From owner-freebsd-net@freebsd.org Mon Mar 18 21:13:01 2019 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3B2DD154E5CE for ; Mon, 18 Mar 2019 21:13:01 +0000 (UTC) (envelope-from eric.bautsch@pobox.com) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 9701577294 for ; Mon, 18 Mar 2019 21:13:00 +0000 (UTC) (envelope-from eric.bautsch@pobox.com) Received: by mailman.ysv.freebsd.org (Postfix) id 56AA9154E5CD; Mon, 18 Mar 2019 21:13:00 +0000 (UTC) Delivered-To: net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 08876154E5CC for ; Mon, 18 Mar 2019 21:13:00 +0000 (UTC) (envelope-from eric.bautsch@pobox.com) Received: from pb-smtp20.pobox.com (pb-smtp20.pobox.com [173.228.157.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9BB7977291 for ; Mon, 18 Mar 2019 21:12:58 +0000 (UTC) (envelope-from eric.bautsch@pobox.com) Received: from pb-smtp20.pobox.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 833F859C0E; Mon, 18 Mar 2019 17:12:51 -0400 (EDT) (envelope-from eric.bautsch@pobox.com) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=subject:from :to:references:message-id:date:mime-version:in-reply-to :content-type; s=sasl; bh=PbmOpSec50TDdOAxW/jpWD80uS4=; b=NaGP97 KuyM/RUu2FdGkuiK0PEZHYlY0HR64NNhaymoo+QWCu1JcIulF64gHQSzctGQEE3h aV1GXJiZGcRKQSiGRyf8JlHljNxpmTTe8be+euYvyX5eQMPVoHeo1nywclC10sJf AUo+if8vvEbobUnFwibBplML+YwTnNDlKp3Vc= DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=subject:from:to :references:message-id:date:mime-version:in-reply-to :content-type; q=dns; s=sasl; b=w0jU+fHkWMlHELiKdqtSA/8rNlmmsryW yRTLwCVcfnd4q0kkEsIyFHvdzyaYoTxiT6Wyw6ImYI9mGh4i6kPaRkwHBAE4bpmO JdQ8rwEhVZmVBeBPjk+wpFLNm9KKI0vkeZJTjdqinR7NkuSjph2jzdouHKKMMuCl tJ3Oie+GUsE= Received: from pb-smtp20.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 7B39B59C0D; Mon, 18 Mar 2019 17:12:51 -0400 (EDT) (envelope-from eric.bautsch@pobox.com) Received: from swangage.co.uk (unknown [80.247.22.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp20.pobox.com (Postfix) with ESMTPSA id 90D4E59C0C; Mon, 18 Mar 2019 17:12:47 -0400 (EDT) (envelope-from eric.bautsch@pobox.com) Received: from [192.168.140.93] (host-93 [192.168.140.93]) (authenticated bits=0) by juliet.swangage.co.uk (8.14.7/8.14.7) with ESMTP id x2ILCbV2025329 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Mon, 18 Mar 2019 21:12:42 GMT Subject: Re: Bridges on VLAN-tagged interfaces. From: Eric Bautsch To: Harry Schmalzbauer , net@freebsd.org References: <716a2edd-96f5-c263-2bd4-38a30808f241@omnilan.de> <050a68a3-7581-4985-e54a-e045259e8cfd@omnilan.de> Message-ID: <77aa3369-a6f0-e9c4-e54e-9fab0d41a937@pobox.com> Date: Mon, 18 Mar 2019 21:12:32 +0000 User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:52.0) Gecko/20100101 Thunderbird/52.