head	1.1;
branch	1.1.1;
access;
symbols
	RELENG_8_4:1.1.1.8.0.42
	RELENG_9_1_0_RELEASE:1.1.1.8
	RELENG_9_1:1.1.1.8.0.40
	RELENG_9_1_BP:1.1.1.8
	RELENG_8_3_0_RELEASE:1.1.1.8
	RELENG_8_3:1.1.1.8.0.38
	RELENG_8_3_BP:1.1.1.8
	RELENG_9_0_0_RELEASE:1.1.1.8
	RELENG_9_0:1.1.1.8.0.36
	RELENG_9_0_BP:1.1.1.8
	RELENG_9:1.1.1.8.0.34
	RELENG_9_BP:1.1.1.8
	RELENG_7_4_0_RELEASE:1.1.1.8
	RELENG_8_2_0_RELEASE:1.1.1.8
	RELENG_7_4:1.1.1.8.0.32
	RELENG_7_4_BP:1.1.1.8
	RELENG_8_2:1.1.1.8.0.30
	RELENG_8_2_BP:1.1.1.8
	RELENG_8_1_0_RELEASE:1.1.1.8
	RELENG_8_1:1.1.1.8.0.28
	RELENG_8_1_BP:1.1.1.8
	RELENG_7_3_0_RELEASE:1.1.1.8
	RELENG_7_3:1.1.1.8.0.26
	RELENG_7_3_BP:1.1.1.8
	RELENG_8_0_0_RELEASE:1.1.1.8
	RELENG_8_0:1.1.1.8.0.24
	RELENG_8_0_BP:1.1.1.8
	RELENG_8:1.1.1.8.0.22
	RELENG_8_BP:1.1.1.8
	RELENG_7_2_0_RELEASE:1.1.1.8
	RELENG_7_2:1.1.1.8.0.20
	RELENG_7_2_BP:1.1.1.8
	RELENG_7_1_0_RELEASE:1.1.1.8
	RELENG_6_4_0_RELEASE:1.1.1.8
	RELENG_7_1:1.1.1.8.0.18
	RELENG_7_1_BP:1.1.1.8
	RELENG_6_4:1.1.1.8.0.16
	RELENG_6_4_BP:1.1.1.8
	RELENG_7_0_0_RELEASE:1.1.1.8
	RELENG_6_3_0_RELEASE:1.1.1.8
	RELENG_7_0:1.1.1.8.0.14
	RELENG_7_0_BP:1.1.1.8
	RELENG_6_3:1.1.1.8.0.12
	RELENG_6_3_BP:1.1.1.8
	v4-1-28:1.1.1.8
	RELENG_7:1.1.1.8.0.10
	RELENG_7_BP:1.1.1.8
	v4-1-23:1.1.1.8
	RELENG_6_2_0_RELEASE:1.1.1.8
	RELENG_6_2:1.1.1.8.0.8
	RELENG_6_2_BP:1.1.1.8
	v4-1-13:1.1.1.8
	RELENG_5_5_0_RELEASE:1.1.1.7
	RELENG_5_5:1.1.1.7.0.14
	RELENG_5_5_BP:1.1.1.7
	RELENG_6_1_0_RELEASE:1.1.1.8
	RELENG_6_1:1.1.1.8.0.6
	RELENG_6_1_BP:1.1.1.8
	v4-1-10:1.1.1.8
	RELENG_6_0_0_RELEASE:1.1.1.8
	RELENG_6_0:1.1.1.8.0.4
	RELENG_6_0_BP:1.1.1.8
	RELENG_6:1.1.1.8.0.2
	RELENG_6_BP:1.1.1.8
	RELENG_5_4_0_RELEASE:1.1.1.7
	v4-1-8:1.1.1.8
	RELENG_5_4:1.1.1.7.0.12
	RELENG_5_4_BP:1.1.1.7
	RELENG_4_11_0_RELEASE:1.1.1.4.2.3
	RELENG_4_11:1.1.1.4.2.3.0.12
	RELENG_4_11_BP:1.1.1.4.2.3
	RELENG_5_3_0_RELEASE:1.1.1.7
	RELENG_5_3:1.1.1.7.0.10
	RELENG_5_3_BP:1.1.1.7
	RELENG_5:1.1.1.7.0.8
	RELENG_5_BP:1.1.1.7
	v3-4-35:1.1.1.7
