7 Appendix B: Full ABNF Grammar
This section lists the complete grammar rules for the policy settings, encoded in ABNF syntax, for implementers of the Group Policy: Firewall and Advanced Security Group Policy Extension Encoding.
; Primitive value rules referenced by the TYPE-VALUE alternatives further down.
; NOTE(review): these rules are lexical only. Numeric ranges, begin <= end
; ordering and similar semantic constraints are not expressed here and must be
; enforced by the parser or validator that consumes a rule string.
; ABNF quoted literals match case-insensitively (RFC 5234); whether the
; consuming implementation is equally lenient is not stated in this listing.
PROFILE-VAL = "Domain" / "Private" / "Public"
; Port range and single port. The grammar does not require BEGINPORT <= ENDPORT.
PORT-RANGE-VAL = BEGINPORT "-" ENDPORT
PORT-VAL = SINGLEPORT
BEGINPORT = PORT
ENDPORT = PORT
SINGLEPORT = PORT
; 1*5DIGIT also matches 0 and 65536-99999; TCP/UDP ports are 16-bit, so the
; numeric value needs an explicit range check after parsing.
PORT = 1*5DIGIT
; Symbolic port keywords. The -2-NN suffix presumably tracks the schema version
; that introduced the keyword (compare the "LPort2_10=" field) - TODO confirm.
; Among the rules shown here only LPORT-KEYWORD-VAL and the two -2-10 sets are
; referenced by a TYPE-VALUE alternative; the -2-20, -2-25, -2-28 and -2-29
; sets are defined but not referenced in this listing.
LPORT-KEYWORD-VAL = "RPC" / "RPC-EPMap" / "Teredo"
LPORT-KEYWORD-VAL-2-10 = "IPTLSIn" / "IPHTTPSIn"
RPORT-KEYWORD-VAL-2-10 = "IPTLSOut" / "IPHTTPSOut"
LPORT-KEYWORD-VAL-2-20 = "Ply2Disc" / "DHCP"
LPORT-KEYWORD-VAL-2-25 = "mDNS"
RPORT-KEYWORD-VAL-2-28 = "CortanaOut"
LPORT-KEYWORD-VAL-2-29 = "TcpCDPSvc"
DIR-VAL = "In" / "Out"
ACTION-VAL = "Allow" / "Block" / "ByPass"
IFSECURE-VAL = "Authenticate" / "AuthenticateEncrypt"
IFSECURE2-9-VAL = "An-NoEncap"
IFSECURE2-10-VAL = "AnE-Nego"
; GUID is not defined in the rules shown here.
IF-VAL = GUID
IFTYPE-VAL = "Lan" / "Wireless" / "RemoteAccess"
; IPv4 range or single address. Begin <= end is not expressed by the grammar.
ADDRESSV4-RANGE-VAL = ( BEGINADDRV4 "-" ENDADDRV4 / SINGLEADDRV4 )
BEGINADDRV4 = ADDRV4
ENDADDRV4 = ADDRV4
SINGLEADDRV4 = ADDRV4
; Each octet is 1*3DIGIT, so 256-999 match lexically; validate every octet
; as <= 255 before using the address.
ADDRV4 = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
; Subnet as prefix length or dotted mask. MASK-ADDRV4 is any ADDRV4, so
; non-contiguous masks also match and need a separate check if disallowed.
ADDRESSV4-SUBNET-VAL = ( SUBNET-ADDRV4 "/" V4PREFIX-LENGTH ) / ( SUBNET-ADDRV4 "/" MASK-ADDRV4 )
; 1*2DIGIT matches 0-99; an IPv4 prefix length is at most 32.
V4PREFIX-LENGTH = 1*2DIGIT
SUBNET-ADDRV4 = ADDRV4
MASK-ADDRV4 = ADDRV4
; ADDRV6 is not defined in the rules shown here.
ADDRESSV6-RANGE-VAL = ( BEGINADDRV6 "-" ENDADDRV6 / SINGLEADDRV6)
BEGINADDRV6 = ADDRV6
ENDADDRV6 = ADDRV6
SINGLEADDRV6 = ADDRV6
ADDRESSV6-SUBNET-VAL = SUBNET-ADDRV6 "/" V6PREFIX-LENGTH
; 1*3DIGIT matches 0-999; an IPv6 prefix length is at most 128.
