From owner-freebsd-pf@FreeBSD.ORG Sun Mar 20 19:20:13 2005
Date: Sun, 20 Mar 2005 20:23:06 +0100
From: Łukasz Bromirski
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Cc: sam.wun@authtec.com, Claudio Jeker
Subject: Re: OpenBGPD with FreeBSD

Claudio Jeker wrote:

>>Had openbgpd ported to freebsd or is it in any progress?
>>If I want to install it in FreeBSD, is there any guideline for me to follow?
> You have to remove the full pfkey interface and replace it with dummy
> functions as it is incompatible. So tcp md5 does not work but I think it
> is still broken in FreeBSD anyway.
> Here is a diff I created some time ago. Perhaps some other minor changes
> are needed.

I've created short HOWTO as well as diff to make OpenBGPd easily
installable on FreeBSD (tested 5.3/5.4). It works with pf (pushing
prefixes to pf tables), but of course lacks MD5 authorization for
peers. Claudio, thanks for suggestions about the pfkey.

Here's short HOWTO:
http://lukasz.bromirski.net/projekty/openbgpd/index-en.html

If anyone will push this further and make a port out of it, it
would be really nice.

-- 
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net

From owner-freebsd-pf@FreeBSD.ORG Sun Mar 20 20:38:11 2005
Date: Mon, 21 Mar 2005 00:08:10 +0330
From: Siavosh Benabbas
To: stephen
Cc: freebsd-pf@freebsd.org
Subject: Re:
 traffic accounting

Hi,

If you haven't figured it out yet, every packet on the $int_if gets matched by

pass quick on $int_if all

as you have put the quick keyword the rest of the ruleset is not seen and your

pass in on $int_if from $soh to any keep state label "$srcaddr:: "

rule is never matched. To solve the problem you should change the first
rule to "pass on $int_if all". Note that your ruleset is not a default
deny one, it is recommended to put a "drop on $int_if all" first and
then selectively pass what you need.

Regards,
Siavosh Benabbas

On Fri, 18 Mar 2005 15:48:57 +0200, stephen wrote:
> On Fri, 18 Mar 2005 14:02:50 +0100, Max Laier wrote:
> > On Friday 18 March 2005 12:41, stephen wrote:
> > > Having a little difficulty regarding traffic counting.
> > >
> > > I have a macro ($soh) with about 30 IPs in it.. The first problem I
> > > was having was that:
> > > pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
> > > was not passing traffic. (nat changing source address before reaching
> > > filtering rules)
> > >
> > > Someone then recommended having the following instead:
> > > pass in on $int_if from $soh to any keep state label "$srcaddr:: "
> > > pass out on $ext_if from any to any keep state label "total:: "
> > >
> > > which is now letting traffic out with the pass out rule, but the pass
> > > in rule is not counting traffic... whenever doing "pfctl -sl" I can
> > > see the "total::" label rising as more bandwidth is used, but all the
> > > other labels for all the private IPs remain on zero.
> >
> > Generally speaking, I'd think that there is an error in your ruleset that
> > prevents this rule from being evaluated.
> > Use $pfctl -vsr and check if the
> > rule(s) match at all. If you are dealing with 10+ IPs I'd also suggest to
> > look at tables. They are not only quicker (by an order of magnitude) but
> > also provide per IP counters for traffic that might just give you what you
> > want. See the FAQ for details on tables.
>
> that's exactly what I'm after, the reason I used a macro was when i
> did # pfctl -sl I was just getting 0 0 0, the table wasn't
> expanding (changed from ipf to pf recently, so I'm a lil new to
> things such as tables)
>
> > > I did get a step closer earlier this morning... Managed to count
> > > traffic from the source addresses 100%, but I couldn't account for the
> > > web traffic (which is 80% of the traffic) as I have a rdr rule that
> > > redirects all traffic for port 80 via localhost port 3128 to
> > > proxy/cache webpages.
> >
> > In any case the traffic must come in from the local side first (as I think
> > that you are only dealing with connections initiated from the clients you are
> > accounting for). This traffic can always be filtered and accounted for.
>
> yes, but because of the two rules
> > > pass in on $int_if from $soh to any keep state label "$srcaddr:: "
> > > pass out on $ext_if from any to any keep state label "total:: "
> and the last match win story.. i think it bypasses the first rule and
> traffic goes out on the second
>
> > > Could someone possibly help rectify this?
> > > (they are also the last rules in the ruleset so the "last match wins"
> > > is correct)
> >
> > "quick" might mess you up? Please post your *complete* ruleset when you want
> > help debugging it. It's only fishing in the dark if you don't give details.
> > Obfuscate your static IP if you think you have to, but post the complete
> > thing or people are not able to help.
>
> yeah that's what i thought, quick is going to stop traffic going out
> same as when I was doing:
> pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
> it wasn't passing traffic at all. I suspect because of the nat rule
> (and seeing as nat is done before filtering) it was converting the
> private IPs into the live IP and wouldn't let it go out.
>
> here's the ruleset:
>
> # macros
> int_if = "rl0"
> ext_if = "tun0"
> gif_if = "gif3"
>
> tcp_services_in = "{ 21, 25, 110, 2222, 113 }"
> tcp_services_out = "{ 21, 22, 25, 53, 80, 110, 6667 }"
> udp_services_in = "{ 53 }"
> udp_services_out = "{ 53 }"
> icmp_types = "echoreq"
>
> p2p_ports = " { 6346 }"
> p2p_clients = "{ $studio, $stephen }"
> studio = "{ x.x.x.5 , x.x.x.11 , x.x.x.12 }"
> stephen = "x.x.x.23"
>
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
> #table persist file "/etc/soh_hosts"
>
> soh ="{ x.x.x.1 , x.x.x.2 , x.x.x.3 , x.x.x.4 , x.x.x.5 , x.x.x.6 ,
> x.x.x.7 , x.x.x.8 , x.x.x.9 , x.x.x.10 , x.x.x.11 , x.x.x.12 ,
> x.x.x.13 , x.x.x.14 , x.x.x.15 , x.x.x.16 , x.x.x.17 , x.x.x.18 ,
> x.x.x.19 , x.x.x.20 , x.x.x.21 , 10.0.88.22 , x.x.x.23 , x.x.x.24 ,
> x.x.x.25 , x.x.x.26 , x.x.x.27 , x.x.x.28 , x.x.x.29 , x.x.x.30 }"
>
> # comp3 = "x.x.x.x"
>
> # options
> set block-policy return
> set loginterface $ext_if
> set fingerprints "/etc/pf.os"
>
> # scrub
> scrub in all
>
> # nat/rdr
> #nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
>
> # rdr on $ext_if proto tcp from any to any port 80 -> $comp3
>
> # filter rules
> block log all
>
> pass quick on lo0 all
> pass quick on $int_if all
>
> # anti spoofing protection for internal interface
> antispoof quick for $int_if inet
> antispoof quick for $ext_if inet
> antispoof quick for lo0
>
> pass in on $ext_if inet proto tcp from any to { $int_if, ($ext_if) }
> port $tcp_services_in flags S/SA keep state
>
> pass in on $ext_if inet
> proto tcp from port 20 to ($ext_if) user
> proxy flags S/SA keep state
>
> pass in on $gif_if all
> pass out on $gif_if all
>
> pass in on $int_if from $soh to any keep state label "$srcaddr:: "
> pass out on $ext_if from any to any keep state label "total:: "
>
> once I've got the counting working as I want it to (cause I'll do a
> pfctl -sl and have the output mailed to me daily and reset the
> counter), I'll start bringing the $tcp_services_out into play to
> restrict access a bit more.
>
>
> Thanks,
> Stephen

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 21 10:17:34 2005
Date: Mon, 21 Mar 2005 11:17:25 +0100 (CET)
From: Patrik Astrom
To: freebsd-pf@freebsd.org
Subject: MS PPTP hangs my firewall.

Hi all,

I have multiple FreeBSD 5.3-R Firewalls with PF and they all seem to have
the same problem, when I have clients (Windows XP) behind my firewalls
that try to connect out and establish a PPTP VPN to a different
network my firewalls just hang. The only thing I can do at this time is
to pull the plug and reboot the firewall, I googled a bit but could not
find anything that seems related to my problem.

I would be most grateful for any input you may have.

Regards
Patrik Astrom

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 21 10:28:27 2005
Date: Mon, 21 Mar 2005 11:28:27 +0100
From: Andre Oppermann
To: Łukasz Bromirski
Cc: freebsd-net@freebsd.org, Claudio Jeker, sam.wun@authtec.com, freebsd-pf@freebsd.org
Subject: Re: OpenBGPD with FreeBSD

Łukasz Bromirski wrote:
>
> Claudio Jeker wrote:
>
> >>Had openbgpd ported to freebsd or is it in any progress?
> >>If I want to install it in FreeBSD, is there any guideline for me to follow?
> > You have to remove the full pfkey interface and replace it with dummy
> > functions as it is incompatible. So tcp md5 does not work but I think it
> > is still broken in FreeBSD anyway.
> > Here is a diff I created some time ago. Perhaps some other minor changes
> > are needed.
>
> I've created short HOWTO as well as diff to make OpenBGPd easily
> installable on FreeBSD (tested 5.3/5.4). It works with pf (pushing
> prefixes to pf tables), but of course lacks MD5 authorization for
> peers. Claudio, thanks for suggestions about the pfkey.
>
> Here's short HOWTO:
> http://lukasz.bromirski.net/projekty/openbgpd/index-en.html
>
> If anyone will push this further and make a port out of it, it
> would be really nice.

You could make a port and I can commit it.

-- 
Andre

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 21 13:39:59 2005
Date: Mon, 21 Mar 2005 14:39:52 +0100
From: Daniel Hartmeier
To: Patrik Astrom
Cc: freebsd-pf@freebsd.org
Subject: Re: MS PPTP hangs my firewall.

