From 69d735ea0aa42e63d9c4f8068ff075b96c201ea9 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Thu, 10 May 2012 11:19:23 -0700
Subject: [PATCH] Make TPROXY actually work!

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Config.pm           |   2 +-
 Shorewall/Perl/Shorewall/Providers.pm        |  67 ++++++++++---------
 Shorewall/Perl/Shorewall/Tc.pm               |  63 +++++++----------
 Shorewall/manpages/shorewall-providers.xml   |  13 ++++
 Shorewall/manpages/shorewall-tcrules.xml     |  37 ++++------
 Shorewall6/manpages/shorewall6-providers.xml |  13 ++++
 Shorewall6/manpages/shorewall6-tcrules.xml   |  31 +++------
 docs/PacketMarking.xml                       |   4 ++
 docs/Shorewall_Squid_Usage.xml               |  46 ++++++++-----
 docs/images/MarkGeometry.dia                 | Bin 2328 -> 2496 bytes
 docs/images/MarkGeometry.png                 | Bin 18155 -> 19852 bytes
 11 files changed, 144 insertions(+), 132 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index d41ae9613..c3460773d 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -4097,7 +4097,7 @@ sub get_configuration( $$$ ) {
     fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 30;
 
     $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
-    $globals{TPROXY_MASK}    = $globals{EXCLUSION_MASK} << 1;
+    $globals{TPROXY_MARK}    = $globals{EXCLUSION_MASK} << 1;
     $globals{PROVIDER_MIN}   = 1 << $config{PROVIDER_OFFSET};
 
     $globals{TC_MAX}         = make_mask( $config{TC_BITS} );
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 187a63638..2e1b057aa 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -396,8 +396,8 @@ sub process_a_provider() {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local , $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0      , 0 );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $load ) =
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0 );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -434,10 +434,10 @@ sub process_a_provider() {
 	    } elsif ( $option eq 'fallback' ) {
 		$default = -1;
 		$default_balance = 0;
-	    } elsif ( $option eq 'local' ) {
-		$local = 1;
-		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if $config{USE_DEFAULT_RT};
+	    } elsif ( $option eq 'tproxy' ) {
+		$tproxy = 1;
+		$track  = 0           if $config{TRACK_PROVIDERS};
+		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
 		$load = $1;
 		require_capability 'STATISTIC_MATCH', "load=$load", 's';
@@ -455,11 +455,12 @@ sub process_a_provider() {
 	$maxload += $load;
     }
 
-    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"          if $track;
-	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
-	fatal_error "MARK required with 'local'"              unless $mark;
+    if ( $tproxy ) {
+	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'tproxy'"          if $track;
+	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	$mark = $globals{TPROXY_MARK};
     }
 
     my $val = 0;
@@ -471,24 +472,29 @@ sub process_a_provider() {
 
 	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
-	$val = numeric_value $mark;
+	if ( $tproxy ) {
+	    $val = $globals{TPROXY_MARK};
+	    $pref = 1;
+	} else {
+	    $val = numeric_value $mark;
 
-	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
+	    fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
 
-	verify_mark $mark;
+	    verify_mark $mark;
 
-	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
+	    fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
 
-	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
+	    fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
 
-	for my $providerref ( values %providers  ) {
-	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
+	    for my $providerref ( values %providers  ) {
+		fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
+	    }
+
+	    $lastmark = $val;
+	    
+	    $pref = 10000 + $number - 1;
 	}
 
-	$pref = 10000 + $number - 1;
-
-	$lastmark = $val;
-
     }
 
     unless ( $loose ) {
@@ -526,7 +532,7 @@ sub process_a_provider() {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
-			   local       => $local ,
+			   tproxy      => $tproxy ,
 			   load        => $load ,
 			   rules       => [] ,
 			   routes      => [] ,
@@ -578,7 +584,7 @@ sub add_a_provider( $$ ) {
     my $loose       = $providerref->{loose};
     my $duplicate   = $providerref->{duplicate};
     my $address     = $providerref->{address};
-    my $local       = $providerref->{local};
+    my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
 
     my $dev         = chain_base $physical;
@@ -600,7 +606,7 @@ sub add_a_provider( $$ ) {
 	$provider_interfaces{$interface} = $table;
 
 	if ( $gatewaycase eq 'none' ) {
-	    if ( $local ) {
+	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $number";
 	    } else {
 		emit "run_ip route add default dev $physical table $number";
@@ -632,12 +638,13 @@ CEOF
     setup_interface_proc( $interface );
 
     if ( $mark ne '-' ) {
-	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
+	my $hexmark = in_hex( $mark );
+	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
 
