Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Firewall rules are stored under the Software\Policies\Microsoft\WindowsFirewall\FirewallRules key.
Each value under the key is a firewall rule. The type of the value MUST be REG_SZ. The data of each value is a string that can be parsed by the following grammar. This grammar represents a firewall rule as defined in [MS-FASP] section 2.2.37, except for the wszRuleId field of the FW_RULE structure which is instead represented by the name of the registry value.
-
RULE = "v" VERSION "|" 1*FIELD FIELD = TYPE_VALUE "|" TYPE-VALUE = "Action=" ACTION-VAL TYPE-VALUE =/ "Dir=" DIR-VAL TYPE-VALUE =/ "Profile=" PROFILE-VAL TYPE-VALUE =/ "Protocol=" 1*3DIGIT ; protocol is maximum 3 digits (255) TYPE-VALUE =/ "LPort=" ( PORT-VAL / LPORT-KEYWORD-VAL ) TYPE-VALUE =/ "RPort=" PORT-VAL TYPE-VALUE =/ "LPort2_10=" ( PORT-RANGE-VAL / LPORT-KEYWORD-VAL-2-10 ) TYPE-VALUE =/ "RPort2_10=" ( PORT-RANGE-VAL / RPORT-KEYWORD-VAL-2-10 ) TYPE-VALUE =/ "Security=" IFSECURE-VAL TYPE-VALUE =/ "Security2_9=" IFSECURE2-9-VAL TYPE-VALUE =/ "Security2=" IFSECURE2-10-VAL TYPE-VALUE =/ "IF=" IF-VAL TYPE-VALUE =/ "IFType=" IFTYPE-VAL TYPE-VALUE =/ "App=" APP-VAL TYPE-VALUE =/ "Svc=" SVC-VAL TYPE-VALUE =/ "LA4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL ) TYPE-VALUE =/ "RA4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL ) TYPE-VALUE =/ "LA6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL ) TYPE-VALUE =/ "RA6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL ) TYPE-VALUE =/ "Name=" STR-VAL TYPE-VALUE =/ "Desc=" STR-VAL TYPE-VALUE =/ "EmbedCtxt=" STR-VAL TYPE-VALUE =/ "Edge=" BOOL-VAL TYPE-VALUE =/ "Defer=" DEFER-VAL TYPE-VALUE =/ "LSM=" BOOL-VAL TYPE-VALUE =/ "Active=" BOOL-VAL TYPE-VALUE =/ "ICMP4=" ICMP-TYPE-CODE-VAL TYPE-VALUE =/ "ICMP6=" ICMP-TYPE-CODE-VAL TYPE-VALUE =/ "Platform=" PLATFORM-VAL TYPE-VALUE =/ "RMauth=" STR-VAL TYPE-VALUE =/ "RUAuth=" STR-VAL TYPE-VALUE =/ "AuthByPassOut=" BOOL-VAL TYPE-VALUE =/ "SkipVer=" VERSION TYPE-VALUE =/ "LOM=" BOOL-VAL TYPE-VALUE =/ "Platform2=" PLATFORM-OP-VAL TYPE-VALUE =/ "PCross=" BOOL-VAL TYPE-VALUE =/ "LUAuth=" STR-VAL TYPE-VALUE =/ "RA42=" ADDRESS-KEYWORD-VAL-2-20 TYPE-VALUE =/ "RA62=" ADDRESS-KEYWORD-VAL-2-20 TYPE-VALUE =/ "LUOwn=" STR-VAL TYPE-VALUE =/ "AppPkgId=" STR-VAL TYPE-VALUE =/ "LPort2_20=" LPORT-KEYWORD-VAL-2-20 TYPE-VALUE =/ "TTK=" TRUST-TUPLE-KEYWORD-VAL TYPE-VALUE =/ “TTK2_22=” TRUST-TUPLE-KEYWORD-VAL2-22 TYPE-VALUE =/ “TTK2_27=” TRUST-TUPLE-KEYWORD-VAL2-27 TYPE-VALUE =/ “TTK2_28=” TRUST-TUPLE-KEYWORD-VAL2-28 TYPE-VALUE =/ "LUAuth2_24=" STR-VAL TYPE-VALUE =/ "NNm=" STR-ENC-VAL TYPE-VALUE =/ "SecurityRealmId=" STR-VAL VERSION = MAJOR-VER "." MINOR-VER MAJOR-VER = 1*3DIGIT MINOR-VER = 1*3DIGIT APP-VAL = 1*ALPHANUM SVC-VAL = "*" / 1*ALPHANUM STR-VAL = 1*ALPHANUM
MAJOR-VER: This grammar rule describes a decimal number that represents the high order 8 bits of the wSchemaVersion field of the FW_RULE structure as defined in [MS-FASP] section 2.2.37. Because of this, the decimal value of this number MUST NOT be greater than 255. The following grammar rules can also be found in the previously mentioned [MS-FASP] section 2.2.37.
