1
0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-23 21:34:54 +03:00
libvirt/docs/schemas/nwfilter.rng
Martin Kletzander 28933c5574 Correct invalid RNG schemas
The 'trang' utility, which is able to transform '.rng' files into
'.rnc' files, reported some errors in our schemas that weren't caught
by the tools we use in the build.  I haven't added a test for this,
but the validity can be checked by the following command:

trang -I rng -O rnc domain.rng domain.rnc

There were unescaped minuses in regular expressions and we were
constraining int (which is by default in the range of [-2^31;2^31-1]
to maximum of 2^32.  But what we wanted was exactly an unsignedInt.
2013-03-21 17:24:08 +01:00

1084 lines
30 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<grammar ns="" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
<include href='basictypes.rng'/>
<start>
<ref name="filter"/>
</start>
<define name="filter">
<element name="filter">
<ref name="filter-node-attributes"/>
<optional>
<element name="uuid">
<ref name="UUID"/>
</element>
</optional>
<zeroOrMore>
<choice>
<element name="filterref">
<ref name="filterref-node-attributes"/>
</element>
<element name="rule">
<ref name="rule-node-attributes"/>
<optional>
<zeroOrMore>
<element name="mac">
<ref name="match-attribute"/>
<ref name="common-l2-attributes"/>
<ref name="mac-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="vlan">
<ref name="match-attribute"/>
<ref name="common-l2-attributes"/>
<ref name="vlan-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="stp">
<ref name="match-attribute"/>
<ref name="srcmacandmask-attributes"/>
<ref name="stp-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="arp">
<ref name="match-attribute"/>
<ref name="common-l2-attributes"/>
<ref name="arp-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="rarp">
<ref name="match-attribute"/>
<ref name="common-l2-attributes"/>
<ref name="arp-attributes"/> <!-- same as arp -->
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="ip">
<ref name="match-attribute"/>
<ref name="common-l2-attributes"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-port-attributes"/>
<ref name="ip-attributes"/>
<ref name="dscp-attribute"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="ipv6">
<ref name="match-attribute"/>
<ref name="common-l2-attributes"/>
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-port-attributes"/>
<ref name="ip-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="tcp">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-port-attributes"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-ip-attributes-p2"/>
<ref name="tcp-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="udp">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-port-attributes"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-ip-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="sctp">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-port-attributes"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-ip-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="icmp">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-ip-attributes-p2"/>
<ref name="icmp-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="igmp">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-ip-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="all">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-ip-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="esp">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-ip-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="ah">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-ip-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="udplite">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-ip-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="tcp-ipv6">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-port-attributes"/>