-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
 
-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
+	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark ${hexmark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
 	     );
     }
 
@@ -697,7 +704,7 @@ CEOF
 	  qq(    qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
 	  qq(fi) ) if $family == F_IPV6;
 
-    unless ( $local ) {
+    unless ( $tproxy ) {
 	emit '';
 
 	if ( $loose ) {
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 6da363341..ed880fa75 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -163,18 +163,16 @@ my  @tcclasses;
 my  %tcclasses;
 
 my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
+		      tproxy     => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
 		      tcin       => INPUT_RESTRICT ,
-		      tcout      => OUTPUT_RESTRICT );
+		      tcout      => OUTPUT_RESTRICT ,
+		    );
 
 my $family;
 
-#
-# Variables supporting DIVERT
-#
-my $divert;          #Next chain sequence number
-my %diversions;      #Map of marks -> chains. We use a hash rather than an array because mark values can be huge
+my $divertref; # DIVERT chain
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -187,18 +185,17 @@ my %diversions;      #Map of marks -> chains. We use a hash rather than an array
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
-    $family     = shift;
-    %classids   = ();
-    @tcdevices  = ();
-    %tcdevices  = ();
-    @tcclasses  = ();
-    %tcclasses  = ();
-    %diversions = ();
-    @devnums    = ();
-    $devnum = 0;
-    $sticky = 0;
-    $ipp2p  = 0;
-    $divert = 0;
+    $family    = shift;
+    %classids  = ();
+    @tcdevices = ();
+    %tcdevices = ();
+    @tcclasses = ();
+    %tcclasses = ();
+    @devnums   = ();
+    $devnum    = 0;
+    $sticky    = 0;
+    $ipp2p     = 0;
+    $divertref = 0;
 }
 
 sub process_tc_rule( ) {
@@ -305,30 +302,18 @@ sub process_tc_rule( ) {
 				      },
 		       DIVERT => sub() {
 			                  fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
-					  fatal_error "DIVERT requires TC_EXPERT=Yes" unless $config{TC_EXPERT};
 
-					  $chain = 'tcpre';
+					  $chain = 'tproxy';
 
-					  $cmd =~ /DIVERT\((.+?)\)$/;
+					  $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
 
-					  $mark = $1;
-
-					  fatal_error "Invalid DIVERT specification( $cmd )" unless defined $mark;
-
-					  my $val = numeric_value( $mark );
-
-					  validate_mark $val . '/' . in_hex( $globals{PROVIDER_MASK} );
-
-					  my $divertref = $diversions{$val};
-					  
 					  unless ( $divertref ) {
-					      $divertref = $diversions{$val} = new_chain( 'mangle', 'DIVERT' . ( $divert ? $divert : '' ) );
-					      $divert++;
-					      add_ijump( $divertref , j => 'MARK', targetopts => '--set-mark ' . in_hex( $val ) . '/' . in_hex( $globals{PROVIDER_MASK} ) );
+					      $divertref = new_chain( 'mangle', 'divert' );
+					      add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark"  );
 					      add_ijump( $divertref , j => 'ACCEPT' );
 					  }
 
-					  $target = $divertref->{name};
+					  $target = 'divert';
 
 					  $matches = '! --tcp-flags FIN,SYN,RST,ACK SYN  -m socket --transparent ';
 				      },					      
@@ -337,7 +322,7 @@ sub process_tc_rule( ) {
 
 			                  fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
 
-					  $chain = 'tcpre';
+					  $chain = 'tproxy';
 
 					  $cmd =~ /TPROXY\((.+?)\)$/;
 
@@ -345,7 +330,7 @@ sub process_tc_rule( ) {
 
 					  fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
 
-					  ( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+					  ( my $port, my $ip, my $bad ) = split ',', $params;
 
 					  fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
 
@@ -368,7 +353,7 @@ sub process_tc_rule( ) {
 
 					  $target .= ' --tproxy-mark';
 