V6PREFIX-LENGTH = 1*3DIGIT
SUBNET-ADDRV6 = ADDRV6
ADDRESS-KEYWORD-VAL = "LocalSubnet" / "DNS" / "DHCP" / "WINS" / "DefaultGateway"
BOOL-VAL = "TRUE" / "FALSE"
DEFER-VAL = "App" / "User"
; ICMP type and code are 8-bit fields; 1*3DIGIT also matches 256-999.
; CODE additionally accepts "*".
ICMP-TYPE-CODE-VAL = TYPE ":" CODE
TYPE = 1*3DIGIT
CODE = 1*3DIGIT / "*"
; PLATFORM is 1*DIGIT with no upper bound on length; guard against integer
; overflow when converting it.
PLATFORM-VAL = PLATFORM ":" OS-MAJOR-VER ":" OS-MINOR-VER
PLATFORM = 1*DIGIT
OS-MAJOR-VER = 1*3DIGIT
OS-MINOR-VER = 1*3DIGIT
PLATFORM-OP-VAL = "GTEQ"
; RULE: "v" VERSION, a "|" separator, then one or more FIELDs, each terminated
; by "|". Judging by its Action/Dir/port fields this is the firewall rule
; encoding - TODO confirm against the main specification.
; NOTE(review): 1*FIELD places no constraint on field order, repetition or
; mandatory fields. Duplicate or conflicting fields (for example two "Action="
; entries) are syntactically valid, so the consumer has to define how they
; resolve; the grammar alone does not.
RULE = "v" VERSION "|" 1*FIELD
FIELD = TYPE-VALUE "|"
; TYPE-VALUE is built up incrementally: "=/" adds one alternative per line.
TYPE-VALUE = "Action=" ACTION-VAL
TYPE-VALUE =/ "Dir=" DIR-VAL
TYPE-VALUE =/ "Profile=" PROFILE-VAL
TYPE-VALUE =/ "Protocol=" 1*3DIGIT ; protocol is maximum 3 digits (255)
; "LPort=" accepts a single port or a keyword; "RPort=" accepts a single port
; only. Ranges are carried by the separate *2_10 fields.
TYPE-VALUE =/ "LPort=" ( PORT-VAL / LPORT-KEYWORD-VAL )
TYPE-VALUE =/ "RPort=" PORT-VAL
TYPE-VALUE =/ "LPort2_10=" ( PORT-RANGE-VAL / LPORT-KEYWORD-VAL-2-10 )
TYPE-VALUE =/ "RPort2_10=" ( PORT-RANGE-VAL / RPORT-KEYWORD-VAL-2-10 )
TYPE-VALUE =/ "Security=" IFSECURE-VAL
TYPE-VALUE =/ "Security2_9=" IFSECURE2-9-VAL
TYPE-VALUE =/ "Security2=" IFSECURE2-10-VAL
TYPE-VALUE =/ "IF=" IF-VAL
TYPE-VALUE =/ "IFType=" IFTYPE-VAL
TYPE-VALUE =/ "App=" APP-VAL
TYPE-VALUE =/ "Svc=" SVC-VAL
; Local addresses accept range or subnet forms; remote addresses additionally
; accept ADDRESS-KEYWORD-VAL.