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-ipv6-attributes-p2"/>
<ref name="tcp-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="udp-ipv6">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-port-attributes"/>
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-ipv6-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="sctp-ipv6">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-port-attributes"/>
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-ipv6-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="icmpv6">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-ipv6-attributes-p2"/>
<ref name="icmp-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="all-ipv6">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-ipv6-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="esp-ipv6">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-ipv6-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="ah-ipv6">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-ipv6-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
<optional>
<zeroOrMore>
<element name="udplite-ipv6">
<ref name="match-attribute"/>
<ref name="srcmac-attribute"/>
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-ipv6-attributes-p2"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
</optional>
</element>
</choice>
</zeroOrMore>
</element>
</define>
<!-- ########### attributes of XML nodes ############ -->
<define name="filter-node-attributes">
<attribute name="name">
<data type="NCName"/>
</attribute>
<optional>
<attribute name="chain">
<choice>
<value>root</value>
<data type="string">
<param name="pattern">mac[a-zA-Z0-9_\.:\-]{0,9}</param>
</data>
<data type="string">
<param name="pattern">stp[a-zA-Z0-9_\.:\-]{0,9}</param>
</data>
<data type="string">
<param name="pattern">vlan[a-zA-Z0-9_\.:\-]{0,8}</param>
</data>
<data type="string">
<param name="pattern">arp[a-zA-Z0-9_\.:\-]{0,9}</param>
</data>
<data type="string">
<param name="pattern">rarp[a-zA-Z0-9_\.:\-]{0,8}</param>
</data>
<data type="string">
<param name="pattern">ipv4[a-zA-Z0-9_\.:\-]{0,8}</param>
</data>
<data type="string">
<param name="pattern">ipv6[a-zA-Z0-9_\.:\-]{0,8}</param>
</data>
</choice>
</attribute>
</optional>
<optional>
<attribute name="priority">
<ref name='priority-type'/>
</attribute>
</optional>
</define>
<define name="filterref-node-attributes">
<attribute name="filter">
<data type="NCName"/>
</attribute>
<zeroOrMore>
<element name="parameter">
<attribute name="name">
<ref name="filter-param-name"/>
</attribute>
<attribute name="value">
<ref name="filter-param-value"/>
</attribute>
</element>
</zeroOrMore>
</define>
<define name="rule-node-attributes">
<attribute name="action">
<ref name='action-type'/>
</attribute>
<attribute name="direction">
<ref name='direction-type'/>
</attribute>
<optional>
<attribute name="priority">
<ref name='priority-type'/>
</attribute>
</optional>
<optional>
<attribute name="statematch">
<ref name='statematch-type'/>
</attribute>
</optional>
</define>
<define name="match-attribute">
<interleave>
<optional>
<attribute name="match">
<choice>
<value>yes</value>
<value>no</value>
</choice>
</attribute>
</optional>
</interleave>
</define>
<define name="srcmac-attribute">
<interleave>
<optional>
<attribute name="srcmacaddr">
<ref name="addrMAC"/>
</attribute>
</optional>
</interleave>
</define>
<define name="srcmacandmask-attributes">
<interleave>
<ref name="srcmac-attribute"/>
<optional>
<attribute name="srcmacmask">
<ref name="addrMAC"/>
</attribute>
</optional>
</interleave>
</define>
<define name="common-l2-attributes">
<interleave>
<ref name="srcmacandmask-attributes"/>
<optional>
<attribute name="dstmacaddr">
<ref name="addrMAC"/>
</attribute>
</optional>
<optional>
<attribute name="dstmacmask">
<ref name="addrMAC"/>
</attribute>
</optional>
</interleave>
</define>
<define name="common-ip-attributes-p1">