-					  $mark = "$mark/" . in_hex( $globals{PROVIDER_MASK} );
+					  $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
 				      },
 		       TTL => sub() {
 			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
@@ -1958,6 +1943,7 @@ sub setup_tc() {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
 	    ensure_mangle_chain 'tcin';
+	    ensure_mangle_chain 'tproxy';
 	}
 
 	my @mark_part;
@@ -1975,6 +1961,7 @@ sub setup_tc() {
 	    }
 	}
 
+	add_ijump $mangle_table->{PREROUTING} , j => 'tproxy' if $mangle_table->{tproxy}{referenced};
 	add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', @mark_part;
 	add_ijump $mangle_table->{OUTPUT} ,     j => 'tcout', @mark_part;
 
diff --git a/Shorewall/manpages/shorewall-providers.xml b/Shorewall/manpages/shorewall-providers.xml
index bf4d5be78..337a472a0 100644
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -270,6 +270,19 @@
                 <filename>shorewall.conf</filename>.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">tproxy</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
+                action in shorewall-tcrules(5). See <ulink
+                url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
+                When specified, the MARK, DUPLICATE and GATEWAY columns should
+                be empty, INTERFACE should be set to 'lo' and
+                <option>tproxy</option> should be the only OPTION.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>
diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml
index 770a44d0c..299ea104a 100644
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -408,36 +408,29 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
             </listitem>
 
             <listitem>
-              <para><emphasis
-              role="bold">DIVERT</emphasis>(<replaceable>mark</replaceable>)</para>
+              <para><emphasis role="bold">DIVERT</emphasis></para>
 
-              <para>Added in Shorewall 4.5.3. A DIVERT rule should preceed
-              each TPROXY rule and should specify the same
-              <replaceable>mark</replaceable> value. DIVERT avoids sending
-              packets to the TPROXY target once a socket connection to Squid3
-              has been established by TPROXY. DIVERT marks the packet with the
-              specified <replaceable>mark</replaceable> and exempts it from
-              any rules that follow.</para>
+              <para>Added in Shorewall 4.5.3. Two DIVERT rule should preceed
+              the TPROXY rule and should select DEST PORT tcp 80 and SOURCE
+              PORT tcp 80 respectively (assuming that tcp port 80 is being
+              proxied). DIVERT avoids sending packets to the TPROXY target
+              once a socket connection to Squid3 has been established by
+              TPROXY. DIVERT marks the packet with a unique mark and exempts
+              it from any rules that follow.</para>
             </listitem>
 
             <listitem>
               <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
+              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])</para>
 
               <para>Transparently redirects a packet without altering the IP
-              header. Requires a local provider to be defined in <ulink
+              header. Requires a tproxy provider to be defined in <ulink
               url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
 
-              <para>There are three parameters to TPROXY - only the first
-              (mark) is required:</para>
+              <para>There are three parameters to TPROXY - neither is
+              required:</para>
 
               <itemizedlist>
-                <listitem>
-                  <para><replaceable>mark</replaceable> - the MARK value
-                  corresponding to the local provider in <ulink
-                  url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-                </listitem>
-
                 <listitem>
                   <para><replaceable>port</replaceable> - the port on which
                   the proxy server is listening. If omitted, the original
@@ -451,12 +444,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
                   request arrives.</para>
                 </listitem>
               </itemizedlist>
-
-              <note>
-                <para>A DIVERT rule specifying the same
-                <replaceable>mark</replaceable> value and other column values
-                should preceed each TPROXY rule.</para>
-              </note>
             </listitem>
 
             <listitem>
diff --git a/Shorewall6/manpages/shorewall6-providers.xml b/Shorewall6/manpages/shorewall6-providers.xml
index 99c3b6f57..96d5cff99 100644
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -245,6 +245,19 @@
                 column is assumed.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">tproxy</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
+                action in shorewall-tcrules(5). See <ulink
+                url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
+                When specified, the MARK, DUPLICATE and GATEWAY columns should
+                be empty, INTERFACE should be set to 'lo' and
+                <option>tproxy</option> should be the only OPTION.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>
diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml
index ada019d7d..d16945e3e 100644
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -305,21 +305,20 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
             </listitem>
 
             <listitem>
-              <para><emphasis
-              role="bold">DIVERT</emphasis>(<replaceable>mark</replaceable>)</para>
+              <para><emphasis role="bold">DIVERT</emphasis></para>
 
