xref: /freebsd-src/share/examples/ipfilter/BNF (revision 41edb306f05651fcaf6c74f9e3557f59f80292e1) 
1*41edb306SCy Schubertfilter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
2*41edb306SCy Schubert	      [ proto ] [ ip ] [ group ] [ tag ] [ pps ] .
3*41edb306SCy Schubert
4*41edb306SCy Schubertinsert	= "@" decnumber .
5*41edb306SCy Schubertaction	= block | "pass" | log | "count" | auth | call .
6*41edb306SCy Schubertin-out	= "in" | "out" .
7*41edb306SCy Schubertoptions	= [ log ] [ "quick" ] [ onif [ dup ] [ froute ] ] .
8*41edb306SCy Schuberttos	= "tos" decnumber | "tos" hexnumber .
9*41edb306SCy Schubertttl	= "ttl" decnumber .
10*41edb306SCy Schubertproto	= "proto" protocol .
11*41edb306SCy Schubertip	= srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
12*41edb306SCy Schubertgroup	= [ "head" decnumber ] [ "group" decnumber ] .
13*41edb306SCy Schubertpps	= "pps" decnumber .
14*41edb306SCy Schubert
15*41edb306SCy Schubertonif	= "on" interface-name [ "out-via" interface-name ] .
16*41edb306SCy Schubertblock	= "block" [ return-icmp[return-code] | "return-rst" ] .
17*41edb306SCy Schubertauth	= "auth" | "preauth" .
18*41edb306SCy Schubertlog	= "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
19*41edb306SCy Schuberttag	= "tag" tagid .
20*41edb306SCy Schubertcall	= "call" [ "now" ] function-name "/" decnumber.
21*41edb306SCy Schubertdup	= "dup-to" interface-name[":"ipaddr] .
22*41edb306SCy Schubertfroute	= "fastroute" | "to" interface-name .
23*41edb306SCy Schubertreplyto = "reply-to" interface-name [ ":" ipaddr ] .
24*41edb306SCy Schubertprotocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
25*41edb306SCy Schubertsrcdst	= "all" | fromto .
26*41edb306SCy Schubertfromto	= "from" object "to" object .
27*41edb306SCy Schubert
28*41edb306SCy Schubertreturn-icmp = "return-icmp" | "return-icmp-as-dest" .
29*41edb306SCy Schubertloglevel = facility"."priority | priority .
30*41edb306SCy Schubertobject	= addr [ port-comp | port-range ] .
31*41edb306SCy Schubertaddr	= "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
32*41edb306SCy Schubertport-comp = "port" compare port-num .
33*41edb306SCy Schubertport-range = "port" port-num range port-num .
34*41edb306SCy Schubertflags	= "flags" flag { flag } [ "/" flag { flag } ] .
35*41edb306SCy Schubertwith	= "with" | "and" .
36*41edb306SCy Schuberticmp	= "icmp-type" icmp-type [ "code" decnumber ] .
37*41edb306SCy Schubertreturn-code = "("icmp-code")" .
38*41edb306SCy Schubertkeep	= "keep" "state" [ "limit" number ] | "keep" "frags" .
39*41edb306SCy Schubert
40*41edb306SCy Schubertnummask	= host-name [ "/" decnumber ] .
41*41edb306SCy Schuberthost-name = ipaddr | hostname | "any" .
42*41edb306SCy Schubertipaddr	= host-num "." host-num "." host-num "." host-num .
43*41edb306SCy Schuberthost-num = digit [ digit [ digit ] ] .
44*41edb306SCy Schubertport-num = service-name | decnumber .
45*41edb306SCy Schubert
46*41edb306SCy Schubertwithopt = [ "not" | "no" ] opttype [ [ "," ] withopt ] .
47*41edb306SCy Schubertopttype = "ipopts" | "short" | "nat" | "bad-src" | "lowttl" | "frag" |
48*41edb306SCy Schubert          "mbcast" | "opt" ipopts  .
49*41edb306SCy Schubertoptname	= ipopts [ "," optname ] .
50*41edb306SCy Schubertipopts  = optlist | "sec-class" [ secname ] .
51*41edb306SCy Schubertsecname	= seclvl [ "," secname ] .
52*41edb306SCy Schubertseclvl  = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
53*41edb306SCy Schubert	  "reserv-4" | "secret" | "topsecret" .
54*41edb306SCy Schuberticmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
55*41edb306SCy Schubert	    "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
56*41edb306SCy Schubert	    "inforep" | "maskreq" | "maskrep"  | "routerad" |
57*41edb306SCy Schubert	    "routersol" | decnumber .
58*41edb306SCy Schuberticmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
59*41edb306SCy Schubert	    "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
60*41edb306SCy Schubert	    "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
61*41edb306SCy Schubert	    "filter-prohib" | "host-preced" | "cutoff-preced" .
62*41edb306SCy Schubertoptlist	= "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
63*41edb306SCy Schubert	  "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
64*41edb306SCy Schubert	  "visa" | "imitd" | "eip" | "finn" .
65*41edb306SCy Schubertfacility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
66*41edb306SCy Schubert	   "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
67*41edb306SCy Schubert	   "audit" | "logalert" | "local0" | "local1" | "local2" |
68*41edb306SCy Schubert	   "local3" | "local4" | "local5" | "local6" | "local7" .
69*41edb306SCy Schubertpriority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
70*41edb306SCy Schubert	   "info" | "debug" .
71*41edb306SCy Schubert
72*41edb306SCy Schuberthexnumber = "0" "x" hexstring .
73*41edb306SCy Schuberthexstring = hexdigit [ hexstring ] .
74*41edb306SCy Schubertdecnumber = digit [ decnumber ] .
75*41edb306SCy Schubert
76*41edb306SCy Schubertcompare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
77*41edb306SCy Schubert	  "le" | "ge" .
78*41edb306SCy Schubertrange	= "<>" | "><" .
79*41edb306SCy Schuberthexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
80*41edb306SCy Schubertdigit	= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
81*41edb306SCy Schubertflag	= "F" | "S" | "R" | "P" | "A" | "U" | "C" | "W" .
82