<interleave>
<optional>
<attribute name="srcipaddr">
<ref name="addrIP"/>
</attribute>
</optional>
<optional>
<attribute name="srcipmask">
<ref name="addrMask"/>
</attribute>
</optional>
<optional>
<attribute name="dstipaddr">
<ref name="addrIP"/>
</attribute>
</optional>
<optional>
<attribute name="dstipmask">
<ref name="addrMask"/>
</attribute>
</optional>
</interleave>
</define>
<define name="common-ip-attributes-p2">
<interleave>
<optional>
<attribute name="srcipfrom">
<ref name="addrIP"/>
</attribute>
</optional>
<optional>
<attribute name="srcipto">
<ref name="addrIP"/>
</attribute>
</optional>
<optional>
<attribute name="dstipfrom">
<ref name="addrIP"/>
</attribute>
</optional>
<optional>
<attribute name="dstipto">
<ref name="addrIP"/>
</attribute>
</optional>
<optional>
<attribute name="dscp">
<ref name="sixbitrange"/>
</attribute>
</optional>
<optional>
<attribute name="connlimit-above">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="state">
<ref name="stateflags-type"/>
</attribute>
</optional>
<optional>
<attribute name="ipset">
<ref name="ipset-name-type"/>
</attribute>
<attribute name="ipsetflags">
<ref name="ipset-flags-type"/>
</attribute>
</optional>
</interleave>
</define>
<define name="common-ipv6-attributes-p1">
<interleave>
<optional>
<attribute name="srcipaddr">
<ref name="addrIPv6"/>
</attribute>
</optional>
<optional>
<attribute name="srcipmask">
<ref name="addrMaskv6"/>
</attribute>
</optional>
<optional>
<attribute name="dstipaddr">
<ref name="addrIPv6"/>
</attribute>
</optional>
<optional>
<attribute name="dstipmask">
<ref name="addrMaskv6"/>
</attribute>
</optional>
</interleave>
</define>
<define name="common-ipv6-attributes-p2">
<interleave>
<optional>
<attribute name="srcipfrom">
<ref name="addrIPv6"/>
</attribute>
</optional>
<optional>
<attribute name="srcipto">
<ref name="addrIPv6"/>
</attribute>
</optional>
<optional>
<attribute name="dstipfrom">
<ref name="addrIPv6"/>
</attribute>
</optional>
<optional>
<attribute name="dstipto">
<ref name="addrIPv6"/>
</attribute>
</optional>
<optional>
<attribute name="dscp">
<ref name="sixbitrange"/>
</attribute>
</optional>
</interleave>
</define>
<define name="common-port-attributes">
<interleave>
<optional>
<attribute name="srcportstart">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="srcportend">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="dstportstart">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="dstportend">
<ref name="uint16range"/>
</attribute>
</optional>
</interleave>
</define>
<define name="icmp-attributes">
<interleave>
<optional>
<attribute name="type">
<ref name="uint8range"/>
</attribute>
</optional>
<optional>
<attribute name="code">
<ref name="uint8range"/>
</attribute>
</optional>
</interleave>
</define>
<define name="mac-attributes">
<interleave>
<optional>
<attribute name="protocolid">
<ref name="mac-protocolid"/>
</attribute>
</optional>
</interleave>
</define>
<define name="vlan-attributes">
<interleave>
<optional>
<attribute name="vlanid">
<ref name="vlan-vlanid"/>
</attribute>
</optional>
<optional>
<attribute name="encap-protocol">
<ref name="mac-protocolid"/>
</attribute>
</optional>
</interleave>
</define>
<define name="stp-attributes">
<optional>
<attribute name="type">
<ref name="uint8range"/>
</attribute>
</optional>
<optional>
<attribute name="flags">
<ref name="uint8range"/>
</attribute>
</optional>
<optional>
<attribute name="root-priority">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="root-priority-hi">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="root-address">
<ref name="addrMAC"/>
</attribute>
</optional>
<optional>
<attribute name="root-address-mask">
<ref name="addrMAC"/>
</attribute>
</optional>
<optional>
<attribute name="root-cost">
<ref name="uint32range"/>
</attribute>
</optional>
<optional>
<attribute name="root-cost-hi">
<ref name="uint32range"/>