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms060201070907080004020606" X-Pobox-Relay-ID: 9489B0E4-49C2-11E9-953D-D01F9763A999-54785156!pb-smtp20.pobox.com X-Rspamd-Queue-Id: 9BB7977291 X-Spamd-Bar: --------- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=pobox.com header.s=sasl header.b=NaGP97 K; dmarc=pass (policy=none) header.from=pobox.com; spf=pass (mx1.freebsd.org: domain of eric.bautsch@pobox.com designates 173.228.157.52 as permitted sender) smtp.mailfrom=eric.bautsch@pobox.com X-Spamd-Result: default: False [-9.82 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:173.228.157.0/24]; HAS_ATTACHMENT(0.00)[]; DKIM_TRACE(0.00)[pobox.com:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[pobox.com,none]; MX_GOOD(-0.01)[pb-mx11.pobox.com,pb-mx20.pobox.com,pb-mx22.pobox.com,pb-mx10.pobox.com,pb-mx14.pobox.com,pb-mx21.pobox.com,pb-mx23.pobox.com,pb-mx9.pobox.com]; NEURAL_HAM_SHORT(-0.98)[-0.982,0]; FROM_EQ_ENVFROM(0.00)[]; RCVD_TLS_LAST(0.00)[]; IP_SCORE(-3.62)[ip: (-9.89), ipnet: 173.228.157.0/24(-4.72), asn: 11403(-3.44), country: US(-0.07)]; RCVD_IN_DNSWL_LOW(-0.10)[52.157.228.173.list.dnswl.org : 127.0.5.1]; ASN(0.00)[asn:11403, ipnet:173.228.157.0/24, country:US]; MID_RHS_MATCH_FROM(0.00)[]; DWL_DNSWL_NONE(0.00)[pobox.com.dwl.dnswl.org : 127.0.5.0]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[pobox.com:s=sasl]; RCVD_COUNT_FIVE(0.00)[5]; FROM_HAS_DN(0.00)[]; SIGNED_SMIME(-2.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.20)[multipart/signed,multipart/alternative,text/plain]; MIME_TRACE(0.00)[0:+,1:+,2:+]; TO_MATCH_ENVRCPT_SOME(0.00)[] X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Mar 2019 21:13:01 -0000 This is a cryptographically signed message in MIME format. --------------ms060201070907080004020606 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Hi All. OK, slight reset: I have no idea what I did wrong last time (I suspect so= mething=20 to do with my rc.conf settings, more on that later), but what I can now d= o is this: I can get my base interface re0 configured with an IP address and at the = same=20 time have an re0.33 interface (on VLAN 33) inside a bridge (bridge0 in th= is=20 case), then configure an IP on bridge0 and get both (!) to ping. I would have sworn I had tried this and it hadn't worked, but alas, it no= w does.=20 I think this is because I tested something slightly different last time a= nd had=20 a bridge created on re0 via settings in rc.conf. If I do that, I can't se= em to=20 get my networking to work after. But that's a problem for a different day= =2E.. The problem that still persists and that I need to fix (in order to be ab= le to=20 use FreeBSD as my host for my VMs, which is where this is all going) is t= his: I now have a bridge0 on re0.33 which works, great. I now configure a bridge1 which contains re0 and put an IP on that bridge= , and=20 hey presto, that IP pings, but the IP on bridge0 on VLAN 33 stops pinging= =2E It seems that at the point where I put re0 inside a bridge, the other bri= dge=20 doesn't get any IP traffic any more. Funnily enough, if I configure a bridge0 on re0 and then plumb up an re0.