<?xml version="1.0" encoding="UTF-8"?> <grammar ns="" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"> <include href='basictypes.rng'/> <start> <ref name="filter"/> </start> <define name="filter"> <element name="filter"> <ref name="filter-node-attributes"/> <optional> <element name="uuid"> <ref name="UUID"/> </element> </optional> <zeroOrMore> <choice> <element name="filterref"> <ref name="filterref-node-attributes"/> </element> <element name="rule"> <ref name="rule-node-attributes"/> <optional> <zeroOrMore> <element name="mac"> <ref name="match-attribute"/> <ref name="common-l2-attributes"/> <ref name="mac-attributes"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="vlan"> <ref name="match-attribute"/> <ref name="common-l2-attributes"/> <ref name="vlan-attributes"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="stp"> <ref name="match-attribute"/> <ref name="srcmacandmask-attributes"/> <ref name="stp-attributes"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="arp"> <ref name="match-attribute"/> <ref name="common-l2-attributes"/> <ref name="arp-attributes"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="rarp"> <ref name="match-attribute"/> <ref name="common-l2-attributes"/> <ref name="arp-attributes"/> <!-- same as arp --> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="ip"> <ref name="match-attribute"/> <ref name="common-l2-attributes"/> <ref name="common-ip-attributes-p1"/> <ref name="common-port-attributes"/> <ref name="ip-attributes"/> <ref name="dscp-attribute"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="ipv6"> <ref name="match-attribute"/> <ref name="common-l2-attributes"/> <ref name="common-ipv6-attributes-p1"/> <ref name="common-port-attributes"/> <ref name="ip-attributes"/> <ref name="icmp-attribute-ranges"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="tcp"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-port-attributes"/> <ref name="common-ip-attributes-p1"/> <ref name="common-ip-attributes-p2"/> <ref name="tcp-attributes"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="udp"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-port-attributes"/> <ref name="common-ip-attributes-p1"/> <ref name="common-ip-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="sctp"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-port-attributes"/> <ref name="common-ip-attributes-p1"/> <ref name="common-ip-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="icmp"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ip-attributes-p1"/> <ref name="common-ip-attributes-p2"/> <ref name="icmp-attributes"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="igmp"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ip-attributes-p1"/> <ref name="common-ip-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="all"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ip-attributes-p1"/> <ref name="common-ip-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="esp"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ip-attributes-p1"/> <ref name="common-ip-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="ah"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ip-attributes-p1"/> <ref name="common-ip-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="udplite"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ip-attributes-p1"/> <ref name="common-ip-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="tcp-ipv6"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-port-attributes"/> <ref name="common-ipv6-attributes-p1"/> <ref name="common-ipv6-attributes-p2"/> <ref name="tcp-attributes"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="udp-ipv6"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-port-attributes"/> <ref name="common-ipv6-attributes-p1"/> <ref name="common-ipv6-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="sctp-ipv6"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-port-attributes"/> <ref name="common-ipv6-attributes-p1"/> <ref name="common-ipv6-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="icmpv6"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ipv6-attributes-p1"/> <ref name="common-ipv6-attributes-p2"/> <ref name="icmp-attributes"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="all-ipv6"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ipv6-attributes-p1"/> <ref name="common-ipv6-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="esp-ipv6"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ipv6-attributes-p1"/> <ref name="common-ipv6-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="ah-ipv6"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ipv6-attributes-p1"/> <ref name="common-ipv6-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> <optional> <zeroOrMore> <element name="udplite-ipv6"> <ref name="match-attribute"/> <ref name="srcmac-attribute"/> <ref name="common-ipv6-attributes-p1"/> <ref name="common-ipv6-attributes-p2"/> <ref name="comment-attribute"/> </element> </zeroOrMore> </optional> </element> </choice> </zeroOrMore> </element> </define> <!