MINOR-VER: This grammar rule describes a decimal number that represents the low order 8 bits of the wSchemaVersion field of the FW_RULE structure. Because of this, the decimal value of this number MUST NOT be greater than 255.
VERSION: This grammar rule describes a decimal value whose low 8 order bits are those described in the MINOR-VER grammar rule, and whose high 8 order bits are those described in the MAJOR-VER grammar rule.
Action=: This token value represents the Action field of the FW_RULE structure as defined in [MS-FASP] section 2.2.37. The ACTION-VAL grammar rule represents the value contents of this field. This token MUST appear at most once in a rule string. The remaining token values in this list can be found in the same Protocol specification section except where noted.
Dir=: This token value represents the Direction field of the FW_RULE structure. The DIR-VAL grammar rule represents the value contents of this field. This token MUST appear at most once in a rule string.
Profile=: This token value represents the dwProfiles field of the FW_RULE structure. The PROFILE-VAL grammar rule represents a value content of such field. If this token appears more than once in a RULE grammar rule, then all the contents represented by the PROFILE-VAL rule appearing next to them are included. If the Profile= token never appears in the rule string then it represents a value of FW_PROFILE_TYPE_ALL as defined in [MS-FASP] section 2.2.2.
Protocol=: This token value represents the wIpProtocol field of the FW_RULE structure. The 1*3DIGIT grammar rule represents the value content of this field. Such value MUST NOT be greater than 255. The Protocol token MUST appear at most once in a RULE grammar rule. If a Protocol token does not appear in the rule string, then the meaning is the same as a value of 256 in the wIpProtocol field in [MS-FASP] section 2.2.37.
LPort=: This token value represents the LocalPorts field of the FW_RULE structure. As such defined, LocalPorts is of type FW_PORTS, which contains a Ports field of type FW_PORT_RANGE_LIST, which also contains a pPorts array of type FW_PORT_RANGE. The PORT_VAL grammar rule represents an entry in the pPorts field. The LPORT-KEYWORD-VAL grammar rule, however, represents the wPortKeywords field of the LocalPorts field (which is of type FW_PORTS) of the FW_RULE structure. If the LPort=: token appears multiple times in the rule string, then all the respective PORT-VAL rules and LPORT-KEYWORD-VAL rules of such appearances are allowed.
LPort2_10=: This token value represents the LocalPorts field of the FW_RULE structure. Similarly to the case of the "LPort=" token, the PORT-RANGE-VAL grammar rule represents an entry in the pPorts field. The LPORT-KEYWORD-VAL-2-10 grammar rule, however, represents the wPortKeywords field of the LocalPorts field (which is of type FW_PORTS) of the FW_RULE structure. If the LPort token appears multiple times in the rule string, then all the respective PORT-RANGE-VAL rules and LPORT-KEYWORD-VAL-2-10 rules of such appearances are allowed.
RPort=: This token value represents the RemotePorts field of the FW_RULE structure. As such defined, RemotePorts is of type FW_PORTS, which contains a Ports field of type FW_PORT_RANGE_LIST, which also contains a pPorts array of type FW_PORT_RANGE. The PORT-VAL grammar rule represents an entry in the pPorts field. If the RPort token appears multiple times in the rule string, then all the PORT-VAL rule of such are allowed.