	RELENG_4_10_0_RELEASE:1.1.1.4.2.3
	RELENG_4_10:1.1.1.4.2.3.0.10
	RELENG_4_10_BP:1.1.1.4.2.3
	RELENG_5_2_1_RELEASE:1.1.1.7
	RELENG_5_2_0_RELEASE:1.1.1.7
	RELENG_5_2:1.1.1.7.0.6
	RELENG_5_2_BP:1.1.1.7
	RELENG_4_9_0_RELEASE:1.1.1.4.2.3
	RELENG_4_9:1.1.1.4.2.3.0.8
	RELENG_4_9_BP:1.1.1.4.2.3
	RELENG_5_1_0_RELEASE:1.1.1.7
	RELENG_5_1:1.1.1.7.0.4
	RELENG_5_1_BP:1.1.1.7
	RELENG_4_8_0_RELEASE:1.1.1.4.2.3
	RELENG_4_8:1.1.1.4.2.3.0.6
	RELENG_4_8_BP:1.1.1.4.2.3
	v3-4-31:1.1.1.7
	RELENG_5_0_0_RELEASE:1.1.1.7
	RELENG_5_0:1.1.1.7.0.2
	RELENG_5_0_BP:1.1.1.7
	RELENG_4_7_0_RELEASE:1.1.1.4.2.3
	RELENG_4_7:1.1.1.4.2.3.0.4
	RELENG_4_7_BP:1.1.1.4.2.3
	v3-4-29:1.1.1.7
	RELENG_4_6_2_RELEASE:1.1.1.4.2.3
	RELENG_4_6_1_RELEASE:1.1.1.4.2.3
	RELENG_4_6_0_RELEASE:1.1.1.4.2.3
	v3-4-28:1.1.1.7
	RELENG_4_6:1.1.1.4.2.3.0.2
	RELENG_4_6_BP:1.1.1.4.2.3
	v3-4-27:1.1.1.7
	v3-4-26:1.1.1.7
	v3-4-25:1.1.1.7
	RELENG_4_5_0_RELEASE:1.1.1.4.2.2
	RELENG_4_5:1.1.1.4.2.2.0.4
	RELENG_4_5_BP:1.1.1.4.2.2
	RELENG_4_4_0_RELEASE:1.1.1.4.2.2
	RELENG_4_4:1.1.1.4.2.2.0.2
	RELENG_4_4_BP:1.1.1.4.2.2
	v3-4-20:1.1.1.6
	RELENG_4_3_0_RELEASE:1.1.1.4.2.1
	RELENG_4_3:1.1.1.4.2.1.0.2
	RELENG_4_3_BP:1.1.1.4.2.1
	v3-4-16:1.1.1.5
	rev:1.1.1.5
	RELENG_4_2_0_RELEASE:1.1.1.4
	v3-4-13:1.1.1.5
	v3-4-12:1.1.1.5
	RELENG_4_1_1_RELEASE:1.1.1.4
	PRE_SMPNG:1.1.1.4
	v3-4-9:1.1.1.4
	RELENG_4_1_0_RELEASE:1.1.1.4
	v3-4-8:1.1.1.4
	RELENG_3_5_0_RELEASE:1.1.1.2
	v3_4_4:1.1.1.4
	RELENG_4_0_0_RELEASE:1.1.1.4
	RELENG_4:1.1.1.4.0.2
	RELENG_4_BP:1.1.1.4
	v3_3_8:1.1.1.4
	v3_3_6:1.1.1.3
	RELENG_3_4_0_RELEASE:1.1.1.2
	v3_3_3:1.1.1.3
	RELENG_3_3_0_RELEASE:1.1.1.2
	RELENG_3_2_PAO:1.1.1.2.0.4
	RELENG_3_2_PAO_BP:1.1.1.2
	RELENG_3_2_0_RELEASE:1.1.1.2
	RELENG_3_1_0_RELEASE:1.1.1.2
	RELENG_3:1.1.1.2.0.2
	RELENG_3_BP:1.1.1.2
	RELENG_3_0_0_RELEASE:1.1.1.2
	v3_2_7:1.1.1.2
	v3_2_3:1.1.1.2
	v3_2_1:1.1.1.2
	v3-2-a7:1.1.1.1
	V3_2_A4:1.1.1.1
	ipfilter3_1_8:1.1.1.1
	DARRENR:1.1.1
	ipfilter3_1_7:1.1.1.1
	DARRENREED:1.1.1;
locks; strict;
comment	@# @;