-              <para>Added in Shorewall 4.5.3. A DIVERT rule should preceed
-              each TPROXY rule and should specify the same
-              <replaceable>mark</replaceable> value. DIVERT avoids sending
-              packets to the TPROXY target once a socket connection to Squid3
-              has been established by TPROXY. DIVERT marks the packet with the
-              specified <replaceable>mark</replaceable> and exempts it from
-              any rules that follow.</para>
+              <para>Added in Shorewall 4.5.3. Two DIVERT rule should preceed
+              the TPROXY rule and should select DEST PORT tcp 80 and SOURCE
+              PORT tcp 80 respectively (assuming that tcp port 80 is being
+              proxied). DIVERT avoids sending packets to the TPROXY target
+              once a socket connection to Squid3 has been established by
+              TPROXY. DIVERT marks the packet with a unique mark and exempts
+              it from any rules that follow.</para>
             </listitem>
 
             <listitem>
               <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
+              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
 
               <para>Transparently redirects a packet without altering the IP
               header. Requires a local provider to be defined in <ulink
@@ -329,12 +328,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               (mark) is required:</para>
 
               <itemizedlist>
-                <listitem>
-                  <para><replaceable>mark</replaceable> - the MARK value
-                  corresponding to the local provider in <ulink
-                  url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
-                </listitem>
-
                 <listitem>
                   <para><replaceable>port</replaceable> - the port on which
                   the proxy server is listening. If omitted, the original
@@ -348,12 +341,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
                   request arrives.</para>
                 </listitem>
               </itemizedlist>
-
-              <note>
-                <para>A DIVERT rule specifying the same
-                <replaceable>mark</replaceable> value and other column values
-                should preceed each TPROXY rule.</para>
-              </note>
             </listitem>
 
             <listitem>
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml
index 6c8e4815b..d05f85d5d 100644
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -398,6 +398,10 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
     <command>shorewall update</command> (<command>shorewall6 update</command>)
     command will set the above options based on the settings of WIDE_TC_MARKS
     and HIGH_ROUTE_MARKS.</para>
+
+    <para>In Shorewall 4.5.4, a <firstterm>TPROXY mark</firstterm> was added
+    for TPROXY support. It is a single bit wide and is to the immediate left
+    of the exclusion mark.</para>
   </section>
 
   <section id="Shorewall">
diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml
index 92e6f8851..1efbac6b8 100644
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -312,15 +312,25 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
   <section id="TPROXY">
     <title>Transparent with TPROXY</title>
 
-    <para>Shorewall 4.4.7 contains support for TPROXY. TPROXY differs from
-    REDIRECT in that it does not modify the IP header. Because the IP header
-    stays intact, TPROXY requires policy routing to direct the packets to the
-    proxy server running on the firewall. This approach requires TPROXY
-    support in your kernel and iptables and Squid 3. See <ulink
+    <para>Shorewall 4.5.4 contains support for TPROXY. TPROXY differs from
+    REDIRECT in that it does not modify the IP header and requires Squid 3 or
+    later. Because the IP header stays intact, TPROXY requires policy routing
+    to direct the packets to the proxy server running on the firewall. This
+    approach requires TPROXY support in your kernel and iptables and Squid 3.
+    See <ulink
     url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
 
+    <note>
+      <para>Support for the TPROXY action in shorewall-tcrules(5) and the
+      <option>local</option> option in shorewall-providers(5) has been
+      available since Shoreall 4.4.7. That support required additional rules
+      to be added in the 'start' extention script to make it work
+      reliable.</para>
+    </note>
+
     <para>The following configuration works with Squid running on the firewall
-    itself (assume that Squid is listening on port 3128).</para>
+    itself (assume that Squid is listening on port 3129 for TPROXY
+    connections).</para>
 
     <para><filename>/etc/shorewall/interfaces:</filename></para>
 
@@ -330,21 +340,25 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
     <para><filename>/etc/shorewall/providers</filename>:</para>
 
     <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
-Tproxy    1        1        -           lo        -            local</programlisting>
+Tproxy    1        -        -           lo        -            tproxy</programlisting>
+
+    <note>
+      <para>Notice that the MARK, DUPLICATE and GATEWAY columns are empty and
+      that the only option is <option>tproxy</option>.</para>
+    </note>
 
     <para><filename>/etc/shorewall/tcrules</filename> (assume loc interface is
     eth1):</para>
 
-    <programlisting>MARK            SOURCE      DEST        PROTO      PORT(S)
-DIVERT(1)       eth1        0.0.0.0/0   tcp        80
-TPROXY(1,3128)  eth1        0.0.0.0/0   tcp        80</programlisting>
+    <programlisting>MARK            SOURCE      DEST        PROTO      DEST        SOURCE
+                                                   PORT(S)     PORT(S)
+DIVERT          -           0.0.0.0/0   tcp        80
+DIVERT          -           0.0.0.0/0   tcp        -           80
+TPROXY(3129)    eth1        0.0.0.0/0   tcp        80</programlisting>
 
