filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
	      [ proto ] [ ip ] .

insert	= "@" decnumber .
action	= block | "pass" | log .
in-out	= "in" | "out" .
options	= [ log ] [ "quick" ] [ "on" interface-name] .
tos	= "tos" decnumber | "tos" hexnumber .
ttl	= "ttl" decnumber .
proto	= "proto" protocol .
ip	= srcdst [ flags ] [ with ] [ icmp ] .

block	= "block" [ "return-icmp" | "return-rst" ] .
log	= "log" [ "body" ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst	= "all" | fromto .
fromto	= "from" object "to" object .

object	= addr [ port-comp | port-range ] .
addr	= "any" | nummask | host-name [ "mask" ipaddr | hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
flags	= "flags" flag { flag } [ "/" flag { flag } ] .
with	= "with" options .
icmp	= "icmp-type" icmp-type [ "code" decnumber ] .

nummask	= host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
ipaddr	= host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .

options = opttype [ options ] .
opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
optname	= ipopts [ "," optname ] .
ipopts  = "nop" | "rr" | "ts" | "security" | "sec-class" [ "=" secname ] |
	  "lsrr" | "satid" | "rsrr" .
secname	= seclvl [ "," secname ] .
seclvl  = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
	  "reserv-4" | "secret" | "topsecret" .
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
	    "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
	    "inforep" | "maskreq" | "maskrep"  | decnumber .

hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .

compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
	  "le" | "ge" .
range	= "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit	= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
flag	= "F" | "S" | "R" | "P" | "A" | "U" .