RPort2_10=: This token value represents the RemotePorts field of the FW_RULE structure. Similarly to the case of the "RPort=" token, the PORT-RANGE-VAL grammar rule represents an entry in the pPorts field. The RPORT-KEYWORD-VAL-2-10 grammar rule however represents the wPortKeywords field of the RemotePorts field (which is of type FW_PORTS) of the FW_RULE structure. If the RPort token appears multiple times in the rule string, then all the respective PORT-RANGE-VAL rules and RPORT-KEYWORD-VAL-2-10 rules of such appearances are allowed.
Security=: This token value represents specific flags in the wFlags field of the FW_RULE structure. The IFSECURE-VAL grammar rule represents a flag of such field. This token MUST appear at most once in a rule string.
Security2_9=: This token value represents specific flags in the wFlags field of the FW_RULE structure. The IFSECURE-VAL grammar rule represents a flag of such field. This token MUST appear at most once in a rule string. Also this token MUST appear only if the VERSION is a number greater than or equal to 0x0209.
Security2=: This token value represents specific flags in the wFlags field of the FW_RULE structure. The IFSECURE-VAL grammar rule represents a flag of such field. This token MUST appear at most once in a rule string. Also this token MUST appear only if the VERSION is a number greater than or equal to 0x020A.
IF=: This token represents an entry in the LocalInterfaceIds field of the FW_RULE structure.
IFType=: This token represents the dwLocalInterfaceType field of the FW_RULE structure.
App=: This token represents the wszLocalApplication field of the FW_RULE structure. The grammar rule APP-VAL represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Svc=: This token represents the wszLocalService field of the FW_RULE structure. The grammar rule SVC-VAL represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
LA4=: This token value represents the LocalAddress field of the FW_RULE structure, specifically the v4 fields. As such defined LocalAddress is of type FW_ADDRESSES, it contains the following 3 fields: a dwV4AddressKeyword field, a V4Ranges field of type FW_IPV4_RANGE_LIST, which also contains a pRanges array of type FW_IPV4_ADDRESS_RANGE, and lastly a V4SubNets field of type FW_IPV4_SUBNET_LIST, which also contains a pSubNets array of type FW_IPV4_SUBNET. The ADDRESSV4-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV4-SUBNET-VAL grammar rule represents an entry in the pSubNets field. If the "LA4" token appears multiple times in the rule string, then all the respective ADDRESSV4-RANGE-VAL and ADDRESSV4-SUBNET-VAL rules of such appearances are allowed.
RA4=: This token value represents the RemoteAddress field of the FW_RULE structure, specifically the v4 fields. As such defined RemoteAddress is of type FW_ADDRESSES, it contains the following 3 fields: a dwV4AddressKeyword field, a V4Ranges field of type FW_IPV4_RANGE_LIST, which also contains a pRanges array of type FW_IPV4_ADDRESS_RANGE, and lastly a V4SubNets field of type FW_IPV4_SUBNET_LIST, which also contains a pSubNets array of type FW_IPV4_SUBNET. The ADDRESSV4-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV4-SUBNET-VAL grammar rule represents an entry in the pSubNets field. The ADDRESS-KEYWORD-VAL grammar rule, however, represents the dwV4AddressKeywords field. If the "RA4" token appears multiple times in the rule string, then all the respective ADDRESSV4-RANGE-VAL, ADDRESSV4-SUBNET-VAL, and the ADDRESS-KEYWORD-VAL rules of such appearances are allowed.
LA6=: This token value represents the LocalAddress field of the FW_RULE structure, specifically the v6 fields. As such defined LocalAddress is of type FW_ADDRESSES, it contains the following 3 fields: a dwV6AddressKeyword field, a V6Ranges field of type FW_IPV6_RANGE_LIST, which also contains a pRanges array of type FW_IPV6_ADDRESS_RANGE, and lastly a V6SubNets field of type FW_IPV6_SUBNET_LIST, which also contains a pSubNets array of type FW_IPV6_SUBNET. The ADDRESSV6-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV6-SUBNET-VAL grammar rule represents an entry in the pSubNets field. If the "LA6" token appears multiple times in the rule string, then all the respective ADDRESSV6-RANGE-VAL and ADDRESSV6-SUBNET-VAL rules of such appearances are allowed.