On Mon, Mar 21, 2005 at 11:17:25AM +0100, Patrik Astrom wrote:

> I have multiple FreeBSD 5.3-R Firewalls with PF and they all seem to have
> the same problem, when I have clients (Windows XP) behind my firewalls
> that try to connect out and establish a PPTP VPN to a different
> network my firewalls just hang.
> The only thing I can do at this time is
> to pull the plug and reboot the firewall, I googled a bit but could not
> find anything that seems related to my problem.
>
> I would be most grateful for any input you may have.

Assuming you're doing NAT for those connections, I think this is fixed
in RELENG_5 by

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c.diff?r1=1.18.2.5&r2=1.18.2.6&f=h

Either apply that patch manually to your 5.3 sources, or update the
entire tree to RELENG_5 (which is close to 5.4R now).

Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 22 14:49:46 2005
Date: Tue, 22 Mar 2005 17:49:38 +0300
From: Yar Tikhiy
To: freebsd-pf@freebsd.org
Subject: Using pfsync leads to rapid state loss?

Hi folks,

I know I'm unoriginal in my trying to use pf + pfsync + carp :-)
But am I unique in observing the following trouble?

I have two symmetric routers running rather fresh RELENG_5 (just
a few days old) and CARP from the patch by Glebius. As soon as I
enable pfsync between them over a dedicated pair of interfaces,
they really start to exchange state updates, but at the same time
established TCP states start to expire extremely fast. By coincidence
I noticed that when "timeout interval" was 20, an idle TCP state
lasted for 12-13 seconds in both PF's; but when "timeout interval"
was 8, a TCP state vanished after 2-3 seconds of inactivity. The
whole issue looks like the other PF expires a state too fast and
sends the corresponding update back to the PF originating the state.
Disabling pfsync between the routers remedies the problem at once.

Did I hit a known pitfall?

-- 
Yar

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 22 18:32:59 2005
Date: Tue, 22 Mar 2005 19:32:30 +0100
From: Emanuel Strobl
To: pyunyh@gmail.com
Cc: pf@freebsd.org
Subject: PF panick patch doesn't work [Was: Re: pf panic trace]

On Saturday, 12 March 2005 06:07, Pyun YongHyeon wrote:
> On Fri, Mar 11, 2005 at 05:12:31PM +0100, Emanuel Strobl wrote:
> > On Friday, 11 March 2005 16:19, Emanuel Strobl wrote:
> > > On Friday, 11 March 2005 14:52, Daniel Hartmeier wrote:
> > > > block return-rst in on wi0 reply-to (wi0 10.1.1.1) inet proto tcp
> > > > all
> > > >
> > > > This is valid syntax and pfctl loads the rule, but the functionality
> > > > is not implemented in kernel yet, i.e. the reply-to option is simply
> > > > ignored.
> > >
> > > Thanks, I tried a very similar rule and after that the box vanished.
> > > I went on location (the box panicked but didn't reboot) and installed a
> > > console-server so I can access the box from here and currently I'm
> > > baking a debug kernel.
> > > I'll notify you if I have a trace!
> >
> > Here's the original panic message (the non debug kernel) with 5.4-PRE
> > one week old:
> > Fatal trap 12: page fault while in kernel mode
> > fault virtual address = 0xc
> > fault code = supervisor read, page not pre
> > instruction pointer = 0x8:0xc05ac722
> > stack pointer = 0x10:0xcc6919ac
> > frame pointer = 0x10:0xcc6919e0
> > code segment = base 0x0, limit 0xfffff, type
> > = DPL 0, pres 1, def32 1, gran
> > processor eflags = interrupt enabled, resume, IO
> > current process = 34 (swi1: net)
> > trap number = 12
> > panic: page fault
> > Uptime: 1d1h20m33s
> > GEOM_MIRROR: Device web: provider mirror/web destroyed.
> > GEOM_MIRROR: Device web destroyed.
> > ...
> > The machine didn't reboot!
> >
> >
> > The following rule panics the machine:
> > block return-icmp(13) in on $SDSL route-to ($SDSL $sdsl_gw) from any to
> > $sdsl_net
> >
> > Here's the trace from 5.4-PRE today:
> > panic: m_copym, offset > size of mbuf chain
> > KDB: stack backtrace:
> > panic(c076ab9a,c174d500,100,cc694a30,0) at panic+0x13c
> > m_copym(c1621b00,5dc,5c8,1,14) at m_copym+0x1c7
> > ip_fragment(c1642010,cc694a74,5dc,6,f01) at ip_fragment+0x168
> > pf_route(cc694bf0,c1a10d20,1,c1585000,0) at pf_route+0x767
> > pf_test(1,c1585000,cc694bf0,0,c17554e0) at pf_test+0x7b1
> > pf_check_in(0,cc694bf0,c1585000,1,0) at pf_check_in+0x48
> > pfil_run_hooks(c07f3e60,cc694c9c,c1585000,1,0) at pfil_run_hooks+0x15b
> > ip_input(c1621b00,0,c076e621,e6,c07f3f20) at ip_input+0x20f
> > netisr_processqueue(cc694cd8,246,c07c8ee0,2,c1508d40) at
> > netisr_processqueue+0x15
> > swi_net(0,0,c0762ddc,269,0) at swi_net+0x8d
> > ithread_loop(c1526300,cc694d48,c0762bbd,30e,0) at ithread_loop+0x1ff
> > fork_exit(c0560640,c1526300,cc694d48) at fork_exit+0xa9
> > fork_trampoline() at fork_trampoline+0x8
> > --- trap 0x1, eip = 0, esp = 0xcc694d7c, ebp = 0 ---
> >
> > If you need more info, on http://www.schmalzbauer.de/statics/phobos you
> > can find dmesg and the whole pf.conf
>
> Hmm, Max and I had seen these kind of traces when pf porting
> was in progress. But now I believe we fixed all possible
> cases.
>
> I can't be sure but your trace indicates there is a bug in
> ip_fragment(). If a packet already set IP_MF flag in ip header,
> we would get invalid ip_off in fragmented packet.
> And it seems that there is another bug in pf. Since ip_fragment()
> can change passed mbuf, we should not use saved copy of it.
> Untested patch for CURRENT attached.

Hello,

I tested your patch against BETA1 (RELENG_5 from today). It applied and
compiled but unfortunately doesn't solve the panic.
Here's the latest trace:

login: panic: m_copym, offset > size of mbuf chain
KDB: enter: panic
[thread pid 35 tid 100031 ]
Stopped at kdb_enter+0x32: leal 0(%esi),%esi
db> trace
Tracing pid 35 tid 100031 td 0xc1515190
kdb_enter(c0765289,c07ca240,c076a9a8,cc6949d8,c1515190) at kdb_enter+0x32
panic(c076a9a8,c1751600,100,cc694a48,0) at panic+0x14d
m_copym(c1619b00,5dc,5c8,1,14) at m_copym+0x1c7
ip_fragment(c163a010,cc694a88,5dc,6,f01) at ip_fragment+0x168login: panic: m_copym, offset > size of mbuf chain
KDB: enter: panic
[thread pid 35 tid 100031 ]
Stopped at kdb_enter+0x32: leal 0(%esi),%esi
db> trace
Tracing pid 35 tid 100031 td 0xc1515190
kdb_enter(c0765289,c07ca240,c076a9a8,cc6949d8,c1515190) at kdb_enter+0x32
panic(c076a9a8,c1751600,100,cc694a48,0) at panic+0x14d
m_copym(c1619b00,5dc,5c8,1,14) at m_copym+0x1c7
ip_fragment(c163a010,cc694a88,5dc,6,f01) at ip_fragment+0x168
pf_route(cc694c04,c1a13d20,1,c1588000,0) at pf_route+0x761
pf_test(1,c1588000,cc694c04,0,c1758b20) at pf_test+0x7b1
pf_check_in(0,cc694c04,c1588000,1,0) at pf_check_in+0x48
pfil_run_hooks(c07f3d00,cc694c9c,c1588000,1,0) at pfil_run_hooks+0x15b
ip_input(c1619b00,0,c076e42f,e6,c07f3dc0) at ip_input+0x205
netisr_processqueue(cc694cd8,246,c07c8d60,2,c1508d40) at netisr_processqueue+0x15
swi_net(0,0,c0762bea,269,0) at swi_net+0x8d
ithread_loop(c1526300,cc694d48,c07629cb,30e,0) at ithread_loop+0x1ff
fork_exit(c0560290,c1526300,cc694d48) at fork_exit+0xa9
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xcc694d7c, ebp = 0 ---
db> pf_route(cc694c04,c1a13d20,1,c1588000,0) at pf_route+0x761
pf_test(1,c1588000,cc694c04,0,c1758b20) at pf_test+0x7b1
pf_check_in(0,cc694c04,c1588000,1,0) at pf_check_in+0x48
pfil_run_hooks(c07f3d00,cc694c9c,c1588000,1,0) at pfil_run_hooks+0x15b
ip_input(c1619b00,0,c076e42f,e6,c07f3dc0) at ip_input+0x205
netisr_processqueue(cc694cd8,246,c07c8d60,2,c1508d40) at netisr_processqueue+0x15
swi_net(0,0,c0762bea,269,0) at swi_net+0x8d
ithread_loop(c1526300,cc694d48,c07629cb,30e,0) at ithread_loop+0x1ff
fork_exit(c0560290,c1526300,cc694d48) at fork_exit+0xa9
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xcc694d7c, ebp = 0 ---
db>

Thanks,

-Harry

P.S.: Shall I file a PR? Do you think this will be fixed before 5.4?