1.1
date	97.02.09.22.49.47;	author darrenr;	state Exp;
branches
	1.1.1.1;
next	;

1.1.1.1
date	97.02.09.22.49.47;	author darrenr;	state Exp;
branches;
next	1.1.1.2;

1.1.1.2
date	97.11.16.04.46.38;	author peter;	state Exp;
branches;
next	1.1.1.3;

1.1.1.3
date	99.11.08.20.50.03;	author guido;	state Exp;
branches;
next	1.1.1.4;

1.1.1.4
date	2000.02.09.20.45.29;	author guido;	state Exp;
branches
	1.1.1.4.2.1;
next	1.1.1.5;

1.1.1.5
date	2000.10.26.12.45.44;	author darrenr;	state Exp;
branches;
next	1.1.1.6;

1.1.1.6
date	2001.07.28.11.59.16;	author darrenr;	state Exp;
branches;
next	1.1.1.7;

1.1.1.7
date	2002.03.19.11.44.59;	author darrenr;	state Exp;
branches;
next	1.1.1.8;

1.1.1.8
date	2005.04.25.17.29.59;	author darrenr;	state Exp;
branches
	1.1.1.8.42.1;
next	;

1.1.1.4.2.1
date	2001.02.17.20.35.52;	author darrenr;	state Exp;
branches;
next	1.1.1.4.2.2;

1.1.1.4.2.2
date	2001.07.28.13.34.14;	author darrenr;	state Exp;
branches;
next	1.1.1.4.2.3;

1.1.1.4.2.3
date	2002.04.27.17.30.26;	author darrenr;	state Exp;
branches;
next	;

1.1.1.8.42.1
date	2005.04.25.17.29.59;	author svnexp;	state dead;
branches;
next	1.1.1.8.42.2;

1.1.1.8.42.2
date	2013.03.28.13.01.19;	author svnexp;	state Exp;
branches;
next	;


desc
@@


1.1
log
@Initial revision
@
text
@filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
	      [ proto ] [ ip ] .

insert	= "@@" decnumber .
action	= block | "pass" | log | "count" | call .
in-out	= "in" | "out" .
options	= [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
tos	= "tos" decnumber | "tos" hexnumber .
ttl	= "ttl" decnumber .
proto	= "proto" protocol .
ip	= srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .

block	= "block" [ "return-icmp"[return-code] | "return-rst" ] .
log	= "log" [ "body" ] [ "first" ] [ "or-block" ] .
call	= "call" [ "now" ] function-name .
dup	= "dup-to" interface-name[":"ipaddr] .
froute	= "fastroute" | "to" interface-name .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst	= "all" | fromto .
fromto	= "from" object "to" object .

object	= addr [ port-comp | port-range ] .
addr	= "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
flags	= "flags" flag { flag } [ "/" flag { flag } ] .
with	= "with" | "and" .
icmp	= "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
keep	= "keep" "state" | "keep" "frags" .

nummask	= host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
ipaddr	= host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .

withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" ipopts  .
optname	= ipopts [ "," optname ] .
ipopts  = optlist | "sec-class" [ secname ] .
secname	= seclvl [ "," secname ] .
seclvl  = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
	  "reserv-4" | "secret" | "topsecret" .
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
	    "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
	    "inforep" | "maskreq" | "maskrep"  | decnumber .
icmp-code = decnumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
	    "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
	    "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
optlist	= "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
	  "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
	  "visa" | "imitd" | "eip" | "finn" .

hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .

compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
	  "le" | "ge" .
range	= "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit	= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
flag	= "F" | "S" | "R" | "P" | "A" | "U" .
@


1.1.1.1
log
@Import IP Filter v3.1.7 into FreeBSD tree
@
text
@@


1.1.1.2
log
@Import ipfilter 3.2.1 (update from 3.1.8)
@
text
@d2 1
a2 1
	      [ proto ] [ ip ] [ group ].
d5 1
a5 1
action	= block | "pass" | log | "count" | skip | auth | call .
a11 1
group	= [ "head" decnumber ] [ "group" decnumber ] .
a13 1
auth	= "auth" | "preauth" .
a15 1
skip	= "skip" decnumber .
d47 1
a47 2
	    "inforep" | "maskreq" | "maskrep"  | "routerad" |
	    "routersol" | decnumber .
@


1.1.1.3
log
@Import of ipfilter 3.3.3  in anticipation of its revival.
More to come in the next days.
@
text
@d14 1
a14 1
block	= "block" [ icmp [return-code] | "return-rst" ] .
d16 1
a16 1
log	= "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
a24 2
icmp	= "return-icmp" | "return-icmp-as-dest" .
loglevel = facility"."priority | priority .
a57 6
facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
	   "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
	   "audit" | "logalert" | "local0" | "local1" | "local2" |
	   "local3" | "local4" | "local5" | "local6" | "local7" .
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
	   "info" | "debug" . 
@


1.1.1.4
log
@Import of ipfilter 3.3.8

Approved by: jkh
@
text
@d56 1
a56 2
	    "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
	    "filter-prohib" | "host-preced" | "cutoff-preced" .
@


1.1.1.4.2.1
log
@Merge changes from 3.4.8 to 3.4.16
@
text
@d14 1
a14 1
block	= "block" [ reutrn-icmp[return-code] | "return-rst" ] .
d25 1
a25 1
reutrn-icmp = "return-icmp" | "return-icmp-as-dest" .
@


1.1.1.4.2.2
log
@merge diffs for ipfilter 3.4.16 -> 3.4.20 into RELENG_4
@
text
@d20 1
a20 1
froute	= "fastroute" | "to" interface-name [ ":" ipaddr ] .
@


1.1.1.4.2.3
log
@Update (finally) IPFilter on RELENG_4 CVS branch.
@
text
@d5 1
a5 1
action	= block | "no-match" | "pass" | log | "count" | skip | auth | call .
d7 1
a7 2
options	= [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ]
          [ via ] ] .
d14 1
a14 1
block	= "block" [ return-icmp[return-code] | "return-rst" ] .
a19 1
via	= "in-via" interface-name | "out-via" interface-name .
d25 1
a25 1
return-icmp = "return-icmp" | "return-icmp-as-dest" .
d35 1
a35 2
keep	= "keep" "state" | "keep" "frags" | "keep" "state-age" state-age .
state-age = decnmber [ "/" decnumber ] .
@


1.1.1.5
log
@Import IP Filter 3.4.12
@
text
@d14 1
a14 1
block	= "block" [ reutrn-icmp[return-code] | "return-rst" ] .
d25 1
a25 1
reutrn-icmp = "return-icmp" | "return-icmp-as-dest" .
@


1.1.1.6
log
@Import IPFilter version 3.4.20
@
text
@d20 1
a20 1
froute	= "fastroute" | "to" interface-name [ ":" ipaddr ] .
@


1.1.1.7
log
@Import IPFilter 3.4.25
@
text
@d5 1
a5 1
action	= block | "no-match" | "pass" | log | "count" | skip | auth | call .
d7 1
a7 2
options	= [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ]
          [ via ] ] .
d14 1
a14 1
block	= "block" [ return-icmp[return-code] | "return-rst" ] .
a19 1
via	= "in-via" interface-name | "out-via" interface-name .
d25 1
a25 1
return-icmp = "return-icmp" | "return-icmp-as-dest" .
d35 1
a35 2
keep	= "keep" "state" | "keep" "frags" | "keep" "state-age" state-age .
state-age = decnmber [ "/" decnumber ] .
@