TYPE-VALUE =/ "LA4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL )
TYPE-VALUE =/ "RA4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "LA6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL )
TYPE-VALUE =/ "RA6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "Name=" STR-VAL
TYPE-VALUE =/ "Desc=" STR-VAL
TYPE-VALUE =/ "EmbedCtxt=" STR-VAL
TYPE-VALUE =/ "Edge=" BOOL-VAL
TYPE-VALUE =/ "Defer=" DEFER-VAL
TYPE-VALUE =/ "LSM=" BOOL-VAL
TYPE-VALUE =/ "Active=" BOOL-VAL
TYPE-VALUE =/ "ICMP4=" ICMP-TYPE-CODE-VAL
TYPE-VALUE =/ "ICMP6=" ICMP-TYPE-CODE-VAL
TYPE-VALUE =/ "Platform=" PLATFORM-VAL
TYPE-VALUE =/ "RMauth=" STR-VAL
TYPE-VALUE =/ "RUAuth=" STR-VAL
TYPE-VALUE =/ "AuthByPassOut=" BOOL-VAL
TYPE-VALUE =/ "SkipVer=" VERSION
VERSION = MAJOR-VER "." MINOR-VER
MAJOR-VER = 1*3DIGIT
MINOR-VER = 1*3DIGIT
; NOTE(review): ALPHANUM is not an RFC 5234 core rule and is not defined in the
; rules shown here. Whether "|" (the field terminator) or "=" can occur inside
; APP-VAL, SVC-VAL or STR-VAL therefore cannot be determined from this listing;
; a parser should settle this before splitting a rule string on "|".
APP-VAL = 1*ALPHANUM
SVC-VAL = "*" / 1*ALPHANUM
STR-VAL = 1*ALPHANUM
; Value rules that are not referenced by any TYPE-VALUE alternative in this
; listing; presumably they encode other policy settings (interface lists,
; authentication and cryptographic sets) - TODO confirm in the main
; specification.
; INTERFACES-VAL is optional: empty, a single braced GUID, or a comma-separated
; list of braced GUIDs. GUID is not defined in the rules shown here.
INTERFACES-VAL = [ *1INTF-FIELD / INTF-FIELD 1*INTF-FIELD-SEQ ]
INTF-FIELD = "{" GUID "}"
INTF-FIELD-SEQ = "," INTF-FIELD
PHASE1-AUTH-METHOD-VAL = "Anonymous" / "MachineKerb" / "MachineCert"
PHASE1-AUTH-METHOD-VAL =/ "MachineSHKey" / "MachineNtlm"
PHASE2-AUTH-METHOD-VAL = "Anonymous" / "MachineCert" / "UserKerb"
PHASE2-AUTH-METHOD-VAL =/ "UserCert" / "UserNtlm"
; Units are not stated in this listing. 1*10DIGIT can exceed 4294967295, so
; convert into a type wide enough or check for overflow.
TIMEOUT-MIN-VAL = 1*8DIGIT
TIMEOUT-SESS-VAL = 1*10DIGIT
PFS-VAL = "Disable" / "EnableDHFromPhase1" / "ReKeyDH1" / "ReKeyDH2" / "ReKeyDH2048"
PFS-VAL =/ "ReKeyECDH256" / "ReKeyECDH384"
; NOTE(review): the grammar accepts legacy algorithms as valid encodings. DES
; and MD5 are broken or deprecated, and 3DES, SHA1 and the smaller DH groups
; (presumably "DH1"/"DH2" map to the small IKE groups - TODO confirm) are
; widely deprecated. A policy audit should flag these values; syntactic
; validity says nothing about cryptographic strength.
KEY-EXCHANGE-VAL = "DH1" / "DH2" / "DH2048" / "ECDH-256" / "ECDH-384"
ENCRYPTION-VAL = "DES" / "3DES" / "AES-128" / "AES-192" / "AES-256"
HASH-VAL = "MD5" / "SHA1"
HASH2-1-VAL = "SHA256" / "SHA384"
PROTOCOL-VAL = "AH" / "ESP" / "AH&ESP"
ENCRYPTION2-1-VAL = "AES-GCM128" / "AES-GCM192" / "AES-GCM256"
AH-ESP-HASH2-1-VAL = "SHA256" / "AES-GCM128" / "AES-GCM192" / "AES-GCM256"
PROTOCOL2-9-VAL = "AUTH_NO_ENCAP"
CS-ACTION-VAL = "SecureServer" / "Boundary" / "Secure" / "DoNotSecure"
; CSRULE has the same shape as RULE: "v" VERSION "|" followed by one or more
; "|"-terminated FIELDs. Presumably the connection security rule encoding -
; TODO confirm against the main specification.
; NOTE(review): every "TYPE-VALUE =/" line below extends the single TYPE-VALUE
; rule first defined for RULE. Read literally, the merged grammar lets any
; field appear in RULE, CSRULE or MMRULE alike, and "Action=" accepts both
; ACTION-VAL and CS-ACTION-VAL. The grammar does not express which fields
; belong to which rule type, so a validator needs its own per-rule-type
; allowlist of field names and values.