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 23 11:04:41 2005
Date: Wed, 23 Mar 2005 12:04:37 +0100 (CET)
From: Patrik Astrom
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: MS PPTP hangs my firewall.

Thank you very much for your input, I patched my sources and rebuilt my
kernel and everything works perfectly now.

Thanks.

Regards
Patrik Astrom

On Mar 21, 2005 at 14:39, Daniel Hartmeier wrote:

> Date: Mon, 21 Mar 2005 14:39:52 +0100
> From: Daniel Hartmeier
> To: Patrik Astrom
> Cc: freebsd-pf@freebsd.org
> Subject: Re: MS PPTP hangs my firewall.
>
> On Mon, Mar 21, 2005 at 11:17:25AM +0100, Patrik Astrom wrote:
>
> > I have multiple FreeBSD 5.3-R Firewalls with PF and they all seem to have
> > the same problem, when I have clients (Windows XP) behind my firewalls
> > that try to connect out and establish a PPTP VPN to a different
> > network my firewalls just hang. The only thing I can do at this time is
> > to pull the plug and reboot the firewall, I googled a bit but could not
> > find anything that seems related to my problem.
> >
> > I would be most grateful for any input you may have.
>
> Assuming you're doing NAT for those connections, I think this is fixed
> in RELENG_5 by
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c.diff?r1=1.18.2.5&r2=1.18.2.6&f=h
>
> Either apply that patch manually to your 5.3 sources, or update the
> entire tree to RELENG_5 (which is close to 5.4R now).
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 24 22:48:49 2005
Date: Thu, 24 Mar 2005 16:48:48 -0600
From: BB
To: FreeBSD-pf mail list
Subject: Isn't there a way to parse, don't load rules and complain about syntax errors or missing variables ?
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: BB List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Mar 2005 22:48:49 -0000 I need to move a new 5.3 firewall box in place in order to upgrade the old system. The pf.conf configuration file has mostly variables setup. When I ran this command it didn't complain about anything - pfctl -nf /tmp/pf.conf However when I looked at the configuration file again the scrub rule had the explicate interface name fxp0 This new box doesn't have fxp0 From owner-freebsd-pf@FreeBSD.ORG Thu Mar 24 23:16:39 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0F9F216A4CE for ; Thu, 24 Mar 2005 23:16:39 +0000 (GMT) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id A7FD543D41 for ; Thu, 24 Mar 2005 23:16:38 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: by wproxy.gmail.com with SMTP id 37so600807wra for ; Thu, 24 Mar 2005 15:16:38 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=OzCl6+9JVWaovqfrPa/cFiZCx6vGgxTr39GFbXPC8pQ9jpDcRAijE2wBE74/A52iCVfRPNU9ZhKx7WNtBDgaEjv8F6IwCr35dKDGsO1jtw//cb9mCXDV5P6Lu4/whIeZq2E5O83RxNabITaCVvlfaPvwxirI2NJdOy/81G2Ym54= Received: by 10.54.97.12 with SMTP id u12mr642332wrb; Thu, 24 Mar 2005 15:16:38 -0800 (PST) Received: by 10.54.39.34 with HTTP; Thu, 24 Mar 2005 15:16:38 -0800 (PST) Message-ID: <8eea04080503241516211d5aea@mail.gmail.com> Date: Thu, 24 Mar 2005 15:16:38 -0800 From: Jon Simola To: BB In-Reply-To: <787dcac20503241448430a7de2@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; 
charset=ISO-8859-1 Content-Transfer-Encoding: 7bit References: <787dcac20503241448430a7de2@mail.gmail.com> cc: FreeBSD-pf mail list Subject: Re: Isn't there a way to parse, don't load rules and complain about syntax errors or missing variables ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: jon@abccomm.com List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Mar 2005 23:16:39 -0000 On Thu, 24 Mar 2005 16:48:48 -0600, BB wrote: > However, when I looked at the configuration file again the scrub rule > had the explicit interface name fxp0 > > This new box doesn't have fxp0 It will probably make sense if you think that some interfaces like vlan and tun are created and destroyed. You probably don't want to reload your firewall config every time you bring up a PPP link. ipfw has the same feature. -- Jon Simola Systems Administrator ABC Communications From owner-freebsd-pf@FreeBSD.ORG Fri Mar 25 00:23:18 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AE83916A4CE for ; Fri, 25 Mar 2005 00:23:18 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id C436443D55 for ; Fri, 25 Mar 2005 00:23:17 +0000 (GMT) (envelope-from max@love2party.net) Received: from [212.227.126.179] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1DEcbd-0005yt-00; Fri, 25 Mar 2005 01:23:17 +0100 Received: from [84.128.142.116] (helo=donor.laier.local) by mrelayng.kundenserver.de with asmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 1DEcbc-0006Jt-00; Fri, 25 Mar 2005 01:23:17 +0100 From: Max Laier To: freebsd-pf@freebsd.org, jon@abccomm.com Date: Fri, 25 Mar 2005 01:22:53 +0100 User-Agent: KMail/1.7.2 
References: <787dcac20503241448430a7de2@mail.gmail.com> <8eea04080503241516211d5aea@mail.gmail.com> In-Reply-To: <8eea04080503241516211d5aea@mail.gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart2524232.sBkiDuRPJc"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200503250123.01060.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:61c499deaeeba3ba5be80f48ecc83056 Subject: Re: Isn't there a way to parse, don't load rules and complain about syntax errors or missing variables ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Mar 2005 00:23:18 -0000 --nextPart2524232.sBkiDuRPJc Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Friday 25 March 2005 00:16, Jon Simola wrote: > On Thu, 24 Mar 2005 16:48:48 -0600, BB wrote: > > However, when I looked at the configuration file again the scrub rule > > had the explicit interface name fxp0 > > > > This new box doesn't have fxp0 > > It will probably make sense if you think that some interfaces like > vlan and tun are created and destroyed. You probably don't want to > reload your firewall config every time you bring up a PPP link. That's part of the reasoning. Also you usually want to have rules to block PPP traffic *before* you bring up the link etc. ... in the end it's hard^Wimpossible to satisfy everybody. As for "detecting" this kind of foot-shooting, you can do a "$pfctl -vsI | grep placeholder" after you loaded the ruleset. Something that should probably go to a TBD "Debugging PF - best practices" article in our doc tree. Any takers :-) > ipfw has the same feature. Not quite. 