RA6=: This token value represents the RemoteAddress field of the FW_RULE structure, specifically the v6 fields. As such defined RemoteAddress is of type FW_ADDRESSES, it contains the following 3 fields: a dwV6AddressKeyword field, a V6Ranges field of type FW_IPV6_RANGE_LIST, which also contains a pRanges array of type FW_IPV6_ADDRESS_RANGE, and lastly a V6SubNets field of type FW_IPV6_SUBNET_LIST, which also contains a pSubNets array of type FW_IPV6_SUBNET. The ADDRESSV6-RANGE-VAL grammar rule represents an entry in the pRanges field. The ADDRESSV6-SUBNET-VAL grammar rule represents an entry in the pSubNets field. The ADDRESS-KEYWORD-VAL grammar rule, however, represents the dwV6AddressKeywords field. If the "RA6" token appears multiple times in the rule string, then all the respective ADDRESSV6-RANGE-VAL, ADDRESSV6-SUBNET-VAL, and the ADDRESS-KEYWORD-VAL rules of such appearances are allowed.
Name=: This token represents the wszName field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Desc=: This token represents the wszDescription field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
EmbedCtxt=: This token represents the wszEmbeddedContext field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Edge=: This token represents the FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "Edge=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
Defer=: This token represents the contents of the wFlags field of the FW_RULE structure on the position defined by the FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_APP and FW_RULE_FLAGS_ROUTEABLE_ADDRS_TRAVERSE_USER flag (as defined in [MS-FASP] section 2.2.35) The DEFER-VAL grammar rule represents the Boolean contents of such flag as defined in section 2.2.2.14. If the "Defer=" token does not appear in the rule then a Boolean value false is assumed for both flags. Also this token MUST appear only if the VERSION is a number greater than or equal to 0x020A. This token MUST appear at most once in a rule string.
LSM=: This token represents the FW_RULE_FLAGS_LOOSE_SOURCE_MAPPED flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "LSM=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
Active=: This token represents the FW_RULE_FLAGS_ACTIVE flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "Active=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
ICMP4=: This token value represents the V4TypeCodeList field of the FW_RULE structure. As such defined V4TypeCodeList is of type FW_ICMP_TYPE_CODE_LIST, it contains a pEntries array of type FW_ICMP_TYPE_CODE. The ICMP-TYPE-CODE-VAL grammar rule represents an entry in the pEntries field. If the "ICMP4=" token appears multiple times in the rule string, then all the respective ICMP-TYPE-CODE-VAL grammar rules of such appearances are allowed.
ICMP6=: This token value represents the V6TypeCodeList field of the FW_RULE structure. As such defined V6TypeCodeList is of type FW_ICMP_TYPE_CODE_LIST, it contains a pEntries array of type FW_ICMP_TYPE_CODE. The ICMP-TYPE-CODE-VAL grammar rule represents an entry in the pEntries field. If the "ICMP6=" token appears more than once in the rule string, then all the respective ICMP-TYPE-CODE-VAL grammar rules of such appearances are allowed.
Platform=: This token value represents the PlatformValidityList field of the FW_RULE structure. As such defined PlatformValidityList is of type FW_OS_PLATFORM_LIST, it contains a pPlatforms array of type FW_OS_PLATFORM. The PLATFORM-VAL grammar rule represents an entry in the pPlatforms field. If the "Platform=" token appears multiple times in the rule string, then all the respective PLATFORM-VAL grammar rules of such appearances are allowed.
RMAuth=: This token represents the wszRemoteMachineAuthorizationList field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
RUAuth=: This token represents the wszRemoteUserAuthorizationList field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
AuthByPassOut=: This token represents the FW_RULE_FLAGS_AUTHENTICATE_BYPASS_OUTBOUND flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "AuthByPassOut=" token does not appear in the rule a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
SkipVer=: The VERSION grammar rule following this token represents the highest inherent version of the Firewall and Advanced Security components that can ignore this rule string completely. The inherent version of a Firewall and Advanced Security component is the highest version that component supports.
LOM=: This token represents the FW_RULE_FLAGS_LOCAL_ONLY_MAPPED flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "LOM=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear only once in a rule string.
Platform2=: This token represents the operator to use on the last entry of the PlatformValidityList field of the FW_RULE structure. Hence the PLATFORM-OP-VAL grammar rule represents the five most significant bits of the bPlatform field of the last FW_OS_PLATFORM structure entry (as defined in [MS-FASP] section 2.2.30) of the pPlatforms field of the FW_OS_PLATFORM_LIST structure as defined in [MS-FASP] section 2.2.31.