-    <note>
-      <para>The DIVERT action was added in Shorewall 4.5.3; user's running
-      earlier versions of Shorewall will need to use the <ulink
-      url="extension_scripts.htm">start extension script</ulink> to add the
-      DIVERT logic mentioned in the Squid article linked above.</para>
-    </note>
+    <para>The DIVERT rules are used to avoid unnecessary invocation of TPROXY
+    for request packets after the connection is established and to direct
+    response packets back to Squid3.</para>
 
     <para>/etc/shorewall/rules:</para>
 
diff --git a/docs/images/MarkGeometry.dia b/docs/images/MarkGeometry.dia
index c8528dedcf140819ccb50d336cc3618c1435b3c0..f41ca2e8f17f95de8e408a086e028fec86826c90 100644
GIT binary patch
literal 2496
zcmV;x2|xB9iwFP!000021MOW~bKAHTe)q4?C@<}d0^v#!tF?EUHks~px6UL^r`;C~
zCDAe)iu6$Q?WMoH07ykQ(v}E8Hf=CtJCtF31axrleFq27&%fNy;?8ZD&7(9q?IHlX
zoiG`vlPH;<cE4SGdhd6CIXn4z5(PiWuW1&{I`S`)xw<>;Ugi1qPyPPg-5rP@=0Toj
zAdYUpJna83h~uCy3-!BaC!Nk}1(P5T)NAFdL7r#P=q3+4NiYjfyQ5(IeVU~=$)sD9
zD$9-2IL$h@L44YMcd4&#zpSReR?j1KUkB50l!d|f`l_M4glJOrb(n2dJG)Njkt~uw
zTyGVrsYiWZDN~l3%R<TY?A>o+o`>1H;<3sXm-SUWY%Nee3$kgHY-7p(iHpv_fDxfC
z5BZEh%*mo(_J<oC7cM?7Ty|WzXg<77vpfr;d>e9<rg0b~1!|t%gw1j0;~<tM_E@t}
z^V%<?JWro^{>vbq@6v$c<sTz%-_bkGqRHcfcdbNCEqBo*zZ%|K>aL>p2TQfzM)PPC
zhgDA>CHcXse>hC_o9~YH;LATZw1%R#+9_h<hb(0KPZ86bXcEq!FthbCH8ow8#rjY6
z`ewOZJEnMPW5U)DaqtjkW%VDHQ+20&gG-Oo3C4MJySQ8FlXUdoaGaNo{h9~KB*-S6
z_ni;veRs)2Bnycqr`>b7-dUT?la)z7xYb+N>C&VK@K}$_Z<~Fv?Lq1gMx#xDOg14%
zrg69gQ5XY40AxMHf!_=*jKkS*oMy>3O*mkiG>Ud6+wJ<{NCY4Zu3X3f>ne<<SNS7g
z5HzfQlxCAKd#W+A`b8_KfCzaAH-n23`OXa2y+b91yu5_48N~c5y&G0g;HT&IYCqIp
z4!Rvi;YE0#uM9&}4nt%*3^4=*%aMTrw>b`dAUNR)20=E!2zcDX>egqt;b6&Ck32E?
zY?P^cXEj@2E4M-Jza=;Ga8g6=ADI#B=vA8JRdDL{&Sfx*;s^OuK{D@l=J|ti-M;j@
z#ozutjBmp{8VBz`r14~Rp4tC7wuXP@5cT2uMa@9h?Qv(DYy!3E4{BxQs!wPFB)RxB
znT6HwYM9*2DrnSWM5>Al>^C}Y^&@SLkL9C~-3Hw_m5x;shBTRP4YkE@I#<$5DI=9O
znx~o@be6xBw!2MoHY(lI7gjS8Z0ZV$v^S`yZ_lDDlqeq4C}=>0^naR_Ae*$rxM92S