IPFW just does pattern matching on the interface name, something that is even more nasty and can be a lot of fun when you have vlan1 and vlan11. But that just as a sidenote. -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart2524232.sBkiDuRPJc Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQBCQ1nkXyyEoT62BG0RArFSAJ4xCSLncAgpN8mwbdz/p+b/i0JatACdFcF2 cfyfuFi620+NwJ6gWe3zqKA= =1Vre -----END PGP SIGNATURE----- --nextPart2524232.sBkiDuRPJc-- From owner-freebsd-pf@FreeBSD.ORG Fri Mar 25 09:49:46 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5219F16A52A for ; Fri, 25 Mar 2005 09:49:46 +0000 (GMT) Received: from post1.wesleyan.edu (post1.wesleyan.edu [129.133.6.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9DB1F43D46 for ; Fri, 25 Mar 2005 09:49:43 +0000 (GMT) (envelope-from vsavichev@wesleyan.edu) Received: from pony1.wesleyan.edu (pony1.wesleyan.edu [129.133.6.192]) by post1.wesleyan.edu (8.12.11/8.12.11) with ESMTP id j2P9nfFs013286 for ; Fri, 25 Mar 2005 04:49:41 -0500 Received: from pony1.wesleyan.edu (pony1.wesleyan.edu [127.0.0.1]) by pony1.wesleyan.edu (8.12.11/8.12.11) with ESMTP id j2P9nfG5022916 for ; Fri, 25 Mar 2005 04:49:41 -0500 Received: (from apache@localhost) by pony1.wesleyan.edu (8.12.11/8.12.11/Submit) id j2P9nfUJ022914; Fri, 25 Mar 2005 04:49:41 -0500 Received: from 81.30.200.207 (SquirrelMail authenticated user vsavichev); by webmail.wesleyan.edu with HTTP; Fri, 25 Mar 2005 04:49:41 -0500 (EST) Message-ID: <55087.81.30.200.207.1111744181.squirrel@81.30.200.207> Date: Fri, 25 Mar 2005 04:49:41 -0500 (EST) From: vsavichev@wesleyan.edu To: freebsd-pf@freebsd.org User-Agent: SquirrelMail/1.4.3a-0.e3.1 X-Mailer: 
SquirrelMail/1.4.3a-0.e3.1 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Wesleyan-MailScanner-Information: Please contact the ISP for more information X-Wesleyan-MailScanner: Found to be clean X-MailScanner-From: vsavichev@wesleyan.edu Subject: transparent proxy ftp mode X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Mar 2005 09:49:47 -0000 hi, we have pf and couple of ip aliases on the $ext_if. pf NAT's the connections out in round-robin fashion, pf lets the clients out through stateful rules Recently, we switched to the transparent proxy mode in squid-pf conf pf.conf> rdr on $int_if inet proto tcp from any to {!192.168.0.0/24} port \ { 80, 8080, 8101 } -> 127.0.0.1 port 3128 ok, there is small problem when we try to download someth. in browser from ftp sites, reply is: passive ftp connection must come from same host active control connection does it says, i have to use ftp-proxy as well or should I lock somehow ftp related connects to predefined ip, I'm not sure if i express it correctly. 
thanks, vlad From owner-freebsd-pf@FreeBSD.ORG Fri Mar 25 15:19:13 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8D6916A4CE for ; Fri, 25 Mar 2005 15:19:13 +0000 (GMT) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 580A543D2F for ; Fri, 25 Mar 2005 15:19:13 +0000 (GMT) (envelope-from brent.bolin@gmail.com) Received: by wproxy.gmail.com with SMTP id 69so761775wra for ; Fri, 25 Mar 2005 07:19:13 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=THcucaetTf1ONFeiPrmyxGmyeNh/8bSM1J0Ct9cETbKlAJPf++nl0ejN4IUC4I5BibvoORHyT8wFBEQCU4c+Mk7QVFjdsQXcdvS+atrGrxwBxouU6BasG+A1a/F5cU2j8to5N/2uUNJU35E7IvlSgDMoSSXqKMRo8mi8A1YVVcE= Received: by 10.54.22.19 with SMTP id 19mr313411wrv; Fri, 25 Mar 2005 07:19:13 -0800 (PST) Received: by 10.54.68.14 with HTTP; Fri, 25 Mar 2005 07:19:12 -0800 (PST) Message-ID: <787dcac205032507193062c2b4@mail.gmail.com> Date: Fri, 25 Mar 2005 09:19:12 -0600 From: BB To: jon@abccomm.com In-Reply-To: <8eea04080503241516211d5aea@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit References: <787dcac20503241448430a7de2@mail.gmail.com> <8eea04080503241516211d5aea@mail.gmail.com> cc: FreeBSD-pf mail list Subject: Re: Isn't there a way to parse, don't load rules and complain about syntax errors or missing variables ? 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: BB List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Mar 2005 15:19:13 -0000 These firewall rules don't have any tun or tap0 interfaces. rl0: flags=8843 mtu 1500 options=8 inet 68.79.110.99 netmask 0xffffffe0 broadcast 68.79.110.127 ether 00:02:96:01:bc:13 media: Ethernet autoselect (none) status: no carrier vr0: flags=8843 mtu 1500 inet 192.168.111.252 netmask 0xffff0000 broadcast 192.168.255.255 ether 00:50:2c:00:82:3a media: Ethernet autoselect (100baseTX) status: active plip0: flags=108810 mtu 1500 lo0: flags=8049 mtu 16384 inet 127.0.0.1 netmask 0xff000000 pflog0: flags=141 mtu 33208 As I recall from a previous firewall configuration using openvpn that had rules for tap devices pf would complain if it couldn't find the interface. My main point was to test that all syntax and variables were correct. The rule set that I am moving has nat enabled. I think the box will lock me out if it can't find the default gateway. Thanks On Thu, 24 Mar 2005 15:16:38 -0800, Jon Simola wrote: > On Thu, 24 Mar 2005 16:48:48 -0600, BB wrote: > > > However, when I looked at the configuration file again the scrub rule > > had the explicit interface name fxp0 > > > > This new box doesn't have fxp0 > > It will probably make sense if you think that some interfaces like > vlan and tun are created and destroyed. You probably don't want to > reload your firewall config every time you bring up a PPP link. ipfw > has the same feature. 
