From: Jason Hellenthal
Subject: Re: Windows 7 + freebsd-pf + windows scale SYN-ACK problem
Date: Fri, 16 Aug 2013 15:24:26 -0400
To: Alexander
Cc: "freebsd-pf@freebsd.org"

Remove scrub on the interface. This is only an assumption that you have it in your rules file not appearing here? But I've noticed a similar behavior before with Windows 7.

Not sure if this might help either but turn off rxcsum and txcsum on lo0

-- 
Jason Hellenthal
Inbox: jhellenthal@DataIX.net
Voice: +1 (616) 953-0176
JJH48-ARIN

On Aug 16, 2013, at 10:22, Alexander wrote:

> On 16.08.2013 16:50, Daniel Hartmeier wrote:
>> On Fri, Aug 16, 2013 at 04:16:34PM +0400, Alexander wrote:
>>
>>> Now my question is, is there any solution to stop PF block syn-ack
>>> packets that don't have wscale option in a connection where syn
>>> packet has it (in my case wscale proposed by windows 7 host is 8)
>> The missing wscale on the SYN-ACK is not the reason pf is blocking the
>> packet. This case is quite common: if the client supports (and offers)
>> window scaling, but the server doesn't support it. If pf would not work
>> in this case, more people would have noticed already ;)
>>
>> So, what other reasons could there be for the reply to arrive on the
>> external interface but not get forwarded to the internal interface
>> (that's what you verified, right?)?
>>
>> Check pfctl -si output before and after reproducing the problem,
>> are any counters increasing? If you simply disable pf for a test,
>> does it work?
>>
>> Same with netstat -sp ip|tcp
>>
>> HTH,
>> Daniel
> Big thanks to your feedback.
>> (that's what you verified, right?)?
>
> Yes, I surely did. On $if_int my dump doesn't notice any [S.] packets from server and on client using wireshark I don't see them as well.
> tcpdump -i vlan1 host 172.29.67.67 and host 172.29.27.204
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on vlan1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 18:21:00.553449 IP 172.29.27.204.55111 > 172.29.67.67.6666: Flags [S], seq 3377056805, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 18:21:03.559818 IP 172.29.27.204.55111 > 172.29.67.67.6666: Flags [S], seq 3377056805, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 18:21:04.868003 IP 172.29.27.204.55114 > 172.29.67.67.6666: Flags [S], seq 1159659251, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 18:21:05.003432 IP 172.29.27.204.55115 > 172.29.67.67.6666: Flags [S], seq 3718401262, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 18:21:05.144330 IP 172.29.27.204.55116 > 172.29.67.67.6666: Flags [S], seq 3444072516, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>
> Turning off PF works.
> Some more info:
> Before test:
> root@gate:~ # pfctl -si
> Status: Enabled for 0 days 00:26:54           Debug: Urgent
>
> State Table                          Total             Rate
>   current entries                      927
>   searches                       365228065       226287.5/s
>   inserts                          2898304         1795.7/s
>   removals                         2897377         1795.2/s
> Counters
>   match                            3310402         2051.1/s
> .............................................
>   ip-option                         108080           67.0/s
>   proto-cksum                            0            0.0/s
>   state-mismatch                      2648            1.6/s
>   state-insert                         214            0.1/s
> ...............................................
> After test:
> root@gate:~ # pfctl -si
> Status: Enabled for 0 days 00:27:00           Debug: Urgent
>
> State Table                          Total             Rate
>   current entries                      890
>   searches                       365299207       225493.3/s
>   inserts                          2898323         1789.1/s
>   removals                         2897433         1788.5/s
> Counters
>   match                            3310425         2043.5/s
> ...................................
>   ip-option                         108080           66.7/s
>   proto-cksum                            0            0.0/s
>   state-mismatch                      2650            1.6/s
>   state-insert                         214            0.1/s
> ..................................
>
> As I understand we have 2 packets (syn-acks I suppose) dropped due to state-mismatch.
> My further investigation revealed if I put following rules: (where vlan1 = $if_int, bge0 = $if_ext, and bridge0 to pass not natted traffic)
> block drop all
> pass quick on vlan1 inet proto tcp from 172.29.67.67 port = 6666 to no state
> pass quick on bge0 inet proto tcp from 172.29.67.67 port = 6666 to no state
> pass quick on bridge0 inet proto tcp from 172.29.67.67 port = 6666 to any no state
> pass quick on bridge0 inet proto tcp from to 172.29.67.67 port = 6666 no state
> pass quick on vlan1 inet proto tcp from to 172.29.67.67 port = 6666 no state
> pass quick on bge0 inet proto tcp from to 172.29.67.67 port = 6666 no state
> .....omitted...
>
> My connection with server (port 6666) starts to work and I think I can be satisfied by this solution. But I still cannot understand why packets are dropped without no state rules. As I revealed they are dropped between bridge0 and vlan 1 interfaces.
>
> (to be more specific - clients that experience this problem are not natted on gateway they are just filtered by pf)
>
> PS: Do I need to add netstat -sp outputs?
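
The before/after comparison of `pfctl -si` that Daniel asks for in the quoted text, done by a script instead of by eye. This is an added example, not part of the original thread: the function names and temporary file names are assumptions, and the sample snapshots are constructed from the figures Alexander quoted.

```shell
#!/bin/sh
# Added example (not from the thread): report which pf counters grew
# between two saved `pfctl -si` snapshots.

# pf_counter_delta BEFORE AFTER -> prints "name delta" for each counter that grew
pf_counter_delta() {
    awk '
        # Section headers start in column 1; pfctl indents the counter rows.
        /^[A-Za-z]/ { in_counters = ($1 == "Counters"); next }
        # Counter row: name, cumulative total, rate ending in "/s".
        in_counters && NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /\/s$/ {
            if (FILENAME == ARGV[1]) before[$1] = $2 + 0
            else if ($2 + 0 > before[$1] + 0)
                printf "%s %d\n", $1, $2 - before[$1]
        }
    ' "$1" "$2"
}

# Constructed sample: the quoted figures, laid out the way pfctl prints them.
sample_delta() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/pfdelta.XXXXXX") || return 1
    cat > "$dir/before.txt" <<'EOF'
State Table                          Total             Rate
  current entries                      927
  searches                       365228065       226287.5/s
Counters
  match                            3310402         2051.1/s
  ip-option                         108080           67.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      2648            1.6/s
  state-insert                         214            0.1/s
EOF
    cat > "$dir/after.txt" <<'EOF'
State Table                          Total             Rate
  current entries                      890
  searches                       365299207       225493.3/s
Counters
  match                            3310425         2043.5/s
  ip-option                         108080           66.7/s
  proto-cksum                            0            0.0/s
  state-mismatch                      2650            1.6/s
  state-insert                         214            0.1/s
EOF
    pf_counter_delta "$dir/before.txt" "$dir/after.txt"
    rm -rf "$dir"
}

sample_delta
```

The totals are global to the firewall, so on a gateway carrying other traffic a small delta such as the two state-mismatch hits here narrows down the drop reason but does not by itself tie those drops to the test connection.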