
rule ::= accounting | blocking | forwarding .

accounting ::= "-A" action options params .
blocking ::= "-B" action options params .
forwarding ::= "-F" action options params .

action ::= "-a" policy | "-d" policy | "-p" policy .
policy ::= "accept" | "deny" | "reject" .

options ::= bidirectional | kernlog | established .

params ::= netparams [ params ] .
netparams ::= [ proto ] source dest [ iface ] .

proto ::= "-P" protocol | "-P" "all" .
source ::= "-S" addrmask [ portspec ] .
dest ::= "-D" addrmask [ portspec ] .
portspec ::= port ":" port | port .

addrmask ::= ipaddress [ "/" mask ] .

iface ::= "-I" ipaddress .

ipaddress ::= hostname | dottedquad .

bidirectional ::= "-b" .
kernlog ::= "-k" .
established ::= "-y" .
