Date: Fri, 19 Apr 2024 15:39:51 +0200
From: Gerrit Kühn
To: freebsd-stable@freebsd.org
Subject: possible regression handling packet fragmentation in 14.0 with tftp/pxe
Message-ID: <20240419153951.5a23ce5f@arc.aei.uni-hannover.de>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

Hello,

I have found something that looks like a regression to me (but it may also be a bugfix, and I was just relying on the bug earlier :-). Anyway, I don't fully understand what is going on, maybe someone here has more insight than I do.

I have various router appliances based on FreeBSD. They act as NAT-routers, dns/dhcp-servers and vpn-servers (using tinc in switch mode as vpn solution). I have been using these in different incarnations for many years now (since 8.something afaicr), the systems work fine up to 13.3. With 14.0 I hit a strange issue:

Some of my LANs that FreeBSD is acting as NAT-gateway for (using pf for nat, including scrubbing) contain diskless machines that need to boot off a NFS-server that is located outside the LAN. To make this possible, the router and the NFS-server run a tinc-connection.
On the router, tinc's virtual TAP-interface is bridged with the physical interface of the LAN:

---
bridge0: flags=1008843 metric 0 mtu 1500
	options=0
	ether 58:9c:fc:10:ff:ed
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: tap0 flags=143
	        ifmaxaddr 0 port 7 priority 128 path cost 2000000
	member: ix3 flags=143
	        ifmaxaddr 0 port 4 priority 128 path cost 2000
	groups: bridge
	nd6 options=9
---

The remote server runs both nfsd for the diskless root and tftpd for PXE-booting. This was working fine up to 13.3. However, with the router under 14.0, the first step of the tftp-part (delivering pxelinux.0 from the syslinux package) fails and ends up in timeouts.

For the following:
192.168.130.3 is the diskless client trying to boot (Linux)
192.168.130.253 is the server for nfsroot and tftp (FreeBSD)
192.168.130.254 is the router and dhcp-server (FreeBSD 13.3/14.0)

The tftpd-server logs the following events for this in /var/log/xferlog when the client tries to boot via pxe:

---
Apr 19 11:37:40 192.168.130.253 tftpd[49562]: Filename: 'pxelinux.0'
Apr 19 11:37:40 192.168.130.253 tftpd[49562]: Mode: 'octet'
Apr 19 11:37:40 192.168.130.253 tftpd[49564]: Filename: 'pxelinux.0'
Apr 19 11:37:40 192.168.130.253 tftpd[49564]: Mode: 'octet'
Apr 19 11:37:40 192.168.130.253 tftpd[49564]: 192.168.130.3: read request for //pxelinux.0: success
Apr 19 11:37:45 192.168.130.253 tftpd[49564]: receive_packet: timeout
Apr 19 11:37:45 192.168.130.253 tftpd[49564]: Timeout #0 on ACK 1
Apr 19 11:37:50 192.168.130.253 tftpd[49564]: receive_packet: timeout
Apr 19 11:37:50 192.168.130.253 tftpd[49564]: Timeout #1 on ACK 1
Apr 19 11:37:55 192.168.130.253 tftpd[49564]: receive_packet: timeout
Apr 19 11:37:55 192.168.130.253 tftpd[49564]: Timeout #2 on ACK 1
Apr 19 11:38:00 192.168.130.253 tftpd[49564]: receive_packet: timeout
Apr 19 11:38:00 192.168.130.253 tftpd[49564]: Timeout #3 on ACK 1
Apr 19 11:38:05 192.168.130.253 tftpd[49564]: receive_packet: timeout
Apr 19 11:38:05 192.168.130.253 tftpd[49564]: Timeout #4 on ACK 1
Apr 19 11:38:10 192.168.130.253 tftpd[49564]: receive_packet: timeout
Apr 19 11:38:10 192.168.130.253 tftpd[49564]: Timeout #5 send ACK 1 giving up
---

A tcpdump for the MAC of the pxe client taken on the physical interface of the router looks like this:

---
11:37:36.843770 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:25:90:69:bf:ae, length 548
11:37:36.844639 IP 192.168.130.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 357
11:37:40.853302 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:25:90:69:bf:ae, length 548
11:37:40.855024 IP 192.168.130.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 357
11:37:40.855653 ARP, Request who-has 192.168.130.253 tell 192.168.130.3, length 46
11:37:40.856543 ARP, Reply 192.168.130.253 is-at 00:bd:df:ce:fa:03, length 28
11:37:40.856584 IP 192.168.130.3.2070 > 192.168.130.253.69: TFTP, length 27, RRQ "pxelinux.0" octet tsize 0
11:37:40.860701 IP 192.168.130.253.38476 > 192.168.130.3.2070: UDP, length 14
11:37:40.860737 IP 192.168.130.3.2070 > 192.168.130.253.38476: UDP, length 17
11:37:40.860908 IP 192.168.130.3.2071 > 192.168.130.253.69: TFTP, length 32, RRQ "pxelinux.0" octet blksize 1456
11:37:40.891419 IP 192.168.130.253.31448 > 192.168.130.3.2071: UDP, length 15
11:37:40.891455 IP 192.168.130.3.2071 > 192.168.130.253.31448: UDP, length 4
11:37:40.910020 IP 192.168.130.253.31448 > 192.168.130.3.2071: UDP, length 1460
11:37:40.910037 IP 192.168.130.253 > 192.168.130.3: ip-proto-17
11:37:45.910310 IP 192.168.130.253.31448 > 192.168.130.3.2071: UDP, length 1460
11:37:45.910327 IP 192.168.130.253 > 192.168.130.3: ip-proto-17
11:37:50.915422 IP 192.168.130.253.31448 > 192.168.130.3.2071: UDP, length 1460
11:37:50.915439 IP 192.168.130.253 > 192.168.130.3: ip-proto-17
11:37:55.919340 IP 192.168.130.253.31448 > 192.168.130.3.2071: UDP, length 1460
11:37:55.919359 IP 192.168.130.253 > 192.168.130.3: ip-proto-17
11:38:00.934017 IP 192.168.130.253.31448 > 192.168.130.3.2071: UDP, length 1460
11:38:00.934033 IP 192.168.130.253 > 192.168.130.3: ip-proto-17
11:38:05.943631 IP 192.168.130.253.31448 > 192.168.130.3.2071: UDP, length 1460
11:38:05.943651 IP 192.168.130.253 > 192.168.130.3: ip-proto-17
---

It looks like there are tftp packages transmitted that are somehow never picked up by the client. As 13.3 was running fine in this place, I compared the tcpdump output to what is happening there:

---
13:34:34.112855 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:25:90:69:bf:ae (oui Unknown), length 548
13:34:36.145073 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:25:90:69:bf:ae (oui Unknown), length 548
13:34:40.154596 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:25:90:69:bf:ae (oui Unknown), length 548
13:34:40.155930 ARP, Request who-has 192.168.130.253 tell 192.168.130.3, length 46
13:34:40.156176 ARP, Reply 192.168.130.253 is-at 00:bd:7b:2d:f7:05 (oui Unknown), length 28
13:34:40.156239 IP 192.168.130.3.2070 > 192.168.130.253.tftp: 27 RRQ "pxelinux.0" octet tsize 0
13:34:40.159338 IP 192.168.130.253.16697 > 192.168.130.3.2070: UDP, length 14
13:34:40.159406 IP 192.168.130.3.2070 > 192.168.130.253.16697: UDP, length 17
13:34:40.159574 IP 192.168.130.3.2071 > 192.168.130.253.tftp: 32 RRQ "pxelinux.0" octet blksize 1456
13:34:40.162327 IP 192.168.130.253.33393 > 192.168.130.3.2071: UDP, length 15
13:34:40.162388 IP 192.168.130.3.2071 > 192.168.130.253.33393: UDP, length 4
13:34:40.162708 IP 192.168.130.253.33393 > 192.168.130.3.2071: UDP, bad length 1460 > 1392
13:34:40.162758 IP 192.168.130.253 > 192.168.130.3: udp
13:34:40.162837 IP 192.168.130.3.2071 > 192.168.130.253.33393: UDP, length 4
13:34:40.163089 IP 192.168.130.253.33393 > 192.168.130.3.2071: UDP, bad length 1460 > 1392
13:34:40.163124 IP 192.168.130.253 > 192.168.130.3: udp
13:34:40.163670 IP 192.168.130.3.2071 > 192.168.130.253.33393: UDP, length 4
13:34:40.163920 IP 192.168.130.253.33393 > 192.168.130.3.2071: UDP, bad length 1460 > 1392
13:34:40.163956 IP 192.168.130.253 > 192.168.130.3: udp
13:34:40.164515 IP 192.168.130.3.2071 > 192.168.130.253.33393: UDP, length 4
13:34:40.164765 IP 192.168.130.253.33393 > 192.168.130.3.2071: UDP, bad length 1460 > 1392
[...]
---

Although this reports "bad length" all the time (whatever this means), it works and transfers bootloader, initramfs, kernel etc. for diskless Linux machines in the LAN. But this suspiciously looked like MTU problems. The VPN only offers an MTU of 1425 by default, while tftp appears to use 1460.

After some searching and reading I found that the original tftp default was 512 byte packets, and the client obviously requests larger packets for speed reasons explicitly with the "blksize 1456" command. Unfortunately, I found no way to configure the PXE firmware to use smaller packets. However, adding the "-o" option to FreeBSD's tftpd could disable all extra options and forced both the server and the client to use smaller packets. TFTP and PXE-booting were working fine again after that change.

On the other hand, this feels like a workaround. What is the actual problem here, and why did the very same setup "just work" up to FreeBSD 13.3 on the router? The setup of pf.conf is quite minimal, the packet normalization part is just

---
set block-policy return
set optimization aggressive
scrub in all
---

Is this some kind of regression or rather the fix of a bug I was relying upon earlier? Any hints and insight would be greatly appreciated.

cu
Gerrit
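
Added example, not part of the original post: the IPv4 fragmentation arithmetic behind the numbers in the two captures above (blksize 1456, VPN MTU 1425, "bad length 1460 > 1392"), in Python. It assumes a 20-byte IPv4 header without options and reads tcpdump's "bad length A > B" as the UDP length field versus the UDP payload bytes actually present in the first fragment; the function names are hypothetical.

```python
import re

IP_HDR = 20        # IPv4 header without options (assumption)
UDP_HDR = 8
TFTP_DATA_HDR = 4  # TFTP DATA packet: opcode (2 bytes) + block number (2 bytes)

# Line copied from the 13.3 capture in the post.
CAPTURE_LINE = ("13:34:40.162708 IP 192.168.130.253.33393 > "
                "192.168.130.3.2071: UDP, bad length 1460 > 1392")


def fragment_plan(udp_payload, mtu, ip_hdr=IP_HDR):
    """Return [(offset, ip_total_length, more_fragments), ...] for one UDP
    datagram sent over a link with the given MTU."""
    ip_payload = UDP_HDR + udp_payload
    if ip_hdr + ip_payload <= mtu:
        return [(0, ip_hdr + ip_payload, False)]
    # Fragment offsets count 8-byte units, so every fragment except the
    # last carries a payload rounded down to a multiple of 8.
    chunk = (mtu - ip_hdr) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any fragment payload")
    plan, offset = [], 0
    while offset < ip_payload:
        size = min(chunk, ip_payload - offset)
        plan.append((offset, ip_hdr + size, offset + size < ip_payload))
        offset += size
    return plan


def max_unfragmented_blksize(mtu, ip_hdr=IP_HDR):
    """Largest TFTP blksize whose DATA packets fit the MTU in one datagram."""
    return mtu - ip_hdr - UDP_HDR - TFTP_DATA_HDR


BAD_LENGTH = re.compile(r"UDP, bad length (\d+) > (\d+)")


def mtu_range_from_bad_length(line, ip_hdr=IP_HDR):
    """From a 'bad length A > B' line, return (A, (lowest, highest)) where the
    pair is the range of path MTUs that would yield that first fragment."""
    m = BAD_LENGTH.search(line)
    if m is None:
        return None
    declared, present = int(m.group(1)), int(m.group(2))
    if (UDP_HDR + present) % 8:
        return None  # not an 8-byte fragment boundary; cut some other way
    first_fragment = ip_hdr + UDP_HDR + present
    return declared, (first_fragment, first_fragment + 7)


if __name__ == "__main__":
    # blksize 1456 gives the 1460-byte UDP payload seen in both captures.
    print("fragments at MTU 1425:", fragment_plan(TFTP_DATA_HDR + 1456, 1425))
    print("default 512 blocks   :", fragment_plan(TFTP_DATA_HDR + 512, 1425))
    print("largest safe blksize :", max_unfragmented_blksize(1425))
    print("MTU range from 13.3  :", mtu_range_from_bad_length(CAPTURE_LINE))
```

Under these assumptions each data block leaves the server as a 1420-byte first fragment plus an 88-byte second fragment, which is consistent with the pairs of packets visible in both the 13.3 and the 14.0 capture, and the 512-byte default that "-o" falls back to fits in a single datagram.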