z5)PoCT15-Ys35+hB|FoSU?PQ!_ljr<F&>K^z^t4Dkj>FZW&K>^AjAfQ1MaI^N#wmY
z5R=bYdMkBgcJh0WeRuriIQ*o>I2}W24MV|}8A^>?q{eQM1E%fHX3(SrK|nz55er1G
z6+-P9UEsC{e4Wm(!USJ~=Y#F>d<T(B%+wcA0)%z7q(BO-M7e#TWZI-%bP@()acP|-
zT>SP8$8SC3QOE$bFOw*h>fZMkGKqR}-a$miZ#@^kb^2%rn{?`^HR^~xOZ=7_yFw12
z{rIi)ePR*6WfY(z#BYro=Hj<5e!CYf@lD4fgHk0PA%05*@aQsr%aELT+7!RN_^XTD
z9+8>Un5E+;t>Gs8c_O!>Ee>%7M?1vjZ99~j3*b5*_!eTgFWCqF7A0YYKtu2l3XMV3
zLw?gd+?^$w5Wa#Tf)FLsFoU#*gp_Mu!#qdTslzat=;rL-$ck|&p9&V`ctgi5t!;e0
z`6yLM`+EtJJjn84kY(vzy?JA7T=_5#lj-9sj+uizsT7;0Y9|w0ee|Phdp)#-Fz%lN
z<uMy4GAkvhhm)|orC<dIGD)zoRGh`F58I(QhaY~u`05nrkz(Q1X6e}0OI|UrBS82N
zYvw)NIQqHklDSV6`w@Ucjurc%ka-H0GQn)KpY0Y_QXj$?Rpp@9l#n^{<H*k|AwS0H
z(o|)n_Aru^#ICMVD9VrM$P)GyByI)m`TZ|n|KW(wF^Nx=Njlo|l4(z!d!h%3`yfSv
zmAA0!pcXh#?XeoHz*6Xf-!AxFYl+S;wNZ|lr!d1G*5F(9OHiFYq1=!ZU|NuQkoPbK
z7(rrNkX5&_Qj}2yJzWq9--$9O%HFgn^9~T~@l|M8j&sXfBo;6bYF*}`;+D5!%hu;F
z=l}ZkZy&!5&p&<o`tic)vm-H~O6zn)sEq>c5UJC8l|mYWZ&#l!U@+ABY;h~x?oy}E
zY7NnOr8del{{RQ_c#u(@Nz-_lXxBq|7-KpYhkE*09>};_LBp6(%L1*ol@&#W<aA|G
z<krocM0?{B%{VKY5Wvdp3~u#EjU^6ZOgR{Yxu<RgY?VfHD`-bNX`|XW9T{q&M8n3p
z(}WdzU0MUP>Z%qvzS`$HSb^nk4b5q^dP{VEseOk4VdJ#x;s{gQXQoP!@)RHf1Ubf$
zsfNwkWyd`QkWjI_jIiF?miy7A`uB>q++*|PVg!7TA7Rfu1j1WxF{KiY;}-3?|2B8$
zr5-n^TWy$b*L{1=OGVFfq`PrqH0Dw}+omT9q@X9*2P%qeo1K`pY8Q3_<yb8p1g8u#
zYV@Ht?nI!r(-Y$)U`zq-F@S6aFEj>KYdHgg0TdFCv?6Np@qQfNs2=YqV$%5&>WrfN
z&yJuR=>uoBP18j)TDatljWdGf1df>U8kXsT?<<4DtY8dCMK`F2e9KGC6|Ji)!~uCp
zhf=te(}RZnyaS9AWg|9oG8PbOCf8?wb7qxO8?|V+cpqMy*0ALxHsNY;QE;2|8Ue%^
z6_haOV~l;y!uL&25Ph=&K;tY<0)eN4ELJz!VF5f*ME}TuAi!V|`{TR?Jo}F{30>^(
zn2Uu~Ht8aN?TP$(&vW1=_7CF?iQOX+7Ur!^L|6b~mnY%!Bx(%Mg%#QuRuBh}OCHl{
z+sv|Jl1yJ`u?tAFa1x9bdF+VV4=!xCvHHVkDI-O?J90VfE{FY1=dcra0N=uu9<!Xn
zzJx)=>I%p0$zT8D{GT6P?)ouTR4R?qv7Z*Et`p-NQ6CW2BS2X6P9+3^Y@q*3CF^!7
z%&D*{<8xl9jb6w&JyxC2%~{V=OBEJ9Q3=BU^9Ps%OtHcwxDC<qi_c%q|NS4Ag7OS*
zs@gi8t7>7mh#VqoRZdz~Q&v47d`P965>$9tc`7b%<#%d73uUu))kR2=;!0c=%FBy=
zG+9wX<%$y7_;^`#q!lGX55OQ;58K^-t1*z?dRxM|ZMROy)L5UR2kqN(OU!drxxu`+
zV}`0mP^>`j+mb(gyZc!TTD03{7TJ!~(aMp_y?d3pcg1}iJcQZVNpT~;rdcpMJNZA_
K<3~?Zr2qgk8_?kZ

