<!--
daxfifw_0.5.dtd
DAXFi Firewall Rules 0.5
Probably it's not a completely valid DTD.
Copyright 2001, 2002 Davide Alberani <alberanid@libero.it>
-->
<!-- Common attributes, included in the ATTLIST of every element below.
'id' is reserved for future uses. It is a DTD ID, so when present a
validating parser requires it to be unique within the document.
-->
<!ENTITY % common.attrs
'id ID #IMPLIED'>
<!-- Elements that represent an action to be taken for one or more rules.
Used as the content model of 'ruleset': at least one action element ('+'),
in any order and any number.
-->
<!ENTITY % action.elem
'(append|delete|replace|insert|flush)+'>
<!-- Elements used to describe protocols.
Optional ('?'): the DTD accepts a rule with no protocol element at all.
-->
<!ENTITY % protocol.elem
'(tcp|udp|icmp|protocol)?'>
<!-- Elements used to describe NAT rules.
Each name is both an element declared below and a legal value of the 'nat'
attribute. Written without parentheses on purpose, because the list is
spliced into the 'target.elem' content model; an attribute type built from
it needs its own parentheses. -->
<!ENTITY % nat.val 'snat|dnat|masq|redirect'>
<!-- Valid targets (what to do with matching packets).
Written without parentheses on purpose, because the list is spliced into
the 'target.elem' content model; an attribute type built from it needs its
own parentheses. -->
<!ENTITY % target.val 'accept|reject|drop'>
<!-- Target elements. Only one target or one NAT type can be present.
The trailing '?' also allows a rule with no target element at all: the DTD
does not require a rule to say what happens to matching packets, so that
check is left to whatever consumes the document.
-->
<!ENTITY % target.elem
'(target|%target.val;|nat|%nat.val;)?'>
<!-- Various elements. Both are optional; when both are present 'limit'
must precede 'log', since ',' is an ordered sequence. -->
<!ENTITY % misc.elem
'limit?, log?'>
<!-- Elements that can/must be present inside a 'rule' element.
An ordered sequence: protocol element, then target element, then 'limit'
and 'log'. Every member is optional, so an empty 'rule' is valid as far as
the DTD is concerned.
-->
<!ENTITY % rule.elem
'(%protocol.elem;,
%target.elem;,
%misc.elem;)'>
<!-- Valid values for the 'direction' attribute.
Parenthesized, so it can be used directly as an enumerated attribute type. -->
<!ENTITY % direction.val '(in|out)'>
<!-- Valid values for flags: the yes/no attributes 'fragment-only' and
'syn-only'. -->
<!ENTITY % flag.val '(yes|no)'>
<!-- Stateful inspection support: values of the 'state' attribute.
NOTE(review): only 'related' and 'new' are listed; if the rule generator
also distinguishes already-established connections, that value has to be
added here before it can appear in a valid document. -->
<!ENTITY % state.val '(related|new)'>
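<!-- Flags for TCP packets.
The intended value of 'tcp-flags' is a comma-separated list of the names
below, optionally followed by '/' and a second list. The original
'tcpflags.val' wrote that grammar as a regular expression ('list(/list)?'),
which is not a legal DTD attribute type: an enumeration separates tokens
with '|' and allows neither ',' nor '/' nor repetition. The attribute is
therefore declared CDATA, and the name list is kept for documentation only;
a validating parser does not check the flag names.
-->
<!ENTITY % tcpflags '(fin,syn,rst,push,ack,urg,ecn,cwr)'>
<!ENTITY % tcpflags.val 'CDATA'>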
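<!-- Log priority and facility (syslog names).
Both are enumerated attribute types, so every facility must be spelled out:
'local[1-7]' in the original was regular-expression syntax, and '[' is not
a legal character in an enumeration token.
NOTE(review): syslog also defines local0; it was not in the original list
and is left out here, add it if the rule generator accepts it.
-->
<!ENTITY % logprio.val '(debug|info|notice|warning|err|crit|alert|emerg)'>
<!ENTITY % logfac.val '(auth|authpriv|cron|daemon|kern|lpr|mail|news|syslog|user|uucp|ftp|local1|local2|local3|local4|local5|local6|local7)'>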
<!-- The direction for a rule.
XXX: the 'direction' attribute is not required in a NAT rule.
Despite the '.req' suffix the attribute is declared #IMPLIED, so a
validating parser also accepts a non-NAT rule without a direction; that
check has to live in the consumer.
-->
<!ENTITY % direction.req
'direction %direction.val; #IMPLIED'>
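<!-- Attributes of a 'rule' element.
The 'direction.req' reference belongs inside the quoted entity value: an
ENTITY declaration takes a single literal, so a bare parameter-entity
reference in front of the literal is a syntax error (parameter-entity
references are expanded inside entity values in an external DTD subset,
exactly as in 'tcp.attrs' below).
All address and interface values are CDATA, i.e. unconstrained by the DTD;
a validating parser accepts any string here.
-->
<!ENTITY % rule.attrs
'%direction.req;
source-ip CDATA #IMPLIED
destination-ip CDATA #IMPLIED
interface CDATA #IMPLIED
fragment-only %flag.val; #IMPLIED'>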
<!-- Attribute used with some actions.
Required for 'replace' and 'insert', optional for 'delete'. 'rule-number'
is CDATA, so the DTD does not check that it is numeric or in range.
-->
<!ENTITY % rulenum.req
'rule-number CDATA #REQUIRED'>
<!ENTITY % rulenum.opt
'rule-number CDATA #IMPLIED'>
<!-- Attributes for the 'protocol' element.
The 'protocol' attribute is required on that element; it is CDATA, so the
DTD does not check its value.
-->
<!ENTITY % otherproto.req
'protocol CDATA #REQUIRED'>
<!-- Port attributes, shared by 'tcp', 'udp' and 'protocol'. CDATA: port
numbers and ranges are not validated by the DTD. -->
<!ENTITY % sourcedestp.opt
'source-port CDATA #IMPLIED
destination-port CDATA #IMPLIED'>
<!-- Connection-state attribute, shared by every protocol element. -->
<!ENTITY % state.opt
'state %state.val; #IMPLIED'>
<!-- Per-protocol attribute sets.
'tcp.attrs' is 'udp.attrs' (ports and state) plus the TCP-only 'tcp-flags'
and 'syn-only'; 'icmp.attrs' is 'icmp-type' plus state. 'tcp-flags' relies
on 'tcpflags.val', declared above; 'icmp-type' is CDATA and not validated.
-->
<!ENTITY % tcp.attrs
'%sourcedestp.opt;
tcp-flags %tcpflags.val; #IMPLIED
syn-only %flag.val; #IMPLIED
%state.opt;'>
<!ENTITY % udp.attrs
'%sourcedestp.opt;
%state.opt;'>
<!ENTITY % icmp.attrs
'icmp-type CDATA #IMPLIED
%state.opt;'>
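<!-- Attributes for the 'target' element.
'target' is an enumerated attribute, so its value list must be
parenthesized; 'target.val' carries no parentheses of its own because it is
also spliced into the 'target.elem' content model.
'reject-with' is CDATA and is shared with the 'reject' element; the DTD
cannot restrict it to target="reject", so that check is left to the
consumer.
-->
<!ENTITY % reject.attrs
'reject-with CDATA #IMPLIED'>
<!ENTITY % target.attrs
'%reject.attrs;
target (%target.val;) #REQUIRED'>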
<!-- Attributes for the 'log' element.
Both are optional enumerations ('logprio.val' and 'logfac.val' above). -->
<!ENTITY % log.attrs
'priority %logprio.val; #IMPLIED
facility %logfac.val; #IMPLIED'>
<!-- Attributes for the 'limit' element.
'rate' and 'burst' are CDATA: neither their format nor their numeric range
is checked by the DTD. -->
<!ENTITY % limit.attrs
'rate CDATA #IMPLIED
burst CDATA #IMPLIED'>
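<!-- Attributes for the 'nat' element.
'nat' is an enumerated attribute, so its value list must be parenthesized;
'nat.val' carries no parentheses of its own because it is also spliced into
the 'target.elem' content model.
-->
<!ENTITY % nattype.req
'nat (%nat.val;) #REQUIRED'>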
<!-- Optional and required variants of the NAT destination attributes.
The specific NAT elements below use the required variants, the generic
'nat' element the optional ones. Both are CDATA: addresses and ports are
not validated by the DTD.
-->
<!ENTITY % toport.opt
'to-port CDATA #IMPLIED'>
<!ENTITY % toport.req
'to-port CDATA #REQUIRED'>
<!ENTITY % toaddress.opt
'to-address CDATA #IMPLIED'>
<!ENTITY % toaddress.req
'to-address CDATA #REQUIRED'>
<!-- A 'ruleset' element (presumably the document root) contains one or more
'action elements', in any order; 'action.elem' is a '+' group. -->
<!ELEMENT ruleset %action.elem;>
<!ATTLIST ruleset
%common.attrs;>
<!-- The 'action elements'.
'append' takes one or more rules; 'delete' any number of rules plus an
optional 'rule-number'; 'replace' and 'insert' exactly one rule and a
required 'rule-number'.
NOTE(review): 'flush' is declared with exactly one mandatory 'rule' child
and no 'rule-number'. If flushing is meant to act on a whole chain rather
than on one rule, '(rule)?' or EMPTY may be what was intended; confirm
against the parser before changing it.
-->
<!ELEMENT append (rule)+>
<!ATTLIST append
%common.attrs;>
<!ELEMENT delete (rule)*>
<!ATTLIST delete
%common.attrs;
%rulenum.opt;>
<!ELEMENT replace (rule)>
<!ATTLIST replace
%common.attrs;
%rulenum.req;>
<!ELEMENT insert (rule)>
<!ATTLIST insert
%common.attrs;
%rulenum.req;>
<!ELEMENT flush (rule)>
<!ATTLIST flush
%common.attrs;>
<!-- The 'rule' element.
Content is the 'rule.elem' sequence (all members optional); attributes are
'rule.attrs' plus the common 'id'. -->
<!ELEMENT rule %rule.elem;>
<!ATTLIST rule
%common.attrs;
%rule.attrs;>
<!-- Protocol elements.
All EMPTY: the match criteria are carried entirely by attributes. -->
<!ELEMENT tcp EMPTY>
<!ATTLIST tcp
%common.attrs;
%tcp.attrs;>
<!ELEMENT udp EMPTY>
<!ATTLIST udp
%common.attrs;
%udp.attrs;>
<!ELEMENT icmp EMPTY>
<!ATTLIST icmp
%common.attrs;
%icmp.attrs;>
<!-- Generic protocol element (presumably for protocols without a dedicated
element), with a required 'protocol' attribute.
It takes the union of the tcp, udp and icmp attribute sets, so
'source-port', 'destination-port' and 'state' are declared more than once
on this element. XML permits that (the first declaration is binding and
later ones are ignored) but parsers may warn; 'tcp.attrs' plus 'icmp.attrs'
alone would declare the same attributes with fewer repeats.
-->
<!ELEMENT protocol EMPTY>
<!ATTLIST protocol
%common.attrs;
%otherproto.req;
%tcp.attrs;
%udp.attrs;
%icmp.attrs;>
<!-- Target elements.
'accept', 'reject' and 'drop' are shorthand elements; 'target' carries the
same choice in its required 'target' attribute. 'reject-with' is available
on 'reject' and, through 'target.attrs', on 'target'.
-->
<!ELEMENT accept EMPTY>
<!ATTLIST accept
%common.attrs;>
<!ELEMENT reject EMPTY>
<!ATTLIST reject
%common.attrs;
%reject.attrs;>
<!ELEMENT drop EMPTY>
<!ATTLIST drop
%common.attrs;>
<!ELEMENT target EMPTY>
<!ATTLIST target
%common.attrs;
%target.attrs;>
<!-- Limit element: EMPTY, with the optional 'rate' and 'burst' attributes. -->
<!ELEMENT limit EMPTY>
<!ATTLIST limit
%common.attrs;
%limit.attrs;>
<!-- Log element: EMPTY, with the optional 'priority' and 'facility'
attributes. -->
<!ELEMENT log EMPTY>
<!ATTLIST log
%common.attrs;
%log.attrs;>
<!-- NAT elements.
'snat' and 'dnat' require 'to-address' (port optional); 'masq' and
'redirect' require 'to-port'. The generic 'nat' element selects the type
with its 'nat' attribute but makes both 'to-address' and 'to-port'
optional, so the required-attribute checks enforced by the specific
elements are lost when the generic form is used: a validating parser
accepts, for example, nat="snat" without a 'to-address'. The consumer has
to re-check that combination itself.
-->
<!ELEMENT snat EMPTY>
<!ATTLIST snat
%common.attrs;
%toaddress.req;
%toport.opt;>
<!ELEMENT dnat EMPTY>
<!ATTLIST dnat
%common.attrs;
%toaddress.req;
%toport.opt;>
<!ELEMENT masq EMPTY>
<!ATTLIST masq
%common.attrs;
%toport.req;>
<!ELEMENT redirect EMPTY>
<!ATTLIST redirect
%common.attrs;
%toport.req;>
<!ELEMENT nat EMPTY>
<!ATTLIST nat
%common.attrs;
%nattype.req;
%toport.opt;
%toaddress.opt;>