> > -- > Jon Simola > Systems Administrator > ABC Communications > From owner-freebsd-pf@FreeBSD.ORG Sat Mar 26 00:25:51 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E872116A4CE for ; Sat, 26 Mar 2005 00:25:51 +0000 (GMT) Received: from mail.primustel.ca (mail.primustel.ca [216.254.136.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5058F43D48 for ; Sat, 26 Mar 2005 00:25:51 +0000 (GMT) (envelope-from drwitura@primus.ca) Received: from staffshell.tor.primus.ca ([216.254.136.110]) by mail.primustel.ca with esmtp (Exim 3.36 #1) id 1DEz7e-0007lt-00 for freebsd-pf@freebsd.org; Sat, 26 Mar 2005 00:25:50 +0000 Date: Fri, 25 Mar 2005 19:25:50 -0500 (EST) From: Didier Rwitura To: freebsd-pf@freebsd.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: SSH hanging X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Mar 2005 00:25:52 -0000 I am installing PF I added in /etc/sysctl.com ---> net.inet.ip.forwarding=1 /etc/shell ---> /usr/sbin/authpf /etc/pf.conf Int= "xl0" Ext = "sis0" scrub in all # filter block drop all pass out quick on $Ext proto tcp from $Int:network flags S/SA \ modulate state pass out quick on $Ext proto { udp, icmp } from $Int:network \ keep state pass in quick on $Intproto tcp from $Int:network to $Int\ port ssh flags S/SA keep state anchor "authpf/*" in on $Int /etc/authpf/authpf.rules Int = "xl0" dns_servers = "{ 10.0.0.33, 66.11.168.194 }" pass in quick on $Int proto udp from $user_ip to $dns_servers \ port domain keep state pass in quick on $Int proto tcp from $user_ip to port { ssh, http, \ https } flags S/SA keep state I am getting Hello didier, You are authenticated from host "10.0.0.33" when 
I connect with ssh but it hangs ... I don't get the prompt any help will be appreciated Thanx -- ------------------------------------------ Didier Rwitura Technical Support Technique Primus Telecommunications Inc Tel: 1-800-370-0015 Residential 1-888-222-8577 Commercial Ext :8628 "injustice anywhere is a threat to justice everywhere" Martin Luther King Jr -- ---------------------------------------------------------------------------- This electronic message contains information from Primus Telecommunications Canada Inc. ("PRIMUS") , which may be legally privileged and confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or e-mail (to the number or address above) immediately. Any views, opinions or advice expressed in this electronic message are not necessarily the views, opinions or advice of PRIMUS. It is the responsibility of the recipient to ensure that any attachments are virus free and PRIMUS bears no responsibility for any loss or damage arising in any way from the use thereof.The term "PRIMUS" includes its affiliates. 
---------------------------------------------------------------------------- For the French version of this message, please see http://www.primustel.ca/fr/legal/cs.htm ---------------------------------------------------------------------------- From owner-freebsd-pf@FreeBSD.ORG Sat Mar 26 05:50:46 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 727EA16A4CE for ; Sat, 26 Mar 2005 05:50:46 +0000 (GMT) Received: from mx1.mail.ru (mx1.mail.ru [194.67.23.121]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2461543D46 for ; Sat, 26 Mar 2005 05:50:46 +0000 (GMT) (envelope-from mvetsalo@mail.ru) Received: from [193.138.84.70] (port=59932 helo=mx.msu1) by mx1.mail.ru with esmtp id 1DF4C2-000DGq-00 for freebsd-pf@freebsd.org; Sat, 26 Mar 2005 08:50:43 +0300 Date: Sat, 26 Mar 2005 07:50:43 +0200 From: Maxim Vetsalo To: freebsd-pf@freebsd.org Message-ID: <20050326075043.6561f419@mx.msu1> In-Reply-To: References: X-Mailer: Sylpheed-Claws 1.0.1 (GTK+ 1.2.10; i386-portbld-freebsd5.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam: Not detected Subject: Re: SSH hanging X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Mar 2005 05:50:46 -0000 On Fri, 25 Mar 2005 19:25:50 -0500 (EST) Didier Rwitura wrote: > > I am installing PF > [ skipped ] > https } flags S/SA keep state > > I am getting > > Hello didier, You are authenticated from host "10.0.0.33" > > when I connect with ssh but it hangs ... I don't get the prompt > > any help will be appreciated I had same problem when my pf enabled server was unable to send DNS request. Setting UseDNS -> no in /etc/ssh/sshd_config will help in this case. 
Best regards, Maxim. -- mailto:mvetsalo@mail.ru From owner-freebsd-pf@FreeBSD.ORG Sat Mar 26 11:35:34 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0268C16A4CE for ; Sat, 26 Mar 2005 11:35:34 +0000 (GMT) Received: from mail.primustel.ca (mail.primustel.ca [216.254.136.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6C67343D54 for ; Sat, 26 Mar 2005 11:35:33 +0000 (GMT) (envelope-from drwitura@primus.ca) Received: from staffshell.tor.primus.ca ([216.254.136.110]) by mail.primustel.ca with esmtp (Exim 3.36 #1) id 1DF9Zj-0007ga-00; Sat, 26 Mar 2005 11:35:31 +0000 Date: Sat, 26 Mar 2005 06:35:30 -0500 (EST) From: Didier Rwitura To: Maxim Vetsalo In-Reply-To: <20050326075043.6561f419@mx.msu1> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-pf@freebsd.org Subject: Re: SSH hanging X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Mar 2005 11:35:34 -0000 Sorry Maxim... I added UseDNS no in my sshd_config ... restarted the daemon but still no luck. I even activated VerifyReverseMapping no Still no luck. By the way I am running Prerelease FreeBSD 5.4 OpenSSH_3.8.1p1 Thanx On Sat, 26 Mar 2005, Maxim Vetsalo wrote: > On Fri, 25 Mar 2005 19:25:50 -0500 (EST) > Didier Rwitura wrote: > > > > > I am installing PF > > > [ skipped ] > > > https } flags S/SA keep state > > > > I am getting > > > > Hello didier, You are authenticated from host "10.0.0.33" > > > > when I connect with ssh but it hangs ... I don't get the prompt > > > > any help will be appreciated > > I had same problem when my pf enabled server was unable to send DNS request. Setting > UseDNS -> no in /etc/ssh/sshd_config will help in this case. 
> > Best regards, > Maxim. > -- > mailto:mvetsalo@mail.ru > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > -- ------------------------------------------ Didier Rwitura Technical Support Technique Primus Telecommunications Inc Tel: 1-800-370-0015 Residential 1-888-222-8577 Commercial Ext :8628 "injustice anywhere is a threat to justice everywhere" Martin Luther King Jr -- ---------------------------------------------------------------------------- This electronic message contains information from Primus Telecommunications Canada Inc. ("PRIMUS") , which may be legally privileged and confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or e-mail (to the number or address above) immediately. Any views, opinions or advice expressed in this electronic message are not necessarily the views, opinions or advice of PRIMUS. It is the responsibility of the recipient to ensure that any attachments are virus free and PRIMUS bears no responsibility for any loss or damage arising in any way from the use thereof.The term "PRIMUS" includes its affiliates. 
