name="mgmt_ssh">True</Option>
           <Option name="openbsd_ip_forward">1</Option>
-          <Option name="output_file"></Option>
+          <Option name="output_file"/>
           <Option name="pass_all_out">false</Option>
           <Option name="pf_limit_frags">5000</Option>
           <Option name="pf_limit_states">10000</Option>
@@ -4403,7 +4403,7 @@
           <Option name="procurve_acl_acl_temp_addr">10.10.11.10</Option>
           <Option name="procurve_acl_add_clear_statements">true</Option>
           <Option name="procurve_acl_assume_fw_part_of_any">true</Option>
-          <Option name="procurve_acl_epilog_script"></Option>
+          <Option name="procurve_acl_epilog_script"/>
           <Option name="procurve_acl_generate_logging_commands">False</Option>
           <Option name="procurve_acl_include_comments">True</Option>
           <Option name="procurve_acl_logging_buffered">False</Option>
@@ -4412,15 +4412,15 @@
           <Option name="procurve_acl_logging_console_level">5</Option>
           <Option name="procurve_acl_logging_timestamp">False</Option>
           <Option name="procurve_acl_logging_trap_level">5</Option>
-          <Option name="procurve_acl_prolog_script"></Option>
-          <Option name="procurve_acl_syslog_facility"></Option>
-          <Option name="procurve_acl_syslog_host"></Option>
+          <Option name="procurve_acl_prolog_script"/>
+          <Option name="procurve_acl_syslog_facility"/>
+          <Option name="procurve_acl_syslog_host"/>
           <Option name="procurve_acl_use_acl_remarks">True</Option>
           <Option name="prompt1">$ </Option>
           <Option name="prompt2"> # </Option>
-          <Option name="scpArgs"></Option>
+          <Option name="scpArgs"/>
           <Option name="solaris_ip_forward">1</Option>
-          <Option name="sshArgs"></Option>
+          <Option name="sshArgs"/>
           <Option name="ulog_nlgroup">1</Option>
           <Option name="use_scp">False</Option>
           <Option name="verify_interfaces">true</Option>