CSRULE = "v" VERSION "|" 1*FIELD
TYPE-VALUE =/ "Action=" CS-ACTION-VAL
TYPE-VALUE =/ "Profile=" PROFILE-VAL
TYPE-VALUE =/ "Protocol=" 1*3DIGIT ; protocol is maximum 3 digits (255)
TYPE-VALUE =/ "EP1Port=" PORT-VAL
TYPE-VALUE =/ "EP2Port=" PORT-VAL
TYPE-VALUE =/ "EP1Port2_10=" PORT-RANGE-VAL
TYPE-VALUE =/ "EP2Port2_10=" PORT-RANGE-VAL
TYPE-VALUE =/ "IF=" IF-VAL
TYPE-VALUE =/ "IFType=" IFTYPE-VAL
; The *Set fields carry STR-VAL; presumably these name authentication or
; cryptographic sets defined elsewhere - TODO confirm.
TYPE-VALUE =/ "Auth1Set=" STR-VAL
TYPE-VALUE =/ "Auth2Set=" STR-VAL
TYPE-VALUE =/ "Crypto2Set=" STR-VAL
; Both endpoints accept range, subnet or keyword forms.
TYPE-VALUE =/ "EP1_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP2_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP1_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP2_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "Name=" STR-VAL
TYPE-VALUE =/ "Desc=" STR-VAL
TYPE-VALUE =/ "EmbedCtxt=" STR-VAL
TYPE-VALUE =/ "Active=" BOOL-VAL
TYPE-VALUE =/ "Platform=" PLATFORM-VAL
TYPE-VALUE =/ "SkipVer=" VERSION
TYPE-VALUE =/ "Platform2=" PLATFORM-OP-VAL
TYPE-VALUE =/ "SecureInClearOut=" BOOL-VAL
TYPE-VALUE =/ "ByPassTunnel=" BOOL-VAL
TYPE-VALUE =/ "Authz=" BOOL-VAL
; Tunnel endpoint fields take a bare ADDRV4 or ADDRV6 (no range or subnet
; form). ADDRV4 is lexical only, so each octet still needs a <= 255 check;
; ADDRV6 is not defined in the rules shown here.
TYPE-VALUE =/ "RTunnel4=" ADDRV4
TYPE-VALUE =/ "RTunnel6=" ADDRV6
TYPE-VALUE =/ "LTunnel4=" ADDRV4
TYPE-VALUE =/ "LTunnel6=" ADDRV6
TYPE-VALUE =/ "RTunnel4_2=" ADDRV4
TYPE-VALUE =/ "RTunnel6_2=" ADDRV6
TYPE-VALUE =/ "LTunnel4_2=" ADDRV4
TYPE-VALUE =/ "LTunnel6_2=" ADDRV6
; MMRULE has the same shape as RULE and CSRULE: "v" VERSION "|" followed by one
; or more "|"-terminated FIELDs. Presumably the main mode rule encoding - TODO
; confirm against the main specification.
; Only "Crypto1Set=" is new in this group; the other alternatives repeat ones
; already added to TYPE-VALUE earlier in the listing.
; NOTE(review): because TYPE-VALUE is one shared rule, the grammar by itself
; does not restrict an MMRULE to the fields listed here; enforce the per-rule
; field set in the validator.
MMRULE = "v" VERSION "|" 1*FIELD
TYPE-VALUE =/ "Profile=" PROFILE-VAL
TYPE-VALUE =/ "Auth1Set=" STR-VAL
TYPE-VALUE =/ "Crypto1Set=" STR-VAL
TYPE-VALUE =/ "EP1_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP2_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP1_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP2_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "Name=" STR-VAL
TYPE-VALUE =/ "Desc=" STR-VAL
TYPE-VALUE =/ "EmbedCtxt=" STR-VAL
TYPE-VALUE =/ "Active=" BOOL-VAL
TYPE-VALUE =/ "Platform=" PLATFORM-VAL
TYPE-VALUE =/ "SkipVer=" VERSION