---------------------------------------------------------------------------- For the French version of this message, please see http://www.primustel.ca/fr/legal/cs.htm ---------------------------------------------------------------------------- From owner-freebsd-pf@FreeBSD.ORG Sat Mar 26 21:24:39 2005 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C3F1916A4CE for ; Sat, 26 Mar 2005 21:24:39 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5367B43D55 for ; Sat, 26 Mar 2005 21:24:38 +0000 (GMT) (envelope-from Holger.Bauer@citec-ag.de) Received: from [212.227.126.207] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1DFIlp-0006Yi-00; Sat, 26 Mar 2005 22:24:37 +0100 Received: from [84.245.131.170] (helo=TELEFONIE) by mrelayng.kundenserver.de with asmtp (Exim 3.35 #1) id 1DFIlp-0008KV-00; Sat, 26 Mar 2005 22:24:37 +0100 Received: from[192.168.2.10] (helo=citec-srv1.citec-ag.local) by TELEFONIE with AVK MailGateway Sat, 26 Mar 2005 22:24:37 +0100 Date: Sat, 26 Mar 2005 22:24:36 +0100 From: "Holger Bauer" To: MIME-Version: 1.0 Message-ID: <157D367A82DF174EA394C897A261142D57008B@citec-srv1.citec-ag.local> Content-Class: urn:content-classes:message Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C5324A.360344F0" X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 X-MS-Has-Attach: yes X-MS-TNEF-Correlator: Thread-Topic: possible hardwareissue with pfsync on via C3 cpus: generated node id is always the same, even on 2 different but identical equiped systems Thread-Index: AcUySjUFZGfe4t5ASX+wfDQLCidc7A== X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:5ea6c0f6a655c3cdba1dcf9a7a1af460 Subject: possible hardwareissue with pfsync on via C3 cpus: generated node id is always the same, even on 2 different but 
identical equiped systems X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Mar 2005 21:24:39 -0000 This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C5324A.360344F0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi pf-list, I have been playing around with http://www.pfsense.com, a firewall distribution, that uses pf. It also is able to be configured with carp and pfsync for failover. The hardware I am running this on are 2 via c3 1000MHz mini-itx platforms. Carp and syncing is working, but I only see one syncing node. Further investigation showed, that the nodes are syncing but have the same node id. I was told, that the node id should be generated randomly on every reboot but I always get the same node id. The same id appears on BOTH systems. Did some reinstalls from scratch but always get the same node id on each system. On other machines the node ids are changing, so it must be something special concerning probably the c3 cpus. The c3s have an integrated random generator. Maybe this one is not used or initialized correctly and that's why the results are always the same. I have appended the output of some commands. One of the developers of pfsense told me that these should be useful for analyzing and showing the problem. If anybody needs further information on hardware or wants me to run some commands and report the output just tell me. 
Regards, Holger Bauer ____________ Virus checked by G DATA AntiVirusKit ------_=_NextPart_001_01C5324A.360344F0 Content-Type: text/plain; name="nodeids.txt" Content-Transfer-Encoding: base64 Content-Description: nodeids.txt Content-Disposition: attachment; filename="nodeids.txt"
LjE2OC4xMC45OSAoIUFGX0xJTkspDQphcnBfcnRyZXF1ZXN0OiBiYWQgZ2F0ZXdheSAxOTIuMTY4 LjEuMTAgKCFBRl9MSU5LKQ0KIG5tYXANCiBkb29ybWFuDQouDQpFeGVjdXRpbmcgcmMuZCBpdGVt cy4uLg0KU3RhcnRpbmcgL3Vzci9sb2NhbC9ldGMvcmMuZC9jYXJwLnNoLi4uDQpTdGFydGluZyAv dXNyL2xvY2FsL2V0Yy9yYy5kL2Rvb3JtYW5kLnNoLi4uDQpTdGFydGluZyAvdXNyL2xvY2FsL2V0 Yy9yYy5kL2lmc3RhdGVkLnNoLi4uDQpGaW5hbCBmaXJld2FsbCBzZXR1cCBpbiBwcm9ncmVzcy4u Lg0KDQpXZWxjb21lIHRvIHBmU2Vuc2UgKGxlZnQtcGZzZW5zZS5sb2NhbCkgKGNvbnNvbGUpDQoN CkNvcHlyaWdodCAoYykgMTk5Mi0yMDA1IFRoZSBGcmVlQlNEIFByb2plY3QuDQpDb3B5cmlnaHQg KGMpIDE5NzksIDE5ODAsIDE5ODMsIDE5ODYsIDE5ODgsIDE5ODksIDE5OTEsIDE5OTIsIDE5OTMs IDE5OTQNCiAgICAgICAgVGhlIFJlZ2VudHMgb2YgdGhlIFVuaXZlcnNpdHkgb2YgQ2FsaWZvcm5p YS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4NCg0KDQoqKiogVGhpcyBpcyBwZlNlbnNlIHZlcnNpb24g MC41Ni4yLUJvYmJhQm9vZXktIzINCiAgICBDb3B5cmlnaHQgMjAwNCBTY290dCBVbGxyaWNoLiAg QWxsIHJpZ2h0cyByZXNlcnZlZC4NCiAgICBPcmlnaW5hbGx5IGJhc2VkIG9uIG0wbjB3YWxsLCB2 ZXJzaW9uIDEuMmIxDQogICAgbTBuMHdhbGwgaXMgQ29weXJpZ2h0IDIwMDItMjAwNCBieSBNYW51 ZWwgS2FzcGVyLiBBbGwgcmlnaHRzIHJlc2VydmVkDQoNCiAgICBMQU4gICAtPiAgIHZyMCAgIC0+ ICAgMTkyLjE2OC4xLjENCiAgICBXQU4gICAtPiAgIHZyMSAgIC0+ICAgMTkyLjE2OC4xMC45MQ0K DQogICBPUFQxICAgLT4gICBhdWUwICAgLT4gICAxOTIuMTY4LjIwMC4xKFN5bmMpDQoNCg0KDQpw ZlNlbnNlIGNvbnNvbGUgc2V0dXANCioqKioqKioqKioqKioqKioqKioqKioNCjApICBMb2dvdXQg aWYgYWNjZXNzaW5nIHZpYSBTU0gNCjEpICBJbnRlcmZhY2VzOiBhc3NpZ24gbmV0d29yayBwb3J0 cw0KMikgIFNldCB1cCBMQU4gSVAgYWRkcmVzcw0KMykgIFJlc2V0IHdlYkdVSSBwYXNzd29yZA0K NCkgIFJlc2V0IHRvIGZhY3RvcnkgZGVmYXVsdHMNCjUpICBSZWJvb3Qgc3lzdGVtDQo2KSAgSGFs dCBzeXN0ZW0NCjcpICBQaW5nIGhvc3QNCjgpICBTaGVsbA0KOSkgIFBGdG9wDQoNCkVudGVyIGEg bnVtYmVyOg0KIw0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCiMgdW5hbWUgLWEN CkZyZWVCU0QgbGVmdC1wZnNlbnNlLmxvY2FsIDUuNC1QUkVSRUxFQVNFIEZyZWVCU0QgNS40LVBS RVJFTEVBU0UgIzE6IFR1ZSBNYXIgMjIgMDM6MjY6MzkgVVRDIDIwMDUgICAgIHN1bGxyaWNoQGJ1 
aWxkZXIubGl2ZWJzZC5jb206L3Vzci9vYmovdXNyL3NyYy9zeXMvRlJFRVNCSUUuNSAgaTM4Ng0K LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCg0KDQoNCi0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCg0KDQpib3gyOg0KLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0NCiMgaWZjb25maWcNCnZyMDogZmxhZ3M9ODk0MzxVUCxCUk9BRENBU1Qs UlVOTklORyxQUk9NSVNDLFNJTVBMRVgsTVVMVElDQVNUPiBtdHUgMTUwMA0KICAgICAgICBpbmV0 IDE5Mi4xNjguMS4yIG5ldG1hc2sgMHhmZmZmZmYwMCBicm9hZGNhc3QgMTkyLjE2OC4xLjI1NQ0K ICAgICAgICBpbmV0NiBmZTgwOjoyNDA6NjNmZjpmZWRiOjhhYTUldnIwIHByZWZpeGxlbiA2NCBz Y29wZWlkIDB4MQ0KICAgICAgICBldGhlciAwMDo0MDo2MzpkYjo4YTphNQ0KICAgICAgICBtZWRp YTogRXRoZXJuZXQgYXV0b3NlbGVjdCAoMTAwYmFzZVRYKQ0KICAgICAgICBzdGF0dXM6IGFjdGl2 ZQ0KYXVlMDogZmxhZ3M9MTA4ODQzPFVQLEJST0FEQ0FTVCxSVU5OSU5HLFNJTVBMRVgsTVVMVElD QVNUPiBtdHUgMTUwMA0KICAgICAgICBpbmV0IDE5Mi4xNjguMjAwLjIgbmV0bWFzayAweGZmZmZm ZjAwIGJyb2FkY2FzdCAxOTIuMTY4LjIwMC4yNTUNCiAgICAgICAgaW5ldDYgZmU4MDo6MjA1OjFi ZmY6ZmUwMDo0MWQ1JWF1ZTAgcHJlZml4bGVuIDY0IHNjb3BlaWQgMHgyDQogICAgICAgIGV0aGVy IDAwOjA1OjFiOjAwOjQxOmQ1DQogICAgICAgIG1lZGlhOiBFdGhlcm5ldCBhdXRvc2VsZWN0ICgx MDBiYXNlVFggPGZ1bGwtZHVwbGV4PikNCiAgICAgICAgc3RhdHVzOiBhY3RpdmUNCnZyMTogZmxh Z3M9ODk0MzxVUCxCUk9BRENBU1QsUlVOTklORyxQUk9NSVNDLFNJTVBMRVgsTVVMVElDQVNUPiBt dHUgMTUwMA0KICAgICAgICBpbmV0IDE5Mi4xNjguMTAuOTIgbmV0bWFzayAweGZmZmZmZjAwIGJy b2FkY2FzdCAxOTIuMTY4LjEwLjI1NQ0KICAgICAgICBpbmV0NiBmZTgwOjoyNDA6NjNmZjpmZWRi OjhhNzQldnIxIHByZWZpeGxlbiA2NCBzY29wZWlkIDB4Mw0KICAgICAgICBldGhlciAwMDo0MDo2 