</attribute>
</optional>
<optional>
<attribute name="sender-priority">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="sender-priority-hi">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="sender-address">
<ref name="addrMAC"/>
</attribute>
</optional>
<optional>
<attribute name="sender-address-mask">
<ref name="addrMAC"/>
</attribute>
</optional>
<optional>
<attribute name="port">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="port-hi">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="age">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="age-hi">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="max-age">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="max-age-hi">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="hello-time">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="hello-time-hi">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="forward-delay">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="forward-delay-hi">
<ref name="uint16range"/>
</attribute>
</optional>
</define>
<define name="arp-attributes">
<interleave>
<optional>
<attribute name="arpsrcmacaddr">
<ref name="addrMAC"/>
</attribute>
</optional>
<optional>
<attribute name="arpsrcipaddr">
<ref name="addrIP"/>
</attribute>
</optional>
<optional>
<attribute name="arpdstmacaddr">
<ref name="addrMAC"/>
</attribute>
</optional>
<optional>
<attribute name="arpdstipaddr">
<ref name="addrIP"/>
</attribute>
</optional>
<optional>
<attribute name="hwtype">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="opcode">
<ref name="arpOpcodeType"/>
</attribute>
</optional>
<optional>
<attribute name="protocoltype">
<ref name="uint16range"/>
</attribute>
</optional>
<optional>
<attribute name="gratuitous">
<ref name="boolean"/>
</attribute>
</optional>
</interleave>
</define>
<define name="ip-attributes">
<optional>
<attribute name="protocol">
<ref name="ipProtocolType"/>
</attribute>
</optional>
</define>
<define name="dscp-attribute">
<optional>
<attribute name="dscp">
<ref name="sixbitrange"/>
</attribute>
</optional>
</define>
<define name="comment-attribute">
<optional>
<attribute name="comment">
<ref name="comment-type"/>
</attribute>
</optional>
</define>
<define name="tcp-attributes">
<optional>
<attribute name="flags">
<ref name="tcpflags-type"/>
</attribute>
</optional>
</define>
<!-- ################ type library ################ -->
<define name="variable-name-type">
<data type="string">
<param name="pattern">$[a-zA-Z0-9_]+(\[[ ]*[@]?[0-9]+[ ]*\])?</param>
</data>
</define>
<define name="addrMAC">
<choice>
<ref name="variable-name-type"/>
<data type="string">
<param name="pattern">([a-fA-F0-9]{1,2}:){5}[a-fA-F0-9]{1,2}</param>
</data>
</choice>
</define>
<define name="addrIP">
<choice>
<ref name="variable-name-type"/>
<data type="string">
<param name="pattern">([0-2]?[0-9]?[0-9]\.){3}[0-2]?[0-9]?[0-9]</param>
</data>
</choice>
</define>
<define name="addrIPv6">
<choice>
<ref name="variable-name-type"/>
<data type="string">
<param name="pattern">([a-fA-F0-9]{0,4}:){2,7}([a-fA-F0-9]*)(([0-2]?[0-9]?[0-9]\.){3}[0-2]?[0-9]?[0-9])?</param>
</data>
</choice>
</define>
<define name="addrMask">
<choice>
<ref name="variable-name-type"/>
<data type="int">
<param name="minInclusive">0</param>
<param name="maxInclusive">32</param>
</data>
<data type="string">
<param name="pattern">([0-2]?[0-9]?[0-9]\.){3}[0-2]?[0-9]?[0-9]</param>
</data>
</choice>
</define>
<define name="addrMaskv6">
<choice>
<ref name="variable-name-type"/>
<data type="int">
<param name="minInclusive">0</param>
<param name="maxInclusive">128</param>
</data>
<data type="string">
<param name="pattern">([a-fA-F0-9]{0,4}:){2,7}([a-fA-F0-9]*)</param>
</data>
</choice>
</define>
<define name="sixbitrange">
<choice>
<data type="string">
<param name="pattern">0x([0-3][0-9a-fA-F]|[0-9a-fA-F])</param>
</data>
<ref name="variable-name-type"/>
