@spdkils
Created October 3, 2017 05:16
Cisco ACLs v2
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
grammar aclv2;
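// ===== Parser rules =====
// Entry rule: one or more ACL entries followed by EOF, so the whole input has
// to be consumed for the parse to succeed.
// NOTE(review): ANTLR's default error strategy reports a syntax error and then
// recovers. A tool that audits ACLs from this tree should treat any reported
// syntax error as a failed parse (or install a bail-out error strategy) rather
// than trust a partially recovered tree.
acl : ace+ EOF ;

// One entry: optional leading remark lines, the permit/deny clause with its
// addresses, then trailing options.
// NOTE(review): `remarks*?` over `remark+` nests two loops over the same token;
// left unchanged so the generated context accessors keep their shape.
ace : remarks*? action ops ;
remarks : remark+ ;
remark : REMARK ;

// permit/deny (which carry the protocol) followed by source and destination.
action : ( permit | deny ) source dest ;

// The protocol is a NAMED keyword or a NUM (presumably the IP protocol number;
// NUM is unbounded, so range checking is left to the consumer).
permit : PERMIT ( NAMED | NUM ) ;
deny : DENY ( NAMED | NUM ) ;

// Address specification with an optional port operator. Port operators are
// accepted for every protocol; nothing here restricts them to tcp/udp.
source : ( any | host | network ) ports? ;
dest : ( any | host | network ) ports? ;
any : ANY ;
host : HOST ADDRESS ;

// Address followed by its mask. The second element may arrive as MASK or as
// ADDRESS because the lexer emits MASK only when the first octet is `0`.
// NOTE(review): for the same reason an address whose first octet is `0`
// (for example 0.0.0.0) is tokenized as MASK, so `host 0.0.0.0` and
// `0.0.0.0 255.255.255.255` are rejected by `host` / `network` as written.
network : ADDRESS ( MASK | ADDRESS ) ;

// Port operators. Operands are a PORT keyword or a NUM; NUM is any digit run,
// so values above 65535 and reversed ranges parse and must be validated by the
// consumer.
ports : eq | lt | gt | range ;
eq : EQ ( PORT | NUM )+ ;
lt : LT ( PORT | NUM ) ;
gt : GT ( PORT | NUM ) ;
range : RNG ( PORT | NUM ) ( PORT | NUM ) ;

// Trailing options, each optional, accepted only in this fixed order.
ops : icmp? est? reflect? log? ;
est : EST ;
reflect : REFLECT NAME ( TIMEOUT NUM )? ;
log : LOG ;

// ICMP qualifier: a message keyword, or a numeric type with an optional code.
// The code is optional so that a bare numeric type (e.g. `permit icmp any any 8`)
// parses; the original `NUM NUM` required both numbers.
// NOTE(review): the text `echo` is tokenized as PORT (PORT is declared before
// ICMP_PORTS and matches the same four characters), so `permit icmp any any echo`
// is a syntax error with this grammar. Fixing that needs a coordinated
// lexer/parser change (e.g. a dedicated token for the shared keyword).
icmp : ICMP_PORTS | ( NUM NUM? ) ;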
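// A remark is the keyword, the rest of that physical line, and its newline.
// LINE excludes CR/LF: the original `.+?` also matched newlines and needed at
// least one character, so a bare `remark` followed directly by LF consumed the
// LF as its text and then ran on to the end of the NEXT line, silently hiding
// that following permit/deny entry inside the remark token.
// LINE is optional so an empty remark is still a REMARK token.
// NOTE(review): a remark on the last line with no trailing newline still does
// not match REMARK, and any word that merely starts with `remark` begins one.
REMARK : 'remark' LINE? NL ;
fragment LINE : ~[\r\n]+ ;
fragment NL : '\r'? '\n' ;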
// ===== Keyword tokens =====
// These rules are declared before NAME, so when a keyword and NAME match the
// same text the keyword rule wins (ANTLR picks the longest match, then the
// rule declared first).
ANY : 'any' ;
EST : 'established' ;
LOG : 'log-input' | 'log' ;
PERMIT : 'permit' ;
DENY : 'deny' ;
// Protocol keywords accepted after permit/deny.
NAMED : 'ip' | 'tcp' | 'udp' | 'icmp' | 'ahp' | 'eigrp' | 'esp'
| 'gre' | 'igmp' | 'ipinip' | 'nos' | 'ospf' | 'pcp' | 'pim' ;
// Declared before ICMP_PORTS, so the text `reflect` always becomes REFLECT.
REFLECT : 'reflect' ;
TIMEOUT : 'timeout' ;
EQ : 'eq' ;
LT : 'lt' ;
GT : 'gt' ;
RNG : 'range' ;
HOST : 'host' ;
// Dotted quad whose first octet is the single character `0`.
// MASK and ADDRESS match the same text in that case; MASK is declared first
// and therefore wins, so such a quad is never emitted as ADDRESS.
MASK : ZERO DOT QUAD DOT QUAD DOT QUAD ;
// Any dotted quad of four QUAD octets.
ADDRESS : QUAD DOT QUAD DOT QUAD DOT QUAD ;
// Any keyword from either port table; the token does not record which table
// matched, so a UDP-only name is accepted in a tcp entry and vice versa.
// NOTE(review): PORT is declared before ICMP_PORTS, TCP_PORTS and UDP_PORTS, so
// it takes every keyword they share with it (including `echo`); TCP_PORTS and
// UDP_PORTS look like they should be fragments, since PORT always wins the tie.
PORT : ( TCP_PORTS | UDP_PORTS ) ;
// ===== Character helpers =====
// Fragments are building blocks for other lexer rules and never become tokens
// themselves.
fragment DOT  : [.] ;
fragment ZERO : '0' ;
fragment DIG  : '0'..'9' ;
fragment LO4  : '0'..'4' ;
fragment LO5  : '0'..'5' ;
fragment ONE  : [1] ;
fragment TWO  : [2] ;
// One octet of a dotted quad: one or two digits (leading zero allowed),
// 100-199, or 200-255. The last two alternatives overlap on purpose-free
// ground (2[0-4][0-5]); together they cover exactly 200-255.
fragment QUAD
    : DIG DIG?
    | ONE DIG DIG
    | TWO LO4 DIG
    | TWO LO5 LO5
    ;
// ===== Keyword tables =====
// Keywords accepted by the parser's `icmp` rule.
// `echo` and `reflect` listed here are never emitted as ICMP_PORTS: PORT and
// REFLECT are declared earlier and match the same text.
// NOTE(review): entries such as 'dscp', 'fragments', 'option', 'pak-len',
// 'precedence', 'time-range', 'tos' and 'ttl' look like general entry options
// rather than ICMP message names, and some of them normally take an argument
// that the `icmp` rule does not parse. Confirm against the target platform.
ICMP_PORTS : 'administratively-prohibited' | 'alternate-address'
| 'conversion-error' | 'dod-host-prohibited' | 'dod-net-prohibited'
| 'dscp' | 'echo' | 'echo-reply' | 'fragments'
| 'general-parameter-problem' | 'host-isolated'
| 'host-precedence-unreachable' | 'host-redirect'
| 'host-tos-redirect' | 'host-tos-unreachable' | 'host-unknown'
| 'host-unreachable' | 'information-reply' | 'information-request'
| 'mask-reply' | 'mask-request' | 'mobile-redirect' | 'net-redirect'
| 'net-tos-redirect' | 'net-tos-unreachable' | 'net-unreachable'
| 'network-unknown' | 'no-room-for-option' | 'option'
| 'option-missing' | 'packet-too-big' | 'pak-len'
| 'parameter-problem' | 'port-unreachable' | 'precedence'
| 'precedence-unreachable' | 'protocol-unreachable'
| 'reassembly-timeout' | 'redirect' | 'reflect'
| 'router-advertisement' | 'router-solicitation' | 'source-quench'
| 'source-route-failed' | 'time-exceeded' | 'time-range'
| 'timestamp-reply' | 'timestamp-request' | 'tos' | 'traceroute'
| 'ttl' | 'ttl-exceeded' | 'unreachable'
;
// UDP service keywords, referenced by PORT.
// Not a fragment, but PORT is declared earlier and matches the same text, so
// this token type is not expected to appear in the token stream.
UDP_PORTS : 'biff' | 'bootpc' | 'bootps' | 'discard' | 'dnsix'
| 'domain' | 'echo' | 'isakmp' | 'mobile-ip' | 'nameserver'
| 'netbios-dgm' | 'netbios-ns' | 'netbios-ss' | 'non500-isakmp'
| 'ntp' | 'pim-auto-rp' | 'rip' | 'snmp' | 'snmptrap' | 'sunrpc'
| 'syslog' | 'tacacs' | 'talk' | 'tftp' | 'time' | 'who' | 'xdmcp'
;
// TCP service keywords, referenced by PORT; the same shadowing by PORT applies.
TCP_PORTS : 'bgp'
| 'chargen' | 'cmd' | 'daytime' | 'discard' | 'domain' | 'echo'
| 'exec' | 'finger' | 'ftp' | 'ftp-data' | 'gopher' | 'hostname'
| 'ident' | 'irc' | 'klogin' | 'kshell' | 'login' | 'lpd' | 'nntp'
| 'pim-auto-rp' | 'pop2' | 'pop3' | 'smtp' | 'sunrpc' | 'syslog'
| 'tacacs' | 'talk' | 'telnet' | 'time' | 'uucp' | 'whois' | 'www'
;
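// Free-form identifier (used for the reflexive list name). Declared after the
// keyword rules, so it only wins when it matches more text than any keyword.
// NOTE(review): digits and underscores are not accepted, so a name such as
// `web_1` is split into several tokens and fails to parse. Widening the set
// would also change how input like `eq80` is tokenized, so it is left as is.
NAME : [a-zA-Z\-]+ ;

// Unsigned digit run with no upper bound; callers must range-check ports,
// protocol numbers and timeouts themselves.
NUM : DIG+ ;

// Discard whitespace between tokens. Tab is included so tab-indented or
// tab-separated input is skipped instead of raising a token recognition error.
WS : [ \t\r\n]+ -> skip ;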