
line ::= set | if | policy | "interface" ifname .

set	::= "set" variable .
variable ::= "netmask" maskname | "protocol" protoname | "interface" ifname .
if	::= "if" "(" expression ")" "then" "{" do-it "}" .
do-it	::= if | action .
action	::= log | block | pass | action .

log	::= "log" [ "body" ] .
block	::= "block" | "deny" | "drop" | "reject" .
pass	::= "pass" | "permit" | "accept" .

expression ::= inout | protocol | fromto host | fromto port | "on" ifname
	| fromto net | tcpbits | "and" expression .

inout	::= "inbound" | "outbound" .

fromto	::= "from" | "to" .

protocol ::= "proto" protoname .
host	::= "host" hostname .
net	::= "net" netname [ "mask" maskname ] .
port	::= "port" [ portcmp ] servicename
	| "port" servicename "<>" servicename
	| "port" servicename "><" servicename .
tcpbits	::= "established" | "opening" | "flags" flags .

policy	::= action "all" .