literal 2328
zcmV+z3Fr17iwFP!000021MOW~Z{s!=e$THEJTJR|hvroz>n6p{?hLlrwo`O6edvoJ
z+lr$dSqfz3_OicyNlG5yq{NX-CrYRw0p!s9MEdaX`wkE3AAh==$KFktEuu6z?I8er
zUYJbMX_U-Pdtc8#y%)Wo&Q5-uM!^s2ca{ZnPrV~q=)2S2Wu9OCFc{q4-h%jk5#(tG
z;^-PI!omN7I1UD?(4cpA;(6;8OoKeoua&O`d7ee%>pb+5U>=_K#=+#<EK9GGX|E_%
zmYbw;nt3-teA;_=VXoewtY)xL&jWQ|1+#FRg~7M_s-e21Y*O`Am~B@(ze*R8Dw5w{
z?G&l0NB><bQ<hq&Ldopx-7jIDhuOR0vC0=$^;JD=El@rWvRRbuVyXU#i_XA+5vea9
z2}U61WZ5rIhZ`RkE<P??c3ik<F}g~#JPV?H7jm4YaTp{8YMxz(&2bi!AXX;!P_t0;
z+ApF!Pak>yiy&U?(}3dT?<4N1qj#1?(}xG|Mv0nQZlh^_Il8mdT}AEpmTJF=7ST8k
ztDZhe@`F`>f0*jGKON)2S8s1=4MlCWQ^Zt+EM!lgB4*doG+aDlW}9VdYPu|o4Ib<D
z?Q;8eO!3mzgl!<=;6BXC>OZWeYOnl&OON9PlRUav-mUdXI{t4s$;-xm$%AAXWK-|G
z_aVLOt$2uHA<^`-_Ze<>)^_t$Wy%lk^ww3nGAROl*5~Tab|36|kUE6%cpD&7O$d@%
z9Iik##*h#ISs!sAnxTbpI3G>YEZL<A2W*o;G0tSSUEdvv1cbr03$?(y45Qg){s0&R
z4XYog*)+@^YmBOX*$OHlLO#OH;G#r*GNVoJP)Q*#E+A|MvA9fcM->$K@wvU)4-Hm>
zZjVuT9^U0^!w{9j5VakK7y^RT$iRTx9ESo(PPm3akPR^cKKHS{6%02VEV=HHM<$=G
zGIgJ<Ve1>^w#fb0<a!ZKYsmcrGh!XRN|U?_PQUJ51oJ4qS5Flri=Ma0@3rd|%I_BM
z{dXAOgn2Xx-hW8r>H0kL^yk<a{*^;iz|D)c1KqU8y=}4y)V4pUm6hv0p$U-U;<IEP
zR)4Btay_r0Q4bNRDlYJ}(Q#uQX?uLE9);{T=q9OhtcozC$zo@yE&t<PDlestRM}{r
z8gAgN{;O<vm*i|!`b1w?%}8)tS4fn-K{I{(7G0r2@tHwELn4*`Gpq#Jq$RBzwhu4i
z07`09w8V@`A{;H*o0bGqC0zVhL`z8PvFHQL$~gep9F0`f&kYVjY)ClZLf<MP?{|Ti
z{GO#ZN=IfVzXsVi$4`#KPil<QF_g|Q6l|HH)VM|3+AVUxjNRD`nv@_2NN7A_f#`Qa
zs6C?#-1UI3)A?1H;A`-FusfdbAaaSd^+l8bX<aR8kU}d_ZeJ+1ZPGqE2?M#jj82j+
ze*1>ww|?tU$N;r3lPFc{UWlbkqQ07U5Hayv-^Fj8KH9@3ojU4_I%3ZfzvZo6AqUWY
z{8srsxs2a33eXYax2+rI;<qk-`y^T-+KxpAl}bE9{FX}K(^dSIAvN=KDSmtYPZzm8
zA~UHmOUF$*!%g_}L~dnQ9O4>|afqwiZYVVuz;!<GEyQqNvJd<vO2P_(hTtI-8iS~h
zMAJOny(OBILc<VAh?Z%XLE1-B$u+-Wo}=#6QJ73kbDrMFigBo(3Kr#fL&vPFZF05!
zC{;=OPZA_~kmaKw%hKC=^TxP!<)b)EW)G`4)*j?hrPwr8JDJ+*qwiJQ>!B4y>;5@V