PCROSS=: This token represents the FW_RULE_FLAGS_ALLOW_PROFILE_CROSSING flag (as defined in [MS-FASP] section 2.2.35) of the wFlags field of the FW_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "PCROSS=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear only once in a rule string.
LUAuth=: This token represents the wszLocalUserAuthorizationList field of the FW_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear only once in a rule string.
RA42=: This token value represents the RemoteAddresses field of the FW_RULE structure, specifically the dwV4AddressKeywords field. The ADDRESS-KEYWORD-VAL-2-20 grammar rule represents a flag in the dwV4AddressKeywords field. If the "RA42=" token appears multiple times in the rule string, then all the respective ADDRESS-KEYWORD-VAL-2-20 rules of such appearances are allowed.
RA62=: This token value represents the RemoteAddresses field of the FW_RULE structure, specifically the dwTrustTupleKeywords field. The ADDRESS-KEYWORD-VAL-2-20 grammar rule represents a flag in the dwV6AddressKeywords field. If the "RA62=" token appears multiple times in the rule string, then all the respective ADDRESS-KEYWORD-VAL-2-20 rules of such appearances are allowed.
LUOwn=: This token represents the wszLocalUserOwner field of the FW_RULE structure. The STR_VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear only once in a rule string.
AppPkgId=: This token represents the wszPackageId field of the FW_RULE structure. The STR_VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear only once in a rule string.
LPort2_20=: This token value represents the LocalPorts field of the FW_RULE structure, specifically the wPortKeywords field. The LPORT-KEYWORD-VAL-2-20 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "LPort2_20=" token appears multiple times in the rule string, then all the respective LPORT-KEYWORD-VAL-2-20 rules of such appearances are allowed.
TTK=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL rules of such appearances are allowed.
LUAuth2_24=: This token value<3> represents the base64 encoded content of wszLocalUserAuthorizationList and it also adds the FW_RULE_FLAGS_LUA_CONDITIONAL_ACE flag on the wFlags field of the FW_RULE2_24 structure ([MS-FASP] section 2.2.104). This token MUST appear only once in a rule string.
NNm=: This token value<4> represents the OnNetworkNames field of the FW_RULE2_24 structure ([MS-FASP] section 2.2.104). The STR-ENC-VAL grammar rule represents an encoded string that represents the contents of such field. This token MUST appear only once in a rule string.
SecurityRealmId=: This token<5> represents the wszSecurityRealmId field of the FW_RULE2_24 structure ([MS-FASP] section 2.2.104). The STR-VAL grammar rule represents a Unicode string that represents the contents of the field. This token MUST appear only once in a rule string.
TTK2_22=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL2-22 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK2_22=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL2-22 rules of such appearances are allowed.
TTK2_27=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL2-27 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK2_27=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL2-27 rules of such appearances are allowed.
TTK2_28=: This token value represents the dwTrustTupleKeywords field of the FW_RULE structure. The TRUST-TUPLE-KEYWORD-VAL2-28 grammar rule represents a flag in the dwTrustTupleKeywords field. If the "TTK2_28=" token appears multiple times in the rule string, then all the respective TRUST-TUPLE-KEYWORD-VAL2-28 rules of such appearances are allowed.
The "LPort=" token MUST appear only if a "Protocol=" token has appeared before it on the rule string AND the value of the "Protocol=" token is either 6 (for TCP) or 17 (for UDP). The same applies to the "RPort=", "LPort2_10=" and "RPort2_10=" tokens. The "ICMP4=" and "ICMP6=" tokens MUST appear only if the "Protocol=" token has appeared before it on the rule string and expressed a value of 1 for "ICMP4=" or of 58 for "ICMP6=". The "LPort=", "RPort=", "LPort2_10=", and "RPort2_10=" tokens cannot appear in a rule string where a "ICMP4=" or a "ICMP6=" token appears and vice versa.
The semantic checks described in [MS-FASP] section 2.2.37 are also applicable to the firewall rules described in this section after following the mapping in each of the preceding tokens.