2.2.2.19 Firewall Rule and the Firewall Rule Grammar Rule
Firewall rules are stored under the Software\Policies\Microsoft\WindowsFirewall\FirewallRules key.
Each value under the key is a firewall rule. The type of the value MUST be REG_SZ. The data of each value is a string that can be parsed by the following grammar. This grammar represents a firewall rule as defined in [MS-FASP] section 2.2.37, except for the wszRuleId field of the FW_RULE structure which is instead represented by the name of the registry value.
RULE = "v" VERSION "|" 1*FIELD
FIELD = TYPE-VALUE "|"
TYPE-VALUE = "Action=" ACTION-VAL
TYPE-VALUE =/ "Dir=" DIR-VAL
TYPE-VALUE =/ "Profile=" PROFILE-VAL
TYPE-VALUE =/ "Protocol=" 1*3DIGIT ; protocol is maximum 3 digits (255)
TYPE-VALUE =/ "LPort=" ( PORT-VAL / LPORT-KEYWORD-VAL )
TYPE-VALUE =/ "RPort=" PORT-VAL
TYPE-VALUE =/ "LPort2_10=" ( PORT-RANGE-VAL / LPORT-KEYWORD-VAL-2-10 )
TYPE-VALUE =/ "RPort2_10=" ( PORT-RANGE-VAL / RPORT-KEYWORD-VAL-2-10 )
TYPE-VALUE =/ "Security=" IFSECURE-VAL
TYPE-VALUE =/ "Security2_9=" IFSECURE2-9-VAL
TYPE-VALUE =/ "Security2=" IFSECURE2-10-VAL
TYPE-VALUE =/ "IF=" IF-VAL
TYPE-VALUE =/ "IFType=" IFTYPE-VAL
TYPE-VALUE =/ "App=" APP-VAL
TYPE-VALUE =/ "Svc=" SVC-VAL
TYPE-VALUE =/ "LA4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL )
TYPE-VALUE =/ "RA4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "LA6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL )
TYPE-VALUE =/ "RA6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "Name=" STR-VAL
TYPE-VALUE =/ "Desc=" STR-VAL
TYPE-VALUE =/ "EmbedCtxt=" STR-VAL
TYPE-VALUE =/ "Edge=" BOOL-VAL
TYPE-VALUE =/ "Defer=" DEFER-VAL
TYPE-VALUE =/ "LSM=" BOOL-VAL
TYPE-VALUE =/ "Active=" BOOL-VAL
TYPE-VALUE =/ "ICMP4=" ICMP-TYPE-CODE-VAL
TYPE-VALUE =/ "ICMP6=" ICMP-TYPE-CODE-VAL
TYPE-VALUE =/ "Platform=" PLATFORM-VAL
TYPE-VALUE =/ "RMauth=" STR-VAL
TYPE-VALUE =/ "RUAuth=" STR-VAL
TYPE-VALUE =/ "AuthByPassOut=" BOOL-VAL
TYPE-VALUE =/ "SkipVer=" VERSION
TYPE-VALUE =/ "LOM=" BOOL-VAL
TYPE-VALUE =/ "Platform2=" PLATFORM-OP-VAL
TYPE-VALUE =/ "PCross=" BOOL-VAL
TYPE-VALUE =/ "LUAuth=" STR-VAL
TYPE-VALUE =/ "RA42=" ADDRESS-KEYWORD-VAL-2-20
TYPE-VALUE =/ "RA62=" ADDRESS-KEYWORD-VAL-2-20
TYPE-VALUE =/ "LUOwn=" STR-VAL
TYPE-VALUE =/ "AppPkgId=" STR-VAL
TYPE-VALUE =/ "LPort2_20=" LPORT-KEYWORD-VAL-2-20
TYPE-VALUE =/ "TTK=" TRUST-TUPLE-KEYWORD-VAL
TYPE-VALUE =/ "TTK2_22=" TRUST-TUPLE-KEYWORD-VAL2-22
TYPE-VALUE =/ "TTK2_27=" TRUST-TUPLE-KEYWORD-VAL2-27
TYPE-VALUE =/ "TTK2_28=" TRUST-TUPLE-KEYWORD-VAL2-28
TYPE-VALUE =/ "LUAuth2_24=" STR-VAL
TYPE-VALUE =/ "NNm=" STR-ENC-VAL
TYPE-VALUE =/ "SecurityRealmId=" STR-VAL
VERSION = MAJOR-VER "." MINOR-VER
MAJOR-VER = 1*3DIGIT
MINOR-VER = 1*3DIGIT
APP-VAL = 1*ALPHANUM
SVC-VAL = "*" / 1*ALPHANUM
STR-VAL = 1*ALPHANUM
MAJOR-VER: This grammar rule describes a decimal number that represents the high-order 8 bits of the wSchemaVersion field of the FW_RULE structure as defined in [MS-FASP] section 2.2.37. Because of this, the decimal value of this number MUST NOT be greater than 255. The remaining grammar rules in this list can also be found in the previously mentioned [MS-FASP] section 2.2.37.
MINOR-VER: This grammar rule describes a decimal number that represents the low-order 8 bits of the wSchemaVersion field of the FW_RULE structure. Because of this, the decimal value of this number MUST NOT be greater than 255.
VERSION: This grammar rule describes a 16-bit value whose low-order 8 bits are those described by the MINOR-VER grammar rule and whose high-order 8 bits are those described by the MAJOR-VER grammar rule; that is, wSchemaVersion = MAJOR-VER * 256 + MINOR-VER, so the prefix "v2.31" denotes the value 0x021F.
Action=: This token value represents the Action field of the FW_RULE structure as defined in [MS-FASP] section 2.2.37. The ACTION-VAL grammar rule represents the value contents of this field. This token MUST appear at most once in a rule string. The remaining token values in this list can be found in the same Protocol specification section except where noted.
Dir=: This token value represents the Direction field of the FW_RULE structure. The DIR-VAL grammar rule represents the value contents of this field. This token MUST appear at most once in a rule string.
Profile=: This token value represents the dwProfiles field of the FW_RULE structure. The PROFILE-VAL grammar rule represents one value of that field. If this token appears more than once in a RULE grammar rule, then all the PROFILE-VAL values that follow those tokens are included in dwProfiles. If the Profile= token never appears in the rule string, then dwProfiles has the value FW_PROFILE_TYPE_ALL as defined in [MS-FASP] section 2.2.2.
Protocol=: This token value represents the wIpProtocol field of the FW_RULE structure. The 1*3DIGIT grammar rule represents the value content of this field. Such value MUST NOT be greater than 255. The Protocol token MUST appear at most once in a RULE grammar rule. If a Protocol token does not appear in the rule string, then the meaning is the same as a value of 256 in the wIpProtocol field in [MS-FASP] section 2.2.37.
LPort=: This token value represents the LocalPorts field of the FW_RULE structure. LocalPorts is of type FW_PORTS, which contains a Ports field of type FW_PORT_RANGE_LIST, which in turn contains a pPorts array of type FW_PORT_RANGE. The PORT-VAL grammar rule represents an entry in the pPorts field. The LPORT-KEYWORD-VAL grammar rule, however, represents the wPortKeywords field of the LocalPorts field (of type FW_PORTS) of the FW_RULE structure. If the "LPort=" token appears multiple times in the rule string, then all the PORT-VAL and LPORT-KEYWORD-VAL values of those appearances are allowed.
LPort2_10=: This token value represents the LocalPorts field of the FW_RULE structure. As with the "LPort=" token, the PORT-RANGE-VAL grammar rule represents an entry in the pPorts field, whereas the LPORT-KEYWORD-VAL-2-10 grammar rule represents the wPortKeywords field of the LocalPorts field (of type FW_PORTS) of the FW_RULE structure. If the "LPort2_10=" token appears multiple times in the rule string, then all the PORT-RANGE-VAL and LPORT-KEYWORD-VAL-2-10 values of those appearances are allowed.
RPort=: This token value represents the RemotePorts field of the FW_RULE structure. RemotePorts is of type FW_PORTS, which contains a Ports field of type FW_PORT_RANGE_LIST, which in turn contains a pPorts array of type FW_PORT_RANGE. The PORT-VAL grammar rule represents an entry in the pPorts field. If the "RPort=" token appears multiple times in the rule string, then all the PORT-VAL values of those appearances are allowed.
RPort2_10=: This token value represents the RemotePorts field of the FW_RULE structure. As with the "RPort=" token, the PORT-RANGE-VAL grammar rule represents an entry in the pPorts field, whereas the RPORT-KEYWORD-VAL-2-10 grammar rule represents the wPortKeywords field of the RemotePorts field (of type FW_PORTS) of the FW_RULE structure. If the "RPort2_10=" token appears multiple times in the rule string, then all the PORT-RANGE-VAL and RPORT-KEYWORD-VAL-2-10 values of those appearances are allowed.
Security=: This token value represents specific flags in the wFlags field of the FW_RULE structure. The IFSECURE-VAL grammar rule represents a flag of such field. This token MUST appear at most once in a rule string.
Security2_9=: This token value represents specific flags in the wFlags field of the FW_RULE structure. The IFSECURE2-9-VAL grammar rule represents a flag of such field. This token MUST appear at most once in a rule string. Also, this token MUST appear only if the VERSION is a number greater than or equal to 0x0209.
Security2=: This token value represents specific flags in the wFlags field of the FW_RULE structure. The IFSECURE2-10-VAL grammar rule represents a flag of such field. This token MUST appear at most once in a rule string. Also, this token MUST appear only if the VERSION is a number greater than or equal to 0x020A.
IF=: This token represents an entry in the LocalInterfaceIds field of the FW_RULE structure.
IFType=: This token represents the dwLocalInterfaceType field of the FW_RULE structure.
App=: This token represents the wszLocalApplication field of the FW_RULE structure. The grammar rule APP-VAL represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Svc=: This token represents the wszLocalService field of the FW_RULE structure. The grammar rule SVC-VAL represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
LA4=: This token value represents the IPv4 fields of the LocalAddress field of the FW_RULE structure. LocalAddress is of type FW_ADDRESSES, which contains a dwV4AddressKeywords field, a V4Ranges field of type FW_IPV4_RANGE_LIST (whose pRanges array is of type FW_IPV4_ADDRESS_RANGE), and a V4SubNets field of type FW_IPV4_SUBNET_LIST (whose pSubNets array is of type FW_IPV4_SUBNET). The ADDRESSV4-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV4-SUBNET-VAL grammar rule represents an entry in the pSubNets field. If the "LA4=" token appears multiple times in the rule string, then all the ADDRESSV4-RANGE-VAL and ADDRESSV4-SUBNET-VAL values of those appearances are allowed.
RA4=: This token value represents the IPv4 fields of the RemoteAddress field of the FW_RULE structure. RemoteAddress is of type FW_ADDRESSES, which contains a dwV4AddressKeywords field, a V4Ranges field of type FW_IPV4_RANGE_LIST (whose pRanges array is of type FW_IPV4_ADDRESS_RANGE), and a V4SubNets field of type FW_IPV4_SUBNET_LIST (whose pSubNets array is of type FW_IPV4_SUBNET). The ADDRESSV4-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV4-SUBNET-VAL grammar rule represents an entry in the pSubNets field. The ADDRESS-KEYWORD-VAL grammar rule, however, represents the dwV4AddressKeywords field. If the "RA4=" token appears multiple times in the rule string, then all the ADDRESSV4-RANGE-VAL, ADDRESSV4-SUBNET-VAL, and ADDRESS-KEYWORD-VAL values of those appearances are allowed.
LA6=: This token value represents the IPv6 fields of the LocalAddress field of the FW_RULE structure. LocalAddress is of type FW_ADDRESSES, which contains a dwV6AddressKeywords field, a V6Ranges field of type FW_IPV6_RANGE_LIST (whose pRanges array is of type FW_IPV6_ADDRESS_RANGE), and a V6SubNets field of type FW_IPV6_SUBNET_LIST (whose pSubNets array is of type FW_IPV6_SUBNET). The ADDRESSV6-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV6-SUBNET-VAL grammar rule represents an entry in the pSubNets field. If the "LA6=" token appears multiple times in the rule string, then all the ADDRESSV6-RANGE-VAL and ADDRESSV6-SUBNET-VAL values of those appearances are allowed.
RA6=: This token value represents the IPv6 fields of the RemoteAddress field of the FW_RULE structure. RemoteAddress is of type FW_ADDRESSES, which contains a dwV6AddressKeywords field, a V6Ranges field of type FW_IPV6_RANGE_LIST (whose pRanges array is of type FW_IPV6_ADDRESS_RANGE), and a V6SubNets field of type FW_IPV6_SUBNET_LIST (whose pSubNets array is of type FW_IPV6_SUBNET). The ADDRESSV6-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV6-SUBNET-VAL grammar rule represents an entry in the pSubNets field. The ADDRESS-KEYWORD-VAL grammar rule, however, represents the dwV6AddressKeywords field. If the "RA6=" token appears multiple times in the rule string, then all the ADDRESSV6-RANGE-VAL, ADDRESSV6-SUBNET-VAL, and ADDRESS-KEYWORD-VAL values of those appearances are allowed.
Name=: This token represents the wszName field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Desc=: This token represents the wszDescription field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
EmbedCtxt=: This token represents the wszEmbeddedContext field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Edge=: This token represents the FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "Edge=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
Defer=: This token represents the contents of the wFlags field of the FW_RULE structure at the positions defined by the FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_APP and FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_USER flags (as defined in [MS-FASP] section 2.2.35). The DEFER-VAL grammar rule represents the Boolean contents of those flags as defined in section 2.2.2.14. If the "Defer=" token does not appear in the rule, then a Boolean value of false is assumed for both flags. Also, this token MUST appear only if the VERSION is a number greater than or equal to 0x020A. This token MUST appear at most once in a rule string.
LSM=: This token represents the FW_RULE_FLAGS_LOOSE_SOURCE_MAPPED flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "LSM=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
Active=: This token represents the FW_RULE_FLAGS_ACTIVE flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "Active=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
ICMP4=: This token value represents the V4TypeCodeList field of the FW_RULE structure. V4TypeCodeList is of type FW_ICMP_TYPE_CODE_LIST, which contains a pEntries array of type FW_ICMP_TYPE_CODE. The ICMP-TYPE-CODE-VAL grammar rule represents an entry in the pEntries field. If the "ICMP4=" token appears multiple times in the rule string, then all the ICMP-TYPE-CODE-VAL values of those appearances are allowed.
ICMP6=: This token value represents the V6TypeCodeList field of the FW_RULE structure. V6TypeCodeList is of type FW_ICMP_TYPE_CODE_LIST, which contains a pEntries array of type FW_ICMP_TYPE_CODE. The ICMP-TYPE-CODE-VAL grammar rule represents an entry in the pEntries field. If the "ICMP6=" token appears more than once in the rule string, then all the ICMP-TYPE-CODE-VAL values of those appearances are allowed.
Platform=: This token value represents the PlatformValidityList field of the FW_RULE structure. PlatformValidityList is of type FW_OS_PLATFORM_LIST, which contains a pPlatforms array of type FW_OS_PLATFORM. The PLATFORM-VAL grammar rule represents an entry in the pPlatforms field. If the "Platform=" token appears multiple times in the rule string, then all the PLATFORM-VAL values of those appearances are allowed.
RMauth=: This token represents the wszRemoteMachineAuthorizationList field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
RUAuth=: This token represents the wszRemoteUserAuthorizationList field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
AuthByPassOut=: This token represents the FW_RULE_FLAGS_AUTHENTICATE_BYPASS_OUTBOUND flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "AuthByPassOut=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
SkipVer=: The VERSION grammar rule following this token represents the highest inherent version of the Firewall and Advanced Security components that can ignore this rule string completely. The inherent version of a Firewall and Advanced Security component is the highest version that component supports.
LOM=: This token represents the FW_RULE_FLAGS_LOCAL_ONLY_MAPPED flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "LOM=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
Platform2=: This token represents the operator to use on the last entry of the PlatformValidityList field of the FW_RULE structure. Hence the PLATFORM-OP-VAL grammar rule represents the five most significant bits of the bPlatform field of the last FW_OS_PLATFORM structure entry (as defined in [MS-FASP] section 2.2.30) of the pPlatforms field of the FW_OS_PLATFORM_LIST structure as defined in [MS-FASP] section 2.2.31.
PCross=: This token represents the FW_RULE_FLAGS_ALLOW_PROFILE_CROSSING flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "PCross=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
LUAuth=: This token represents the wszLocalUserAuthorizationList field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
RA42=: This token value represents the RemoteAddresses field of the FW_RULE structure, specifically the dwV4AddressKeywords field. The ADDRESS-KEYWORD-VAL-2-20 grammar rule represents a flag in the dwV4AddressKeywords field. If the "RA42=" token appears multiple times in the rule string, then all the respective ADDRESS-KEYWORD-VAL-2-20 rules of such appearances are allowed.
RA62=: This token value represents the RemoteAddresses field of the FW_RULE structure, specifically the dwV6AddressKeywords field. The ADDRESS-KEYWORD-VAL-2-20 grammar rule represents a flag in the dwV6AddressKeywords field. If the "RA62=" token appears multiple times in the rule string, then all the respective ADDRESS-KEYWORD-VAL-2-20 rules of such appearances are allowed.
LUOwn=: This token represents the wszLocalUserOwner field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
AppPkgId=: This token represents the wszPackageId field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
LPort2_20=: This token value represents the LocalPorts field of the FW_RULE structure, specifically the wPortKeywords field. The LPORT-KEYWORD-VAL-2-20 grammar rule represents a flag in the wPortKeywords field. If the "LPort2_20=" token appears multiple times in the rule string, then all the respective LPORT-KEYWORD-VAL-2-20 rules of such appearances are allowed.
TTK=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL rules of such appearances are allowed.
LUAuth2_24=: This token value<3> represents the base64-encoded content of the wszLocalUserAuthorizationList field, and its presence also sets the FW_RULE_FLAGS_LUA_CONDITIONAL_ACE flag in the wFlags field of the FW_RULE2_24 structure ([MS-FASP] section 2.2.104). This token MUST appear at most once in a rule string.
NNm=: This token value<4> represents the OnNetworkNames field of the FW_RULE2_24 structure ([MS-FASP] section 2.2.104). The STR-ENC-VAL grammar rule represents an encoded string that represents the contents of such field. This token MUST appear at most once in a rule string.
SecurityRealmId=: This token<5> represents the wszSecurityRealmId field of the FW_RULE2_24 structure ([MS-FASP] section 2.2.104). The STR-VAL grammar rule represents a Unicode string that represents the contents of the field. This token MUST appear at most once in a rule string.
TTK2_22=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL2-22 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK2_22=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL2-22 rules of such appearances are allowed.
TTK2_27=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL2-27 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK2_27=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL2-27 rules of such appearances are allowed.
TTK2_28=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL2-28 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK2_28=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL2-28 rules of such appearances are allowed.
The "LPort=" token MUST appear only if a "Protocol=" token has appeared before it in the rule string AND the value of the "Protocol=" token is either 6 (for TCP) or 17 (for UDP). The same applies to the "RPort=", "LPort2_10=" and "RPort2_10=" tokens. The "ICMP4=" and "ICMP6=" tokens MUST appear only if the "Protocol=" token has appeared before them in the rule string with a value of 1 for "ICMP4=" or 58 for "ICMP6=". The "LPort=", "RPort=", "LPort2_10=", and "RPort2_10=" tokens cannot appear in a rule string where an "ICMP4=" or an "ICMP6=" token appears, and vice versa.
The semantic checks described in [MS-FASP] section 2.2.37 are also applicable to the firewall rules described in this section after following the mapping in each of the preceding tokens.
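The following parser is an added example, not part of this specification or of any Microsoft implementation. It reads a rule string in the grammar above and enforces the constraints this section states: the "v" MAJOR-VER "." MINOR-VER prefix and its 8-bit components, the TYPE=VALUE "|" field shape, the tokens that may appear at most once, the VERSION gates on "Security2_9=", "Security2=" and "Defer=", the ordering dependencies of the port and ICMP tokens on "Protocol=", and the defaults for absent "Profile=" (FW_PROFILE_TYPE_ALL) and "Protocol=" (256). Value sub-grammars such as PORT-VAL, the address rules and BOOL-VAL are defined elsewhere in the document and are kept as raw strings here; the TRUE/FALSE spelling assumed for BOOL-VAL, the registry value names, and the sample rule strings are assumptions constructed for this example.

```python
"""Parser for the firewall-rule string grammar of MS-GPFAS section 2.2.2.19.

Added example, not part of the specification or of any Microsoft code. Only the
constraints stated in that section are enforced; value sub-grammars (PORT-VAL, the
address rules, BOOL-VAL of section 2.2.2.14) stay raw strings. The TRUE/FALSE spelling
assumed for BOOL-VAL and the sample rules below are assumptions made for this example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Tokens the section says MUST appear at most once in a rule string.
SINGLE_TOKENS = {
    "Action", "Dir", "Protocol", "Security", "Security2_9", "Security2", "App",
    "Svc", "Name", "Desc", "EmbedCtxt", "Edge", "Defer", "LSM", "Active", "RMauth",
    "RUAuth", "AuthByPassOut", "LOM", "PCross", "LUAuth", "LUOwn", "AppPkgId",
    "LUAuth2_24", "NNm", "SecurityRealmId",
}
MIN_VERSION = {"Security2_9": 0x0209, "Security2": 0x020A, "Defer": 0x020A}
PORT_TOKENS = {"LPort", "RPort", "LPort2_10", "RPort2_10"}   # need Protocol=6 or 17 first
ICMP_TOKENS = {"ICMP4": 1, "ICMP6": 58}                      # token -> required Protocol=
PROTOCOL_ANY = 256                   # wIpProtocol meaning when Protocol= is absent
PROFILE_ALL = "FW_PROFILE_TYPE_ALL"  # dwProfiles meaning when Profile= is absent
_VERSION_RE = re.compile(r"^v(\d{1,3})\.(\d{1,3})$")   # "v" MAJOR-VER "." MINOR-VER


class RuleSyntaxError(ValueError):
    """The string violates the grammar or a constraint stated in the section."""


@dataclass
class FirewallRule:
    rule_id: str                 # registry value name, i.e. wszRuleId
    schema_version: int          # wSchemaVersion = MAJOR-VER << 8 | MINOR-VER
    fields: Dict[str, List[str]] = field(default_factory=dict)  # token -> values, in order

    def flag(self, token: str) -> bool:
        """BOOL-VAL token; absent means false (TRUE/FALSE spelling is an assumption)."""
        return self.fields.get(token, [""])[0].upper() == "TRUE"

    @property
    def protocol(self) -> int:
        return int(self.fields["Protocol"][0]) if "Protocol" in self.fields else PROTOCOL_ANY

    @property
    def profiles(self) -> List[str]:
        return self.fields.get("Profile", [PROFILE_ALL])


def parse_rule(rule_id: str, data: str) -> FirewallRule:
    """Parse one REG_SZ value found under ...\\WindowsFirewall\\FirewallRules."""
    if not data.endswith("|"):
        raise RuleSyntaxError("every FIELD ends with '|', so the string must too")
    parts = data[:-1].split("|")
    match = _VERSION_RE.match(parts[0])
    if not match or len(parts) < 2:
        raise RuleSyntaxError(f"expected 'v' VERSION '|' 1*FIELD, got {data!r}")
    major, minor = int(match.group(1)), int(match.group(2))
    if major > 255 or minor > 255:
        raise RuleSyntaxError("MAJOR-VER and MINOR-VER are 8-bit values")
    rule = FirewallRule(rule_id, (major << 8) | minor)
    protocol: Optional[int] = None          # Protocol= value seen so far, if any
    for raw in parts[1:]:
        token, sep, value = raw.partition("=")
        if not sep or not token:
            raise RuleSyntaxError(f"{raw!r} is not TYPE=VALUE")
        if token in SINGLE_TOKENS and token in rule.fields:
            raise RuleSyntaxError(f"{token}= may appear at most once")
        if token in MIN_VERSION and rule.schema_version < MIN_VERSION[token]:
            raise RuleSyntaxError(f"{token}= needs VERSION >= {MIN_VERSION[token]:#06x}")
        if token == "Protocol":
            if not (value.isdigit() and len(value) <= 3 and int(value) <= 255):
                raise RuleSyntaxError("Protocol= must be 1*3DIGIT and not greater than 255")
            protocol = int(value)
        # Port tokens need an earlier Protocol=6/17, ICMP tokens an earlier Protocol=1/58;
        # since Protocol= appears at most once, this also keeps the two groups exclusive.
        if token in PORT_TOKENS and protocol not in (6, 17):
            raise RuleSyntaxError(f"{token}= needs Protocol=6 or Protocol=17 before it")
        if token in ICMP_TOKENS and protocol != ICMP_TOKENS[token]:
            raise RuleSyntaxError(f"{token}= needs Protocol={ICMP_TOKENS[token]} before it")
        rule.fields.setdefault(token, []).append(value)
    return rule


def check_rule(rule_id: str, data: str) -> Optional[str]:
    """None if the string is well formed, otherwise the violation message."""
    try:
        parse_rule(rule_id, data)
        return None
    except RuleSyntaxError as exc:
        return str(exc)


# Constructed sample values shaped like GPO-deployed rules (not real captures).
SAMPLE_RULES = {
    "{11111111-2222-3333-4444-555555555555}":
        "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Profile=Domain|Profile=Private|"
        "App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=ConstructedRdpAllow|",
    "{66666666-7777-8888-9999-000000000000}":
        "v2.10|Action=Block|Dir=Out|Protocol=1|ICMP4=8:*|Security2=Authenticate|"
        "Name=ConstructedIcmpBlock|",
}

if __name__ == "__main__":
    for rid, data in SAMPLE_RULES.items():
        print(rid, check_rule(rid, data) or f"ok, version {parse_rule(rid, data).schema_version:#06x}")
```

Run it over the REG_SZ values exported from the FirewallRules key (or from the registry.pol that delivers them) and every string that violates a MUST in this section is reported with the offending token. The at-most-once checks are the ones worth keeping strict: a consumer that silently kept the first of two "Action=" tokens and one that kept the last would enforce different rules from the same registry value, so a conformant reader rejects the string rather than choosing.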