= 33,=20 both of them ping, too. But no matter what I do, a bridge on re0 prevents another bridge on any o= f the=20 vlan tagged interfaces from working. Someone at some point told me that the untagged network on FreeBSD cannot= really=20 be used if I also have tagged VLANs on the same hardware, but I hope that= 's not=20 true and that I need some magic incantation.... I was considering if I could somehow "clone" my re0 interface and put tha= t clone=20 into my bridge, but I haven't been able to find a way of doing that. I al= so=20 tried to create an re0.0 in the hopes that that would signify untagged, b= ut=20 FreeBSD doesn't allow this. Any pointers greatly appreciated. Thanks. Eric P.S. Yes, I appreciate that I can just present that untagged VLAN as a ta= gged=20 one and then my problems go away, but then I need to create a new VLAN to= use=20 untagged, so that I can do network installations on that, which would nee= d to=20 either be routed or have DNS, YP, etc. services on it as well as of cours= e an=20 installation server, so that'd be a huge amount of work.... On 16/03/2019 20:09, Eric Bautsch wrote: > Thanks, Harry. > > I'll hopefully get a chance to try this tomorrow.... I'll let the list = know=20 > the outcome. > > > Eric > > > P.S. Sorry for the formatting, no idea why that got re-formatted on the= list..... > > > > On 15/03/19 11:02, Harry Schmalzbauer wrote: >> Am 15.03.2019 um 11:21 schrieb Harry Schmalzbauer: >>> Am 11.03.2019 um 11:48 schrieb Eric Bautsch: >>> =E2=80=A6 >>>> |ifconfig bridge create ifconfig bridge1 addm re0.33| >>>> >>>> If I now put an IP on that bridge instead of re0.33, it does not pin= g. >>>> >>>> If I do a broadcast ping from another host on that network thus (Sol= aris=20 >>>> system issuing the ping): >>>> ping -sn 192.168.33.255 >>>> >>>> I can see packets arriving if I |tcpdump -i re0.33| and if I |tcpdum= p -i=20 >>>> bridge1| >>>> However, on neither interface do I see any pings coming in when I pi= ng it's=20 >>>> own address (in this case 192.168.33.20). >>> >>> IP stack processes them without passing it to the interface(s), so th= at's=20 >>> not unusual. >>> >>> >>>> The Solaris system issuing the pings has learned the arp address of = the=20 >>>> bridge though: >>>> Code: >>>> >>>> |root@gaspra # arp -an | grep 192.168.33.20 net1 192.168.33.20=20 >>>> 255.255.255.255 02:a7:91:b6:3a:01| >>>> >>>> If I |tcpdump -i bridge1|, I do get some packets, but not any echo r= equests: >>>> Code: >>>> >>>> |root@bianca # tcpdump -i bridge1 tcpdump: verbose output suppressed= , use=20 >>>> -v or -vv for full protocol decode listening on bridge1, link-type E= N10MB=20 >>>> (Ethernet), capture size 262144 bytes 11:05:26.081185 ARP, Request w= ho-has=20 >>>> 192.168.33.20 (Broadcast) tell juliet-punchin.swangage.co.uk, length= 46=20 >>>> 11:05:26.081197 ARP, Reply 192.168.33.20 is-at 02:a7:91:b6:3a:01 (ou= i=20 >>>> Unknown), length 28 11:05:38.201079 IP6 fe80::7285:c2ff:fea6:583c > = >>>> ff02::2: ICMP6, router solicitation, length 16 11:06:04.079441 ARP, = Request=20 >>>> who-has 192.168.33.20 (Broadcast) tell juliet-punchin.swangage.co.uk= ,=20 >>>> length 46 11:06:04.079464 ARP, Reply 192.168.33.20 is-at 02:a7:91:b6= :3a:01=20 >>>> (oui Unknown), length 28 11:06:17.588644 ARP, Request