MzpkYjo4YTo3NA0KICAgICAgICBtZWRpYTogRXRoZXJuZXQgYXV0b3NlbGVjdCAoMTAwYmFzZVRY IDxmdWxsLWR1cGxleD4pDQogICAgICAgIHN0YXR1czogYWN0aXZlDQpwbGlwMDogZmxhZ3M9MTA4 ODEwPFBPSU5UT1BPSU5ULFNJTVBMRVgsTVVMVElDQVNUPiBtdHUgMTUwMA0KcGZzeW5jMDogZmxh Z3M9NDE8VVAsUlVOTklORz4gbXR1IDEzNDgNCiAgICAgICAgcGZzeW5jOiBzeW5jaWY6IGF1ZTAg bWF4dXBkOiAxMjgNCnBmbG9nMDogZmxhZ3M9MTQxPFVQLFJVTk5JTkcsUFJPTUlTQz4gbXR1IDMz MjA4DQpsbzA6IGZsYWdzPTgwNDk8VVAsTE9PUEJBQ0ssUlVOTklORyxNVUxUSUNBU1Q+IG10dSAx NjM4NA0KICAgICAgICBpbmV0IDEyNy4wLjAuMSBuZXRtYXNrIDB4ZmYwMDAwMDANCiAgICAgICAg aW5ldDYgOjoxIHByZWZpeGxlbiAxMjgNCiAgICAgICAgaW5ldDYgZmU4MDo6MSVsbzAgcHJlZml4 bGVuIDY0IHNjb3BlaWQgMHg3DQpjYXJwMDogZmxhZ3M9NDE8VVAsUlVOTklORz4gbXR1IDE1MDAN CiAgICAgICAgaW5ldCAxOTIuMTY4LjEwLjk5IG5ldG1hc2sgMHhmZmZmZmYwMA0KICAgICAgICBj YXJwOiBNQVNURVIgdmhpZCAxIGFkdmJhc2UgMSBhZHZza2V3IDANCmNhcnAxOiBmbGFncz00MTxV UCxSVU5OSU5HPiBtdHUgMTUwMA0KICAgICAgICBpbmV0IDE5Mi4xNjguMS4xMCBuZXRtYXNrIDB4 ZmZmZmZmMDANCiAgICAgICAgY2FycDogTUFTVEVSIHZoaWQgMiBhZHZiYXNlIDEgYWR2c2tldyAw DQojDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KIyBjYXQgL3Vzci9sb2NhbC9l dGMvcmMuZC9jYXJwLnNoDQojIS9iaW4vc2gNCi9zYmluL2lmY29uZmlnIHBmc3luYzAgY3JlYXRl DQovc2Jpbi9pZmNvbmZpZyBwZnN5bmMwIHN5bmNpZiBhdWUwDQovc2Jpbi9pZmNvbmZpZyBhdWUw IHVwDQovc2Jpbi9pZmNvbmZpZyBwZnN5bmMwIHVwDQplY2hvIENyZWF0aW5nIDAgLi4uDQovc2Jp bi9pZmNvbmZpZyBjYXJwMCBjcmVhdGUNCi9zYmluL2lmY29uZmlnIGNhcnAwIDE5Mi4xNjguMTAu OTkvMjQgYnJvYWRjYXN0IDE5Mi4xNjguMTAuMjU1IHZoaWQgMSBhZHZza2V3IDAgcGFzcyB3YW4N Ci9zYmluL2lmY29uZmlnIGNhcnAwIHVwDQplY2hvIENyZWF0aW5nIDEgLi4uDQovc2Jpbi9pZmNv bmZpZyBjYXJwMSBjcmVhdGUNCi9zYmluL2lmY29uZmlnIGNhcnAxIDE5Mi4xNjguMS4xMC8yNCBi cm9hZGNhc3QgMTkyLjE2OC4xLjI1NSB2aGlkIDIgYWR2c2tldyAwIHBhc3MgbGFuDQovc2Jpbi9p ZmNvbmZpZyBjYXJwMSB1cA0KL2V0Yy9yYy5maWx0ZXJfY29uZmlndXJlIw0KLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t 
LS0tLS0tLS0tLS0tLS0tLS0tLS0NCiMgL3NiaW4vcGZjdGwgLXZ2c3MgfCAvdXNyL2Jpbi9ncmVw IGNyZWF0b3IgfCAvdXNyL2Jpbi9jdXQgLWQiICIgLWY3IHwgL3Vzci9iaW4vc29ydCAtdQ0KMDhl NzI2MDANCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQojIGRtZXNnIC1hDQpDb3B5 cmlnaHQgKGMpIDE5OTItMjAwNSBUaGUgRnJlZUJTRCBQcm9qZWN0Lg0KQ29weXJpZ2h0IChjKSAx OTc5LCAxOTgwLCAxOTgzLCAxOTg2LCAxOTg4LCAxOTg5LCAxOTkxLCAxOTkyLCAxOTkzLCAxOTk0 DQogICAgICAgIFRoZSBSZWdlbnRzIG9mIHRoZSBVbml2ZXJzaXR5IG9mIENhbGlmb3JuaWEuIEFs bCByaWdodHMgcmVzZXJ2ZWQuDQpGcmVlQlNEIDUuNC1QUkVSRUxFQVNFICMxOiBUdWUgTWFyIDIy IDAzOjI2OjM5IFVUQyAyMDA1DQogICAgc3VsbHJpY2hAYnVpbGRlci5saXZlYnNkLmNvbTovdXNy L29iai91c3Ivc3JjL3N5cy9GUkVFU0JJRS41DQpUaW1lY291bnRlciAiaTgyNTQiIGZyZXF1ZW5j eSAxMTkzMTgyIEh6IHF1YWxpdHkgMA0KQ1BVOiBWSUEgQzMgTmVoZW1pYWgrUk5HK0FDRSAoMTAw Mi4yOC1NSHogNjg2LWNsYXNzIENQVSkNCiAgT3JpZ2luID0gIkNlbnRhdXJIYXVscyIgIElkID0g MHg2OTggIFN0ZXBwaW5nID0gOA0KICBGZWF0dXJlcz0weDM4MWI4M2Y8RlBVLFZNRSxERSxQU0Us VFNDLE1TUixTRVAsTVRSUixQR0UsQ01PVixQQVQsTU1YLEZYU1IsU1NFPg0KcmVhbCBtZW1vcnkg ID0gMjUxNTkyNzA0ICgyMzkgTUIpDQphdmFpbCBtZW1vcnkgPSAyMzY1NTIxOTIgKDIyNSBNQikN Cm5weDA6IDxtYXRoIHByb2Nlc3Nvcj4gb24gbW90aGVyYm9hcmQNCm5weDA6IElOVCAxNiBpbnRl cmZhY2UNCmNwdTAgb24gbW90aGVyYm9hcmQNCnBjaWIwOiA8SG9zdCB0byBQQ0kgYnJpZGdlPiBw Y2lidXMgMCBvbiBtb3RoZXJib2FyZA0KcGlyMDogPFBDSSBJbnRlcnJ1cHQgUm91dGluZyBUYWJs ZTogNyBFbnRyaWVzPiBvbiBtb3RoZXJib2FyZA0KcGNpMDogPFBDSSBidXM+IG9uIHBjaWIwDQph Z3AwOiA8VklBIDg2MnggKENMRTI2NikgaG9zdCB0byBQQ0kgYnJpZGdlPiBtZW0gMHhlNjAwMDAw MC0weGU2N2ZmZmZmIGF0IGRldmljZSAwLjAgb24gcGNpMA0KcGNpYjE6IDxQQ0ktUENJIGJyaWRn ZT4gYXQgZGV2aWNlIDEuMCBvbiBwY2kwDQpwY2kxOiA8UENJIGJ1cz4gb24gcGNpYjENCnBjaTE6 IDxkaXNwbGF5LCBWR0E+IGF0IGRldmljZSAwLjAgKG5vIGRyaXZlciBhdHRhY2hlZCkNCnZyMDog PFZJQSBWVDYxMDUgUmhpbmUgSUlJIDEwLzEwMEJhc2VUWD4gcG9ydCAweGQwMDAtMHhkMGZmIG1l bSAweGU2ODAwMDAwLTB4ZTY4MDAwZmYgaXJxIDEyIGF0IGRldmljZSAxNS4wIG9uIHBjaTANCm1p 
aWJ1czA6IDxNSUkgYnVzPiBvbiB2cjANCnVrcGh5MDogPEdlbmVyaWMgSUVFRSA4MDIuM3UgbWVk aWEgaW50ZXJmYWNlPiBvbiBtaWlidXMwDQp1a3BoeTA6ICAxMGJhc2VULCAxMGJhc2VULUZEWCwg MTAwYmFzZVRYLCAxMDBiYXNlVFgtRkRYLCBhdXRvDQp2cjA6IEV0aGVybmV0IGFkZHJlc3M6IDAw OjQwOjYzOmRiOjhhOmE1DQp1aGNpMDogPFZJQSA4M0M1NzIgVVNCIGNvbnRyb2xsZXI+IHBvcnQg MHhkNDAwLTB4ZDQxZiBpcnEgMTEgYXQgZGV2aWNlIDE2LjAgb24gcGNpMA0KdXNiMDogPFZJQSA4 M0M1NzIgVVNCIGNvbnRyb2xsZXI+IG9uIHVoY2kwDQp1c2IwOiBVU0IgcmV2aXNpb24gMS4wDQp1 aHViMDogVklBIFVIQ0kgcm9vdCBodWIsIGNsYXNzIDkvMCwgcmV2IDEuMDAvMS4wMCwgYWRkciAx DQp1aHViMDogMiBwb3J0cyB3aXRoIDIgcmVtb3ZhYmxlLCBzZWxmIHBvd2VyZWQNCnVoY2kxOiA8 VklBIDgzQzU3MiBVU0IgY29udHJvbGxlcj4gcG9ydCAweGQ4MDAtMHhkODFmIGlycSAxMSBhdCBk ZXZpY2UgMTYuMSBvbiBwY2kwDQp1c2IxOiA8VklBIDgzQzU3MiBVU0IgY29udHJvbGxlcj4gb24g dWhjaTENCnVzYjE6IFVTQiByZXZpc2lvbiAxLjANCnVodWIxOiBWSUEgVUhDSSByb290IGh1Yiwg Y2xhc3MgOS8wLCByZXYgMS4wMC8xLjAwLCBhZGRyIDENCnVodWIxOiAyIHBvcnRzIHdpdGggMiBy ZW1vdmFibGUsIHNlbGYgcG93ZXJlZA0KdWhjaTI6IDxWSUEgODNDNTcyIFVTQiBjb250cm9sbGVy PiBwb3J0IDB4ZGMwMC0weGRjMWYgaXJxIDkgYXQgZGV2aWNlIDE2LjIgb24gcGNpMA0KdXNiMjog PFZJQSA4M0M1NzIgVVNCIGNvbnRyb2xsZXI+IG9uIHVoY2kyDQp1c2IyOiBVU0IgcmV2aXNpb24g MS4wDQp1aHViMjogVklBIFVIQ0kgcm9vdCBodWIsIGNsYXNzIDkvMCwgcmV2IDEuMDAvMS4wMCwg YWRkciAxDQp1aHViMjogMiBwb3J0cyB3aXRoIDIgcmVtb3ZhYmxlLCBzZWxmIHBvd2VyZWQNCmF1 ZTA6IEFETXRlayBVU0IgVG8gTEFOIENvbnZlcnRlciwgcmV2IDEuMTAvMS4wMSwgYWRkciAyDQpt aWlidXMxOiA8TUlJIGJ1cz4gb24gYXVlMA0KdWtwaHkxOiA8R2VuZXJpYyBJRUVFIDgwMi4zdSBt ZWRpYSBpbnRlcmZhY2U+IG9uIG1paWJ1czENCnVrcGh5MTogIDEwYmFzZVQsIDEwYmFzZVQtRkRY LCAxMDBiYXNlVFgsIDEwMGJhc2VUWC1GRFgsIGF1dG8NCmF1ZTA6IEV0aGVybmV0IGFkZHJlc3M6 IDAwOjA1OjFiOjAwOjQxOmQ1DQphdWUwOiBpZl9zdGFydCBydW5uaW5nIGRlZmVycmVkIGZvciBH aWFudA0KcGNpMDogPHNlcmlhbCBidXMsIFVTQj4gYXQgZGV2aWNlIDE2LjMgKG5vIGRyaXZlciBh dHRhY2hlZCkNCmlzYWIwOiA8UENJLUlTQSBicmlkZ2U+IGF0IGRldmljZSAxNy4wIG9uIHBjaTAN CmlzYTA6IDxJU0EgYnVzPiBvbiBpc2FiMA0KYXRhcGNpMDogPFZJQSA4MjM1IFVETUExMzMgY29u 