-- ########### attributes of XML nodes ############ --> <define name="filter-node-attributes"> <attribute name="name"> <data type="NCName"/> </attribute> <optional> <attribute name="chain"> <choice> <value>root</value> <data type="string"> <param name="pattern">mac[a-zA-Z0-9_\.:\-]{0,9}</param> </data> <data type="string"> <param name="pattern">stp[a-zA-Z0-9_\.:\-]{0,9}</param> </data> <data type="string"> <param name="pattern">vlan[a-zA-Z0-9_\.:\-]{0,8}</param> </data> <data type="string"> <param name="pattern">arp[a-zA-Z0-9_\.:\-]{0,9}</param> </data> <data type="string"> <param name="pattern">rarp[a-zA-Z0-9_\.:\-]{0,8}</param> </data> <data type="string"> <param name="pattern">ipv4[a-zA-Z0-9_\.:\-]{0,8}</param> </data> <data type="string"> <param name="pattern">ipv6[a-zA-Z0-9_\.:\-]{0,8}</param> </data> </choice> </attribute> </optional> <optional> <attribute name="priority"> <ref name='priority-type'/> </attribute> </optional> </define> <define name="filterref-node-attributes"> <attribute name="filter"> <data type="NCName"/> </attribute> <zeroOrMore> <element name="parameter"> <attribute name="name"> <ref name="filter-param-name"/> </attribute> <attribute name="value"> <ref name="filter-param-value"/> </attribute> </element> </zeroOrMore> </define> <define name="rule-node-attributes"> <attribute name="action"> <ref name='action-type'/> </attribute> <attribute name="direction"> <ref name='direction-type'/> </attribute> <optional> <attribute name="priority"> <ref name='priority-type'/> </attribute> </optional> <optional> <attribute name="statematch"> <ref name='statematch-type'/> </attribute> </optional> </define> <define name="match-attribute"> <interleave> <optional> <attribute name="match"> <ref name="virYesNo"/> </attribute> </optional> </interleave> </define> <define name="srcmac-attribute"> <interleave> <optional> <attribute name="srcmacaddr"> <ref name="addrMAC"/> </attribute> </optional> </interleave> </define> <define name="srcmacandmask-attributes"> <interleave> <ref name="srcmac-attribute"/> <optional> <attribute name="srcmacmask"> <ref name="addrMAC"/> </attribute> </optional> </interleave> </define> <define name="common-l2-attributes"> <interleave> <ref name="srcmacandmask-attributes"/> <optional> <attribute name="dstmacaddr"> <ref name="addrMAC"/> </attribute> </optional> <optional> <attribute name="dstmacmask"> <ref name="addrMAC"/> </attribute> </optional> </interleave> </define> <define name="common-ip-attributes-p1"> <interleave> <optional> <attribute name="srcipaddr"> <ref name="addrIP"/> </attribute> </optional> <optional> <attribute name="srcipmask"> <ref name="addrMask"/> </attribute> </optional> <optional> <attribute name="dstipaddr"> <ref name="addrIP"/> </attribute> </optional> <optional> <attribute name="dstipmask"> <ref name="addrMask"/> </attribute> </optional> </interleave> </define> <define name="common-ip-attributes-p2"> <interleave> <optional> <attribute name="srcipfrom"> <ref name="addrIP"/> </attribute> </optional> <optional> <attribute name="srcipto"> <ref name="addrIP"/> </attribute> </optional> <optional> <attribute name="dstipfrom"> <ref name="addrIP"/> </attribute> </optional> <optional> <attribute name="dstipto"> <ref name="addrIP"/> </attribute> </optional> <optional> <attribute name="dscp"> <ref name="sixbitrange"/> </attribute> </optional> <optional> <attribute name="connlimit-above"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="state"> <ref name="stateflags-type"/> </attribute> </optional> <optional> <attribute name="ipset"> <ref name="ipset-name-type"/> </attribute> <attribute name="ipsetflags"> <ref name="ipset-flags-type"/> </attribute> </optional> </interleave> </define> <define name="common-ipv6-attributes-p1"> <interleave> <optional> <attribute name="srcipaddr"> <ref name="addrIPv6"/> </attribute> </optional> <optional> <attribute name="srcipmask"> <ref name="addrMaskv6"/> </attribute> </optional> <optional> <attribute name="dstipaddr"> <ref name="addrIPv6"/> </attribute> </optional> <optional> <attribute name="dstipmask"> <ref name="addrMaskv6"/> </attribute> </optional> </interleave> </define> <define name="common-ipv6-attributes-p2"> <interleave> <optional> <attribute name="srcipfrom"> <ref name="addrIPv6"/> </attribute> </optional> <optional> <attribute name="srcipto"> <ref name="addrIPv6"/> </attribute> </optional> <optional> <attribute name="dstipfrom"> <ref name="addrIPv6"/> </attribute> </optional> <optional> <attribute name="dstipto"> <ref name="addrIPv6"/> </attribute> </optional> <optional> <attribute name="dscp"> <ref name="sixbitrange"/> </attribute> </optional> </interleave> </define> <define name="common-port-attributes"> <interleave> <optional> <attribute