who-has 192.16= 8.33.20=20 >>>> (Broadcast) tell gaspra-punchin.swangage.co.uk, length 46 11:06:17.5= 88665=20 >>>> ARP, Reply 192.168.33.20 is-at 02:a7:91:b6:3a:01 (oui Unknown), leng= th 28| >>> >>> If I read it corretcly, all you get are ethernet broadcast frames. >>> (Hard) Reading next: >>> =E2=80=A6 >>>> |root@bianca # ifconfig -a re0:=20 >>>> flags=3D8943 metric = 0 mtu=20 >>>> 1500=20 >>>> options=3D8209b=20 >>>> ether 80=F0=9F=87=AA=F0=9F=87=AA73:63:5c:48 media: Ethernet autosele= ct (1000baseT=20 >>>> ) status: active nd6=20 >>>> options=3D29 lo0:=20 >>>> flags=3D8049 metric 0 mtu 16384=20 >>>> options=3D680003 in= et6 ::1=20 >>>> prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 inet 127.0.= 0.1=20 >>>> netmask 0xff000000 groups: lo nd6 options=3D21=20 >>>> bridge0: flags=3D8843 metric= 0 mtu=20 >>>> 1500 ether 02:a7:91:b6:3a:00 inet 192.168.140.85 netmask 0xffffff00 = >>>> broadcast 192.168.140.255 id 00:00:00:00:00:00 priority 32768 hellot= ime 2=20 >>>> fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200= root=20 >>>> id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: re0=20 >>>> flags=3D143 ifmaxaddr 0 port 1 p= riority=20 >>>> 128 path cost 55 groups: bridge nd6 options=3D9=20 >>>> re0.33: flags=3D8943= metric 0=20 >>>> mtu 1500 options=3D80003 ether 80=F0=9F=87=AA= =F0=9F=87=AA73:63:5c:48=20 >>>> inet6 fe80::82ee:73ff:fe63:5c48%re0.33 prefixlen 64 scopeid 0x4 grou= ps:=20 >>>> vlan vlan: 33 vlanpcp: 0 parent interface: re0 media: Ethernet autos= elect=20 >>>> (1000baseT ) status: active nd6=20 >>>> options=3D21 bridge1:=20 >>>> flags=3D8843 metric 0 mtu 15= 00 ether=20 >>>> 02:a7:91:b6:3a:01 inet 192.168.33.20 netmask 0xffffff00 broadcast=20 >>>> 192.168.33.255 id 00:00:00:00:00:00 priority 32768 hellotime 2 fwdde= lay 15=20 >>>> maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 root id=20 >>>> 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: re0.33=20 >>>> flags=3D143 ifmaxaddr 0 port 4 p= riority=20 >>>> 128 path cost 20000 groups: bridge nd6 options=3D9=20 >>>> root@bianca #| >>> >>> Here you have a universally administered addresses (UAA) on the paren= t=20 >>> interface re0, which is the same for the vlan clone re0.33, and a loc= ally=20 >>> administered addresses (LAA) on if_bridge(4), which was verified to b= e=20 >>> announced. >>> In order to get through the MAC filter of the ethernet interface, re0= =2E33=20 >>> must be in PROMISC mode. >>> I remember having seen two different PROMISC interface status =E2=80=93= never=20 >>> tracked it down. But issuing 'ifconfig re0.33 promisc' might result = in a=20 >>> second PROMISC status report on re0.33 and a working setup... >> >> Should have read man page before posting, sorry. This is supposed to = be done=20 >> by ifconfig(8)'s "addm" command. >> But like mentioned, I can see PROMISC _two_ times in the interface sta= tus=20 >> line of ifconfig(8), after putting the interface manually in permanent= =20 >> promisc mode (stable/12). >> >> Don't know how the filter of the parent interface is involved in