dHJvbGxlcj4gcG9ydCAweGUwMDAtMHhlMDBmLDB4Mzc2LDB4MTcwLTB4MTc3LDB4M2Y2LDB4MWYw LTB4MWY3IGF0IGRldmljZSAxNy4xIG9uIHBjaTANCmF0YTA6IGNoYW5uZWwgIzAgb24gYXRhcGNp MA0KYXRhMTogY2hhbm5lbCAjMSBvbiBhdGFwY2kwDQp2cjE6IDxWSUEgVlQ2MTAyIFJoaW5lIElJ IDEwLzEwMEJhc2VUWD4gcG9ydCAweGU0MDAtMHhlNGZmIG1lbSAweGU2ODAyMDAwLTB4ZTY4MDIw ZmYgaXJxIDExIGF0IGRldmljZSAxOC4wIG9uIHBjaTANCm1paWJ1czI6IDxNSUkgYnVzPiBvbiB2 cjENCnVrcGh5MjogPEdlbmVyaWMgSUVFRSA4MDIuM3UgbWVkaWEgaW50ZXJmYWNlPiBvbiBtaWli dXMyDQp1a3BoeTI6ICAxMGJhc2VULCAxMGJhc2VULUZEWCwgMTAwYmFzZVRYLCAxMDBiYXNlVFgt RkRYLCBhdXRvDQp2cjE6IEV0aGVybmV0IGFkZHJlc3M6IDAwOjQwOjYzOmRiOjhhOjc0DQpvcm0w OiA8SVNBIE9wdGlvbiBST00+IGF0IGlvbWVtIDB4YzAwMDAtMHhjZGZmZiBvbiBpc2EwDQpwbXRp bWVyMCBvbiBpc2EwDQphdGtiZGMwOiA8S2V5Ym9hcmQgY29udHJvbGxlciAoaTgwNDIpPiBhdCBw b3J0IDB4NjQsMHg2MCBvbiBpc2EwDQphdGtiZDA6IDxBVCBLZXlib2FyZD4gaXJxIDEgb24gYXRr YmRjMA0Ka2JkMCBhdCBhdGtiZDANCnZnYTA6IDxHZW5lcmljIElTQSBWR0E+IGF0IHBvcnQgMHgz YzAtMHgzZGYgaW9tZW0gMHhhMDAwMC0weGJmZmZmIG9uIGlzYTANCnNjMDogPFN5c3RlbSBjb25z b2xlPiBhdCBmbGFncyAweDEwMCBvbiBpc2EwDQpzYzA6IFZHQSA8MTYgdmlydHVhbCBjb25zb2xl cywgZmxhZ3M9MHgzMDA+DQpzaW8wIGF0IHBvcnQgMHgzZjgtMHgzZmYgaXJxIDQgZmxhZ3MgMHgx MCBvbiBpc2EwDQpzaW8wOiB0eXBlIDE2NTUwQQ0Kc2lvMSBhdCBwb3J0IDB4MmY4LTB4MmZmIGly cSAzIG9uIGlzYTANCnNpbzE6IHR5cGUgMTY1NTBBDQpwcGMwOiA8UGFyYWxsZWwgcG9ydD4gYXQg cG9ydCAweDM3OC0weDM3ZiBpcnEgNyBvbiBpc2EwDQpwcGMwOiBHZW5lcmljIGNoaXBzZXQgKEVQ UC9OSUJCTEUpIGluIENPTVBBVElCTEUgbW9kZQ0KcHBidXMwOiA8UGFyYWxsZWwgcG9ydCBidXM+ IG9uIHBwYzANCnBsaXAwOiA8UExJUCBuZXR3b3JrIGludGVyZmFjZT4gb24gcHBidXMwDQpscHQw OiA8UHJpbnRlcj4gb24gcHBidXMwDQpscHQwOiBJbnRlcnJ1cHQtZHJpdmVuIHBvcnQNCnBwaTA6 IDxQYXJhbGxlbCBJL08+IG9uIHBwYnVzMA0KdW5rbm93bjogPFBOUDAzMDM+IGNhbid0IGFzc2ln biByZXNvdXJjZXMgKHBvcnQpDQpzcGVha2VyMDogPFBDIHNwZWFrZXI+IGF0IHBvcnQgMHg2MSBv biBpc2EwDQp1bmtub3duOiA8UE5QMDUwMT4gY2FuJ3QgYXNzaWduIHJlc291cmNlcyAocG9ydCkN CnVua25vd246IDxQTlAwNDAwPiBjYW4ndCBhc3NpZ24gcmVzb3VyY2VzIChwb3J0KQ0KdW5rbm93 
bjogPFBOUDA1MDE+IGNhbid0IGFzc2lnbiByZXNvdXJjZXMgKHBvcnQpDQpUaW1lY291bnRlciAi VFNDIiBmcmVxdWVuY3kgMTAwMjI3OTA5MCBIeiBxdWFsaXR5IDgwMA0KVGltZWNvdW50ZXJzIHRp Y2sgZXZlcnkgMS4wMDAgbXNlYw0KRmFzdCBJUHNlYzogSW5pdGlhbGl6ZWQgU2VjdXJpdHkgQXNz b2NpYXRpb24gUHJvY2Vzc2luZy4NCmF0YTAtbWFzdGVyOiBGQUlMVVJFIC0gU0VURkVBVFVSRVMg U0VUIFRSQU5TRkVSIE1PREUgc3RhdHVzPTUxPFJFQURZLERTQyxFUlJPUj4gZXJyb3I9NDxBQk9S VEVEPg0KYXRhMC1tYXN0ZXI6IEZBSUxVUkUgLSBTRVRGRUFUVVJFUyBTRVQgVFJBTlNGRVIgTU9E RSBzdGF0dXM9NTE8UkVBRFksRFNDLEVSUk9SPiBlcnJvcj00PEFCT1JURUQ+DQphZDA6IEZBSUxV UkUgLSBTRVRGRUFUVVJFUyBFTkFCTEUgUkNBQ0hFIHN0YXR1cz01MTxSRUFEWSxEU0MsRVJST1I+ IGVycm9yPTQ8QUJPUlRFRD4NCmFkMDogRkFJTFVSRSAtIFNFVEZFQVRVUkVTIEVOQUJMRSBXQ0FD SEUgc3RhdHVzPTUxPFJFQURZLERTQyxFUlJPUj4gZXJyb3I9NDxBQk9SVEVEPg0KYWQwOiAyNDZN QiA8U0FNU1VORyBDRi9BVEEvUmV2IDcuMD4gWzk4NS8xNi8zMl0gYXQgYXRhMC1tYXN0ZXIgQklP U1BJTw0KTW91bnRpbmcgcm9vdCBmcm9tIHVmczovZGV2L2FkMHMxYQ0KV0FSTklORzogLyB3YXMg bm90IHByb3Blcmx5IGRpc21vdW50ZWQNCg0KU3RhcnRpbmcgcGZTZW5zZSAuLi4NCg0KV0FSTklO RzogUi9XIG1vdW50IG9mIC8gZGVuaWVkLiAgRmlsZXN5c3RlbSBpcyBub3QgY2xlYW4gLSBydW4g ZnNjaw0KbW91bnQ6DQovZGV2L2FkMHMxYQ0KOg0KT3BlcmF0aW9uIG5vdCBwZXJtaXR0ZWQNCioq IC9kZXYvYWQwczFhDQoqKiBMYXN0IE1vdW50ZWQgb24gLw0KKiogUm9vdCBmaWxlIHN5c3RlbQ0K KiogUGhhc2UgMSAtIENoZWNrIEJsb2NrcyBhbmQgU2l6ZXMNCioqIFBoYXNlIDIgLSBDaGVjayBQ YXRobmFtZXMNCioqIFBoYXNlIDMgLSBDaGVjayBDb25uZWN0aXZpdHkNCioqIFBoYXNlIDQgLSBD aGVjayBSZWZlcmVuY2UgQ291bnRzDQoqKiBQaGFzZSA1IC0gQ2hlY2sgQ3lsIGdyb3Vwcw0KMzMz MCBmaWxlcywgNjg2ODEgdXNlZCwgMTQ5NTM0IGZyZWUgKDE5MCBmcmFncywgMTg2NjggYmxvY2tz LCAwLjElIGZyYWdtZW50YXRpb24pDQoNCioqKioqIEZJTEUgU1lTVEVNIE1BUktFRCBDTEVBTiAq KioqKg0Ka2VybmVsIGR1bXBzIG9uIC9kZXYvYWQwczFiDQpzd2Fwb246IGFkZGluZyAvZGV2L2Fk MHMxYiBhcyBzd2FwIGRldmljZQ0Kc2F2ZWNvcmU6IG5vIGR1bXBzIGZvdW5kDQpuZXQuaW5ldC50 Y3Auc2Fjay5lbmFibGU6DQoxDQogLT4NCjANCg0KU3luY2luZyBtYXN0ZXIucGFzc3dkLi4uDQpJ bml0aWFsaXppbmcgdGltZXpvbmUuLi4NCmRvbmUNCkluaXRpYWxpemluZyBQQyBjYXJkcy4uLg0K 
ZmFpbGVkIChwcm9iYWJseSBubyBQQyBjYXJkIGNvbnRyb2xsZXIgcHJlc2VudCkNCkNvbmZpZ3Vy aW5nIExBTiBpbnRlcmZhY2UuLi4NCmRvbmUNCkNvbmZpZ3VyaW5nIFdBTiBpbnRlcmZhY2UuLi4N CmRvbmUNCkNvbmZpZ3VyaW5nIE9QVDEgKFN5bmMpIGludGVyZmFjZS4uLg0KZG9uZQ0KTWFyIDI2 IDIxOjA3OjI3IHBmbG9nZFsxNjhdOiBbcHJpdl06IG1zZyBQUklWX09QRU5fTE9HIHJlY2VpdmVk DQpDb25maWd1cmluZyBmaXJld2FsbC4uLg0KZG9uZQ0KU3RhcnRpbmcgc3lzbG9nIHNlcnZpY2Uu Li4NCmRvbmUNClN0YXJ0aW5nIHdlYkdVSS4uLg0KZG9uZQ0KU3RhcnRpbmcgRE5TIGZvcndhcmRl ci4uLg0KZG9uZQ0KU3RhcnRpbmcgREhDUCBzZXJ2aWNlLi4uDQpkb25lDQpTdGFydGluZyBOVFAg Y2xpZW50Li4uDQpkb25lDQpTdGFydGluZyBJTkVURCBhbmQgRlRQIEhlbHBlcnMgZm9yIEZUUC1Q Uk9YWS4uLg0KU3RhcnRpbmcgU2VjdXJlIFNoZWxsIFNlcnZpY2VzLi4uDQpEb25lLg0KDQpTdGFy dGluZyBVU0IuLi4NClN5bmNpbmcgcGFja2FnZSBjb25maWd1cmF0aW9ucy4uLg0KU3luY2luZyBw YWNrYWdlczoNCiBjYXJwDQp2cjE6IHByb21pc2N1b3VzIG1vZGUgZW5hYmxlZA0KdnIwOiBwcm9t aXNjdW91cyBtb2RlIGVuYWJsZWQNCmFycF9ydHJlcXVlc3Q6IGJhZCBnYXRld2F5IDE5Mi4xNjgu MTAuOTkgKCFBRl9MSU5LKQ0KYXJwX3J0cmVxdWVzdDogYmFkIGdhdGV3YXkgMTkyLjE2OC4xLjEw ICghQUZfTElOSykNCi4NCkV4ZWN1dGluZyByYy5kIGl0ZW1zLi4uDQpTdGFydGluZyAvdXNyL2xv Y2FsL2V0Yy9yYy5kL2NhcnAuc2guLi4NCkZpbmFsIGZpcmV3YWxsIHNldHVwIGluIHByb2dyZXNz Li4uDQoNCldlbGNvbWUgdG8gcGZTZW5zZSAocmlnaHQtcGZTZW5zZS5sb2NhbCkgKGNvbnNvbGUp DQoNCkNvcHlyaWdodCAoYykgMTk5Mi0yMDA1IFRoZSBGcmVlQlNEIFByb2plY3QuDQpDb3B5cmln aHQgKGMpIDE5NzksIDE5ODAsIDE5ODMsIDE5ODYsIDE5ODgsIDE5ODksIDE5OTEsIDE5OTIsIDE5 OTMsIDE5OTQNCiAgICAgICAgVGhlIFJlZ2VudHMgb2YgdGhlIFVuaXZlcnNpdHkgb2YgQ2FsaWZv cm5pYS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4NCg0KDQoqKiogVGhpcyBpcyBwZlNlbnNlIHZlcnNp b24gMC41Ni4yLUJvYmJhQm9vZXktIzINCiAgICBDb3B5cmlnaHQgMjAwNCBTY290dCBVbGxyaWNo LiAgQWxsIHJpZ2h0cyByZXNlcnZlZC4NCiAgICBPcmlnaW5hbGx5IGJhc2VkIG9uIG0wbjB3YWxs LCB2ZXJzaW9uIDEuMmIxDQogICAgbTBuMHdhbGwgaXMgQ29weXJpZ2h0IDIwMDItMjAwNCBieSBN YW51ZWwgS2FzcGVyLiBBbGwgcmlnaHRzIHJlc2VydmVkDQoNCiAgICBMQU4gICAtPiAgIHZyMCAg IC0+ICAgMTkyLjE2OC4xLjINCiAgICBXQU4gICAtPiAgIHZyMSAgIC0+ICAgMTkyLjE2OC4xMC45 
Mg0KDQogICBPUFQxICAgLT4gICBhdWUwICAgLT4gICAxOTIuMTY4LjIwMC4yKFN5bmMpDQoNCg0K DQpwZlNlbnNlIGNvbnNvbGUgc2V0dXANCioqKioqKioqKioqKioqKioqKioqKioNCjApICBMb2dv dXQgaWYgYWNjZXNzaW5nIHZpYSBTU0gNCjEpICBJbnRlcmZhY2VzOiBhc3NpZ24gbmV0d29yayBw b3J0cw0KMikgIFNldCB1cCBMQU4gSVAgYWRkcmVzcw0KMykgIFJlc2V0IHdlYkdVSSBwYXNzd29y ZA0KNCkgIFJlc2V0IHRvIGZhY3RvcnkgZGVmYXVsdHMNCjUpICBSZWJvb3Qgc3lzdGVtDQo2KSAg SGFsdCBzeXN0ZW0NCjcpICBQaW5nIGhvc3QNCjgpICBTaGVsbA0KOSkgIFBGdG9wDQoNCkVudGVy IGEgbnVtYmVyOg0KDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KIyB1bmFtZSAt YQ0KRnJlZUJTRCByaWdodC1wZlNlbnNlLmxvY2FsIDUuNC1QUkVSRUxFQVNFIEZyZWVCU0QgNS40 LVBSRVJFTEVBU0UgIzE6IFR1ZSBNYXIgMjIgMDM6MjY6MzkgVVRDIDIwMDUgICAgIHN1bGxyaWNo QGJ1aWxkZXIubGl2ZWJzZC5jb206L3Vzci9vYmovdXNyL3NyYy9zeXMvRlJFRVNCSUUuNSAgaTM4 Ng0KDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== ------_=_NextPart_001_01C5324A.360344F0--