name="srcportstart"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="srcportend"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="dstportstart"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="dstportend"> <ref name="uint16range"/> </attribute> </optional> </interleave> </define> <define name="icmp-attributes"> <interleave> <optional> <attribute name="type"> <ref name="uint8range"/> </attribute> </optional> <optional> <attribute name="code"> <ref name="uint8range"/> </attribute> </optional> </interleave> </define> <define name="icmp-attribute-ranges"> <interleave> <optional> <attribute name="type"> <ref name="uint8range"/> </attribute> </optional> <optional> <attribute name="typeend"> <ref name="uint8range"/> </attribute> </optional> <optional> <attribute name="code"> <ref name="uint8range"/> </attribute> </optional> <optional> <attribute name="codeend"> <ref name="uint8range"/> </attribute> </optional> </interleave> </define> <define name="mac-attributes"> <interleave> <optional> <attribute name="protocolid"> <ref name="mac-protocolid"/> </attribute> </optional> </interleave> </define> <define name="vlan-attributes"> <interleave> <optional> <attribute name="vlanid"> <ref name="vlan-vlanid"/> </attribute> </optional> <optional> <attribute name="encap-protocol"> <ref name="mac-protocolid"/> </attribute> </optional> </interleave> </define> <define name="stp-attributes"> <optional> <attribute name="type"> <ref name="uint8range"/> </attribute> </optional> <optional> <attribute name="flags"> <ref name="uint8range"/> </attribute> </optional> <optional> <attribute name="root-priority"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="root-priority-hi"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="root-address"> <ref name="addrMAC"/> </attribute> </optional> <optional> <attribute name="root-address-mask"> <ref name="addrMAC"/> </attribute> </optional> <optional> <attribute name="root-cost"> <ref name="uint32range"/> </attribute> </optional> <optional> <attribute name="root-cost-hi"> <ref name="uint32range"/> </attribute> </optional> <optional> <attribute name="sender-priority"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="sender-priority-hi"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="sender-address"> <ref name="addrMAC"/> </attribute> </optional> <optional> <attribute name="sender-address-mask"> <ref name="addrMAC"/> </attribute> </optional> <optional> <attribute name="port"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="port-hi"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="age"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="age-hi"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="max-age"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="max-age-hi"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="hello-time"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="hello-time-hi"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="forward-delay"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="forward-delay-hi"> <ref name="uint16range"/> </attribute> </optional> </define> <define name="arp-attributes"> <interleave> <optional> <attribute name="arpsrcmacaddr"> <ref name="addrMAC"/> </attribute> </optional> <optional> <attribute name="arpsrcipaddr"> <ref name="addrIP"/> </attribute> </optional> <optional> <attribute name="arpdstmacaddr"> <ref name="addrMAC"/> </attribute> </optional> <optional> <attribute name="arpdstipaddr"> <ref name="addrIP"/> </attribute> </optional> <optional> <attribute name="hwtype"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="opcode"> <ref name="arpOpcodeType"/> </attribute> </optional> <optional> <attribute name="protocoltype"> <ref name="uint16range"/> </attribute> </optional> <optional> <attribute name="gratuitous"> <ref name="boolean"/> </attribute> </optional> </interleave> </define> <define name="ip-attributes"> <optional> <attribute name="protocol"> <ref name="ipProtocolType"/> </attribute> </optional> </define> <define name="dscp-attribute"> <optional> <attribute name="dscp"> <ref name="sixbitrange"/> </attribute> </optional> </define> <define name="comment-attribute"> <optional> <attribute name="comment"> <ref name="comment-type"/> </attribute> </optional> </define> <define name="tcp-attributes"> <optional> <attribute name="flags"> <ref name="tcpflags-type"/> </attribute> </optional> </define> <!-- ################ type library ################ --> <define name="variable-name-type"> <data type="string"> <param name="pattern">$[a-zA-Z0-9_]+(\[[ ]*[@]?[0-9]+[ ]*\])?</param> </data> </define> <define name="addrMAC"> <choice> <ref name="variable-name-type"/> <data type="string"> <param name="pattern">([a-fA-F0-9]{1,2}:){5}[a-fA-F0-9]{1,2}</param> </data> </choice> </define> <define name="addrIP"> <choice> <ref name="variable-name-type"/> <data type="string"> <param name="pattern">([0-2]?[0-9]?[0-9]\.){3}[0-2]?[0-9]?