the v= lan=20 >> clone and I have no idea if "addm" respects it, in case it is involved= =2E >> Before code inspection, I'd try and put the parent re0 manually into=20 >> permanent promisc mode and see if you can see unicast frames afterward= s. >> >> -Harry >> >> -- =20 ____ / . Eric A. Bautsch /-- __ ___ __________________________________= ____ / / / / / (_____/____(___(__________________/ email: eric.bautsch@pobox.co= m --------------ms060201070907080004020606 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC DFIwggNiMIIC6KADAgECAggwtYJcB7vEnDAKBggqhkjOPQQDAzBSMQswCQYDVQQGEwJFUzEU MBIGA1UECgwLU3RhcnRDb20gQ0ExLTArBgNVBAMMJFN0YXJ0Q29tIENlcnRpZmljYXRpb24g QXV0aG9yaXR5IEVDQzAeFw0xNzA0MjgwODAwMzVaFw0zNzA0MjgwODAwMzVaMGkxCzAJBgNV BAYTAkVTMRQwEgYDVQQKDAtTdGFydENvbSBDQTEpMCcGA1UECwwgU3RhcnRDb20gQ2VydGlm aWNhdGlvbiBBdXRob3JpdHkxGTAXBgNVBAMMEFN0YXJ0Q29tIENDMiBJQ0EwdjAQBgcqhkjO PQIBBgUrgQQAIgNiAAR7hlYvM7ymfqRetYHdncaz11zCyZQbJofX1jT1FiEsyKH7WFh7k9cN BMbe9RUh7mq6EcCcP7rHdV1yhkx9CNT8KSSDHIIWB1RbmK5XtKvK4BLQ1pLUbzvGVz/YBYro HK+jggFyMIIBbjBtBggrBgEFBQcBAQRhMF8wNQYIKwYBBQUHMAKGKWh0dHA6Ly9haWEuc3Rh cnRjb21jYS5jb20vY2VydHMvY2FjYzIuY3J0MCYGCCsGAQUFBzABhhpodHRwOi8vb2NzcC5z dGFydGNvbWNhLmNvbTAdBgNVHQ4EFgQUPLfG3okmWlcDidCvMGpGDgzq3GYwEgYDVR0TAQH/ BAgwBgEB/wIBADAfBgNVHSMEGDAWgBSeiMCybDMJy/8hfr/qnwiGu32qGTBBBgNVHSAEOjA4 MDYGBFUdIAAwLjAsBggrBgEFBQcCARYgaHR0cDovL3d3dy5zdGFydGNvbWNhLmNvbS9wb2xp Y3kwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL2NybC5zdGFydGNvbWNhLmNvbS9zZnNjYWNj Mi5jcmwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAK BggqhkjOPQQDAwNoADBlAjEAxVHjDb7E+HcRO7j3UZg3lyI/6MgNJuD/Fc/5HTtjZc5B0iVz eeERiqV1sGJ/h9h8AjAlmjRwgkRXx8hJVcCzCCBl95zytvLdJdGPrBJHEaFJnsYX8FQZGB86 0clRb9QPXXQwggQzMIIDuKADAgECAghYh6dhuIrClTAKBggqhkjOPQQDAzBpMQswCQYDVQQG EwJFUzEUMBIGA1UECgwLU3RhcnRDb20gQ0ExKTAnBgNVBAsMIFN0YXJ0Q29tIENlcnRpZmlj YXRpb24gQXV0aG9yaXR5MRkwFwYDVQQDDBBTdGFydENvbSBDQzIgSUNBMB4XDTE3MDcwMzEw MzcyOVoXDTE5MDcwMzAyNDcwMFowSDElMCMGCSqGSIb3DQEJARYWZXJpYy5iYXV0c2NoQHBv Ym94LmNvbTEfMB0GA1UEAwwWZXJpYy5iYXV0c2NoQHBvYm94LmNvbTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMghw1tHL4eLIUgcw9dnIy+JADzgH7YBJYhZWNH8J6Vq2kiU UTpBjjTALMNWxj7PakNtMXjWHqnQjWESwwzlvnaQnvf2bBjYafiC8+D3oocW3OyaDOLVRDqx dI2n+Zr2RNTZw2erl2/cHrToVvOkuqZVftcL8EocMHeLuaEUfgaXQBmFhUJpzDvPsSLp99fg z5zOY+j3sHa6HOGke8NvR4bi8pKnkgCu5lo9HWHgVJ/Ip8Cqk2EzwaZ0DSGfpvfXtv+OuBqO s6VBJ19TibT9wfFeYeoesgKnS73zQKLoZG3yKcfYfZs9TxS5BEhWDWr6JFP8hUlhL+ZUi+X9 AFNAAx8CAwEAAaOCAZ4wggGaMHQGCCsGAQUFBwEBBGgwZjA8BggrBgEFBQcwAoYwaHR0cDov L2FpYS5zdGFydGNvbWNhLmNvbS9jZXJ0cy9zY2EuY2xpZW50MjIuY3J0MCYGCCsGAQUFBzAB hhpodHRwOi8vb2NzcC5zdGFydGNvbWNhLmNvbTAdBgNVHQ4EFgQUS/x/U30ucvaPvk4aAXYu Q8qcFskwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ8t8beiSZaVwOJ0K8wakYODOrcZjBIBgNV HSAEQTA/MD0GCysGAQQBgbU3AgIBMC4wLAYIKwYBBQUHAgEWIGh0dHA6Ly93d3cuc3RhcnRj b21jYS5jb20vcG9saWN5MDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6Ly9jcmwuc3RhcnRjb21j YS5jb20vc2NhLWNsaWVudDIyLmNybDAOBgNVHQ8BAf8EBAMCBLAwHQYDVR0lBBYwFAYIKwYB BQUHAwIGCCsGAQUFBwMEMCEGA1UdEQQaMBiBFmVyaWMuYmF1dHNjaEBwb2JveC5jb20wCgYI