<data type="int">
<param name="minInclusive">0</param>
<param name="maxInclusive">63</param>
</data>
</choice>
</define>
<define name="mac-protocolid">
<choice>
<ref name="variable-name-type"/>
<data type="string">
<param name="pattern">0x([6-9a-fA-F][0-9a-fA-F]{2}|[0-9a-fA-F]{4})</param>
</data>
<data type="int">
<param name="minInclusive">1536</param>
<param name="maxInclusive">65535</param>
</data>
<choice>
<value>arp</value>
<value>rarp</value>
<value>ipv4</value>
<value>ipv6</value>
<value>vlan</value>
</choice>
</choice>
</define>
<define name="vlan-vlanid">
<choice>
<ref name="variable-name-type"/>
<data type="string">
<param name="pattern">0x([0-9a-fA-F]{1,3})</param>
</data>
<data type="int">
<param name="minInclusive">0</param>
<param name="maxInclusive">4095</param>
</data>
</choice>
</define>
<define name="uint16range">
<choice>
<ref name="variable-name-type"/>
<data type="string">
<param name="pattern">0x[0-9a-fA-F]{1,4}</param>
</data>
<data type="int">
<param name="minInclusive">0</param>
<param name="maxInclusive">65535</param>
</data>
</choice>
</define>
<define name="uint32range">
<choice>
<ref name="variable-name-type"/>
<data type="string">
<param name="pattern">0x[0-9a-fA-F]{1,8}</param>
</data>
<data type="unsignedInt"/>
</choice>
</define>
<define name="boolean">
<choice>
<value>yes</value>
<value>no</value>
<value>true</value>
<value>false</value>
<value>1</value>
<value>0</value>
</choice>
</define>
<define name="arpOpcodeType">
<choice>
<ref name="variable-name-type"/>
<data type="int">
<param name="minInclusive">0</param>
<param name="maxInclusive">65535</param>
</data>
<data type="string">
<param name="pattern">([Rr]eply|[Rr]equest|[Rr]equest_[Rr]everse|[Rr]eply_[Rr]everse|DRARP_[Rr]equest|DRARP_[Rr]eply|DRARP_[Ee]rror|InARP_[Rr]equest|ARP_NAK)</param>
</data>
</choice>
</define>
<define name="ipProtocolType">
<choice>
<ref name="variable-name-type"/>
<data type="string">
<param name="pattern">0x[0-9a-fA-F]{1,2}</param>
</data>
<data type="int">
<param name="minInclusive">0</param>
<param name="maxInclusive">255</param>
</data>
<choice>
<value>tcp</value>
<value>udp</value>
<value>udplite</value>
<value>esp</value>
<value>ah</value>
<value>icmp</value>
<value>igmp</value>
<value>sctp</value>
<value>icmpv6</value>
</choice>
</choice>
</define>
<define name="filter-param-name">
<data type="string">
<param name="pattern">[a-zA-Z0-9_]+</param>
</data>
</define>
<define name="filter-param-value">
<data type="string">
<param name="pattern">[a-zA-Z0-9_\.:]+</param>
</data>
</define>
<define name='action-type'>
<choice>
<value>drop</value>
<value>accept</value>
<value>reject</value>
<value>continue</value>
<value>return</value>
</choice>
</define>
<define name='direction-type'>
<choice>
<value>in</value>
<value>out</value>
<value>inout</value>
</choice>
</define>
<define name='priority-type'>
<data type="int">
<param name="minInclusive">-1000</param>
<param name="maxInclusive">1000</param>
</data>
</define>
<define name='statematch-type'>
<data type="string">
<param name="pattern">([Ff][Aa][Ll][Ss][Ee]|0)</param>
</data>
</define>
<define name='comment-type'>
<data type="string"/>
</define>
<define name='stateflags-type'>
<data type="string">
<param name="pattern">((NEW|ESTABLISHED|RELATED|INVALID)(,(NEW|ESTABLISHED|RELATED|INVALID))*|NONE)</param>
</data>
</define>
<define name='tcpflags-type'>
<data type="string">
<param name="pattern">((SYN|ACK|URG|PSH|FIN|RST)(,(SYN|ACK|URG|PSH|FIN|RST))*|ALL|NONE)/((SYN|ACK|URG|PSH|FIN|RST)(,(SYN|ACK|URG|PSH|FIN|RST))*|ALL|NONE)</param>
</data>
</define>
<define name='ipset-name-type'>
<choice>
<ref name="variable-name-type"/>
<data type="string">
<param name="pattern">[a-zA-Z0-9_\.:\-\+ ]{1,31}</param>
</data>
</choice>
</define>
<define name='ipset-flags-type'>
<data type="string">
<param name="pattern">(src|dst)(,(src|dst)){0,5}</param>
</data>
</define>
</grammar>