1.1.1.8
log
@import ipfilter 4.1.8 into the vendor branch
@
text
@d2 1
a2 1
	      [ proto ] [ ip ] [ group ] [ tag ] [ pps ] .
d5 1
a5 1
action	= block | "pass" | log | "count" | auth | call .
d7 2
a8 1
options	= [ log ] [ "quick" ] [ onif [ dup ] [ froute ] ] .
a13 1
pps	= "pps" decnumber .
a14 1
onif	= "on" interface-name [ "out-via" interface-name ] .
d18 2
a19 2
tag	= "tag" tagid .
call	= "call" [ "now" ] function-name "/" decnumber.
d21 2
a22 2
froute	= "fastroute" | "to" interface-name .
replyto = "reply-to" interface-name [ ":" ipaddr ] .
d37 2
a38 1
keep	= "keep" "state" [ "limit" number ] | "keep" "frags" .
d46 2
a47 3
withopt = [ "not" | "no" ] opttype [ [ "," ] withopt ] .
opttype = "ipopts" | "short" | "nat" | "bad-src" | "lowttl" | "frag" |
          "mbcast" | "opt" ipopts  .
d80 1
a80 1
flag	= "F" | "S" | "R" | "P" | "A" | "U" | "C" | "W" .
@


1.1.1.8.42.1
log
@file BNF was added on branch RELENG_8_4 on 2013-03-28 13:01:19 +0000
@
text
@d1 81
@


1.1.1.8.42.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 81
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
	      [ proto ] [ ip ] [ group ] [ tag ] [ pps ] .

insert	= "@@" decnumber .
action	= block | "pass" | log | "count" | auth | call .
in-out	= "in" | "out" .
options	= [ log ] [ "quick" ] [ onif [ dup ] [ froute ] ] .
tos	= "tos" decnumber | "tos" hexnumber .
ttl	= "ttl" decnumber .
proto	= "proto" protocol .
ip	= srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group	= [ "head" decnumber ] [ "group" decnumber ] .
pps	= "pps" decnumber .

onif	= "on" interface-name [ "out-via" interface-name ] .
block	= "block" [ return-icmp[return-code] | "return-rst" ] .
auth	= "auth" | "preauth" .
log	= "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
tag	= "tag" tagid .
call	= "call" [ "now" ] function-name "/" decnumber.
dup	= "dup-to" interface-name[":"ipaddr] .
froute	= "fastroute" | "to" interface-name .
replyto = "reply-to" interface-name [ ":" ipaddr ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst	= "all" | fromto .
fromto	= "from" object "to" object .

return-icmp = "return-icmp" | "return-icmp-as-dest" .
loglevel = facility"."priority | priority .
object	= addr [ port-comp | port-range ] .
addr	= "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
flags	= "flags" flag { flag } [ "/" flag { flag } ] .
with	= "with" | "and" .
icmp	= "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
keep	= "keep" "state" [ "limit" number ] | "keep" "frags" .

nummask	= host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
ipaddr	= host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .

withopt = [ "not" | "no" ] opttype [ [ "," ] withopt ] .
opttype = "ipopts" | "short" | "nat" | "bad-src" | "lowttl" | "frag" |
          "mbcast" | "opt" ipopts  .
optname	= ipopts [ "," optname ] .
ipopts  = optlist | "sec-class" [ secname ] .
secname	= seclvl [ "," secname ] .
seclvl  = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
	  "reserv-4" | "secret" | "topsecret" .
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
	    "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
	    "inforep" | "maskreq" | "maskrep"  | "routerad" |
	    "routersol" | decnumber .
icmp-code = decnumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
	    "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
	    "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
	    "filter-prohib" | "host-preced" | "cutoff-preced" .
optlist	= "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
	  "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
	  "visa" | "imitd" | "eip" | "finn" .
facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
	   "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
	   "audit" | "logalert" | "local0" | "local1" | "local2" |
	   "local3" | "local4" | "local5" | "local6" | "local7" .
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
	   "info" | "debug" . 

hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .

compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
	  "le" | "ge" .
range	= "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit	= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
flag	= "F" | "S" | "R" | "P" | "A" | "U" | "C" | "W" .
@