[0-9]</param> </data> </choice> </define> <define name="addrIPv6"> <choice> <ref name="variable-name-type"/> <data type="string"> <param name="pattern">([a-fA-F0-9]{0,4}:){2,7}([a-fA-F0-9]*)(([0-2]?[0-9]?[0-9]\.){3}[0-2]?[0-9]?[0-9])?</param> </data> </choice> </define> <define name="addrMask"> <choice> <ref name="variable-name-type"/> <data type="int"> <param name="minInclusive">0</param> <param name="maxInclusive">32</param> </data> <data type="string"> <param name="pattern">([0-2]?[0-9]?[0-9]\.){3}[0-2]?[0-9]?[0-9]</param> </data> </choice> </define> <define name="addrMaskv6"> <choice> <ref name="variable-name-type"/> <data type="int"> <param name="minInclusive">0</param> <param name="maxInclusive">128</param> </data> <data type="string"> <param name="pattern">([a-fA-F0-9]{0,4}:){2,7}([a-fA-F0-9]*)</param> </data> </choice> </define> <define name="sixbitrange"> <choice> <data type="string"> <param name="pattern">0x([0-3][0-9a-fA-F]|[0-9a-fA-F])</param> </data> <ref name="variable-name-type"/> <data type="int"> <param name="minInclusive">0</param> <param name="maxInclusive">63</param> </data> </choice> </define> <define name="mac-protocolid"> <choice> <ref name="variable-name-type"/> <data type="string"> <param name="pattern">0x([6-9a-fA-F][0-9a-fA-F]{2}|[0-9a-fA-F]{4})</param> </data> <data type="int"> <param name="minInclusive">1536</param> <param name="maxInclusive">65535</param> </data> <choice> <value>arp</value> <value>rarp</value> <value>ipv4</value> <value>ipv6</value> <value>vlan</value> </choice> </choice> </define> <define name="vlan-vlanid"> <choice> <ref name="variable-name-type"/> <data type="string"> <param name="pattern">0x([0-9a-fA-F]{1,3})</param> </data> <data type="int"> <param name="minInclusive">0</param> <param name="maxInclusive">4095</param> </data> </choice> </define> <define name="uint16range"> <choice> <ref name="variable-name-type"/> <data type="string"> <param name="pattern">0x[0-9a-fA-F]{1,4}</param> </data> <data type="int"> <param name="minInclusive">0</param> <param name="maxInclusive">65535</param> </data> </choice> </define> <define name="uint32range"> <choice> <ref name="variable-name-type"/> <data type="string"> <param name="pattern">0x[0-9a-fA-F]{1,8}</param> </data> <data type="unsignedInt"/> </choice> </define> <define name="boolean"> <choice> <value>yes</value> <value>no</value> <value>true</value> <value>false</value> <value>1</value> <value>0</value> </choice> </define> <define name="arpOpcodeType"> <choice> <ref name="variable-name-type"/> <data type="int"> <param name="minInclusive">0</param> <param name="maxInclusive">65535</param> </data> <data type="string"> <param name="pattern">([Rr]eply|[Rr]equest|[Rr]equest_[Rr]everse|[Rr]eply_[Rr]everse|DRARP_[Rr]equest|DRARP_[Rr]eply|DRARP_[Ee]rror|InARP_[Rr]equest|ARP_NAK)</param> </data> </choice> </define> <define name="ipProtocolType"> <choice> <ref name="variable-name-type"/> <data type="string"> <param name="pattern">0x[0-9a-fA-F]{1,2}</param> </data> <data type="int"> <param name="minInclusive">0</param> <param name="maxInclusive">255</param> </data> <choice> <value>tcp</value> <value>udp</value> <value>udplite</value> <value>esp</value> <value>ah</value> <value>icmp</value> <value>igmp</value> <value>sctp</value> <value>icmpv6</value> </choice> </choice> </define> <define name="filter-param-name"> <data type="string"> <param name="pattern">[a-zA-Z0-9_]+</param> </data> </define> <define name="filter-param-value"> <data type="string"> <param name="pattern">[a-zA-Z0-9_\.:]+</param> </data> </define> <define name='action-type'> <choice> <value>drop</value> <value>accept</value> <value>reject</value> <value>continue</value> <value>return</value> </choice> </define> <define name='direction-type'> <choice> <value>in</value> <value>out</value> <value>inout</value> </choice> </define> <define name='priority-type'> <data type="int"> <param name="minInclusive">-1000</param> <param name="maxInclusive">1000</param> </data> </define> <define name='statematch-type'> <data type="string"> <param name="pattern">([Ff][Aa][Ll][Ss][Ee]|0)</param> </data> </define> <define name='comment-type'> <data type="string"/> </define> <define name='stateflags-type'> <data type="string"> <param name="pattern">((NEW|ESTABLISHED|RELATED|INVALID)(,(NEW|ESTABLISHED|RELATED|INVALID))*|NONE)</param> </data> </define> <define name='tcpflags-type'> <data type="string"> <param name="pattern">((SYN|ACK|URG|PSH|FIN|RST)(,(SYN|ACK|URG|PSH|FIN|RST))*|ALL|NONE)/((SYN|ACK|URG|PSH|FIN|RST)(,(SYN|ACK|URG|PSH|FIN|RST))*|ALL|NONE)</param> </data> </define> <define name='ipset-name-type'> <choice> <ref name="variable-name-type"/> <data type="string"> <param name="pattern">[a-zA-Z0-9_\.:\-\+ ]{1,31}</param> </data> </choice> </define> <define name='ipset-flags-type'> <data type="string"> <param name="pattern">(src|dst)(,(src|dst)){0,5}</param> </data> </define> </grammar>