KoZIzj0EAwMDaQAwZgIxAKbrgOkZ5i8pHnjkbxiyZbOvisCA9Z+0/DZjPybtrKlk3l/dl7dd AqPaZHKFNjGkGgIxAITRkSRMx0zlIb1ajYqEe3lVeouUc253pu+FOlAr5qvvJjZ+Gyc4/7ud YIdBYQb4KzCCBLEwggKZoAMCAQICEEzFbU1ZMWzGD67YyYtePFkwDQYJKoZIhvcNAQEMBQAw fTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3Vy ZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRp ZmljYXRpb24gQXV0aG9yaXR5MB4XDTE3MDQxMTA3MzAwMVoXDTIyMDQxMTA3MzAwMVowUjEL MAkGA1UEBhMCRVMxFDASBgNVBAoMC1N0YXJ0Q29tIENBMS0wKwYDVQQDDCRTdGFydENvbSBD ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARtU/dM PcdNPiBafCl30C/R50Onc2/k4XgCYiJJrpw3hTs0B0P/+SZAknB0QU2BcIee3+22c5Ju/2UC meZoVbtekPtlX1g6CoN0fQbqaMUhBUIyxEFavSPBd3IQ4/Hi7KujggEEMIIBADAOBgNVHQ8B Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8v Y3JsLnN0YXJ0c3NsLmNvbS9zZnNjYS5jcmwwZgYIKwYBBQUHAQEEWjBYMCQGCCsGAQUFBzAB hhhodHRwOi8vb2NzcC5zdGFydHNzbC5jb20wMAYIKwYBBQUHMAKGJGh0dHA6Ly9haWEuc3Rh cnRzc2wuY29tL2NlcnRzL2NhLmNydDAdBgNVHQ4EFgQUnojAsmwzCcv/IX6/6p8Ihrt9qhkw HwYDVR0jBBgwFoAUTgvvGqRAW6UXaYcwyjRoQ9BBrvIwDQYJKoZIhvcNAQEMBQADggIBAJmQ Ot9REj3wllH11HazsdBP1WD+Wt98G651eGEhVIHupeiO3+fM9JUxYNXrqFCcjlaWABGFAOXv BAeBta7vT05Hk8TIC9/r2StixF+aQvbWq0DGiPOfX29FWKJEe/e0QHrqebP29cwwh2WbzsPz EBklt0xObEt+/6R7QB7kJkqYeggmFSOf7G6VBlKDMt1dabf2uWs0cYoNceBHWX+Bepkl+V16 MJ4eYtOOGMzfaqbszR7SP4zJWXVOXbSa0gvk8zcAveJBw2CQK8My7mKCPx3IEhtn70b5oEBU kGZpEbSCEI9XCs3VHpnZuB3s7PimeULw0Vkvkug0GdWBvGPgyCwDCdp9oXonZmCDkKVn2IuI PWpYfIwAD8hK6nn14mrHXnOcyr0BB93hC1Cv394cjnunn9DSEgTxLgQITvCcbVlZdUIBObMi hFFCz2EkySSYp5HmpUTFG+LhY9B2TevagHztoDbOg7BBvbLzetZh7kM7Dxqp2EVDJ7qhU0So OLH7zeMf93L8wmg9pK5niFIFY9KbRoc0s/lTl+o+pjSsIrXEOovlDBx3Eg4ysyyvQQErbuRD 0sRrpHYbaJySScoFK8nAEgkDO+Q4EC2/mlowjy5fM6X1+FmZFedPbd4G59OadRVe7sGEK/4G nvu0BZUbbkUhfoFg/iAUGX83w93l5bRJMYIDizCCA4cCAQEwdTBpMQswCQYDVQQGEwJFUzEU MBIGA1UECgwLU3RhcnRDb20gQ0ExKTAnBgNVBAsMIFN0YXJ0Q29tIENlcnRpZmljYXRpb24g QXV0aG9yaXR5MRkwFwYDVQQDDBBTdGFydENvbSBDQzIgSUNBAghYh6dhuIrClTANBglghkgB ZQMEAgEFAKCCAecwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN MTkwMzE4MjExMjMyWjAvBgkqhkiG9w0BCQQxIgQgYnCS9JAesR5gPeFjSv6Aqxk6i6HfkP/+ aMXAPhJo3scwbAYJKoZIhvcNAQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoG CCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggq hkiG9w0DAgIBKDCBhAYJKwYBBAGCNxAEMXcwdTBpMQswCQYDVQQGEwJFUzEUMBIGA1UECgwL U3RhcnRDb20gQ0ExKTAnBgNVBAsMIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 MRkwFwYDVQQDDBBTdGFydENvbSBDQzIgSUNBAghYh6dhuIrClTCBhgYLKoZIhvcNAQkQAgsx d6B1MGkxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtTdGFydENvbSBDQTEpMCcGA1UECwwgU3Rh cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGTAXBgNVBAMMEFN0YXJ0Q29tIENDMiBJ Q0ECCFiHp2G4isKVMA0GCSqGSIb3DQEBAQUABIIBACW7d3iHuyNnHn3rH7bis7h02Y5EwYE9 ljsvLQjkkuqfpuHDGkDDTKRM7OBy3UGNzyGcp/Qa1nTSpkylT24VYFq1KV0K50y7UVoukhls qD53P2O+OK14JUhQaRSa1qScSR+8dztWwVfWnGudFC+Gk7zvdJJKi5q0aHr5RG/69xLK/9cL o6EYexZCy9bNcxdoKC22+pP92OErJ4VmYFovPIC5VVPKhSBj4KooUYWOYhJI3/6mz/KmY/Ym Nhn2cZBbSV/W2utM6T79XebIJICD1ZfYKmmYh2RW3+HX+t1iw+Jvt1teiBIYwx5YIn9qPv2O pW5FSVsWc7+HzuNRw+rKZNMAAAAAAAA= --------------ms060201070907080004020606--