z9&_tNW~~IxaFTYn6s+MurU({RinF*Cup5eV^x^08FHUhDDHdLBmX2+`<Q4Ne0)!8-
zX5Pn*qo4aOnG34fj|3cYtl1BR%-67#NoJe<?6$Cy`VhvbE(iUlgv^m2M}A%j`DvXl
zO?5_UA0tIc?CL6wqWy@8EMcJ`aVKccumAY+A4hzSNqnkI($SumOnd6w6ForO2Wb+l
zy@gc=wZwsXkJWGumO>Z&cERsjOLTszi*l@e3N!p}4Z^Blg8K9c?S_;9GlI;AypJ)!
z2ol?Zth$YrqKqQwn}SFRC(4{Cd()!KKR~cY=+Lkl=a#ofEMXuty39w#E$_sZt>6Fn
z{O8aA`uNA_^QTW=KAt;$b|fZLX`PM;by1)lB6ZrVQYd2(cJ<j321BFImbcRFE_M2>
z))1Xn>Y_Xo2RM+&hm4v`n#RjS`yR@}7&Eyz)HlcSK*se78pecL7HGAttSBlKrz?vh
zw{GSn+8dW>t+TQT0j$i<;8u^+Sm7YXw1YvI`}$VGPH8l^f_B7{HmZ%&k)aMsG~7CO
zny^BzD{Ej@UDXmt=zXrkHCXP}(40oAw?yZcx_1Z=Zk={r9ARqv%v1$Zo&rRGB*!>1
zwPmyR*>O(+Bvh`hR#<Os%l-I5|Gc6t_qcs>F#^KpN7!=@f%I2fOsRt7xI=sHzb@Q)
zsmBfKRvV_<b>E%yQql7q>E1dq8gr$cZPODCQqU7DfQ};DW+!c1wGTUiYOIzHf>Q<=
zZS|!#?nI!j)05Uoz?cHuX8_p@UKk9j*K&pg11J?9=|t4x<J}~_);;cNV&eS`dE+Sm
zyCWz^`ofuA({#~{4lX(4))~QS0!K`H4a;;v2yJkf6^sGt=mzzXu)Ne<(Ym@q9FUiE
zD1}=&J!sg^KfpNAHexd;V+o;Wa&z`KXI43Ns}}7S@539@8n%4ICR`6LN^X;0BY-%g
zk`e|5##nF`zHfSh=$j1yw$9=t5cnp@Vs(=pmcW-~^be6CL4aZX)s937Mk-%E)&46@
zLKpr!=6Ye3S-Rj~cY=TZ^PIVf#bF#Gv3n}Q(!BMd2unchQYBofM2!Ku$U+w*3-SPp
z$!8{Wn^_i3itL+2b_t2mPWtN#Oe#BK_Tvk?ZLI!2TFOX~@s3;?yGvt#(`oDk9>BM7
z$*gCwuV7HIz`}8NQrQ3c{M$#DzJAO_l}e*@?5Bg->!fv>r~riZ36K`OlY$_KAcca3
yPtednQUHY%+-WhV#db~5`J!j_Ma6v_+=toONpYioXIU^mJNZ8`F1=FzlmGxYnT1dQ

diff --git a/docs/images/MarkGeometry.png b/docs/images/MarkGeometry.png
index fd921ee87d0a010e2d14a74bf3fdfd454ef0ecd2..70cdbe112390ee750a2c236ebd656ad631a7bf2a 100644
GIT binary patch
literal 19852
zcmeIabySsYw?4XTUqA(<k(82dq)`?v-7QFWcUg1@2uQay2uPQTG)RNANVjyunag+Y
zGxj-Sk8$?z{Jq!rjd!WA)_R`%p7)&Bb<Jz8AO$&zJ7`2`2n6Delq6CKfw;zoKwPoB
zeHH%2#^;?aJl!;ukw79YQU6P8$caWE$PrS=Cn|19>r<{G_m?hj{pr18ATMU0Mi)#e
zn$AAymtpqgL3JM``Eb73RAxoS?=K@`wFQ)PPSv;)_9|)2NokanuWr)?qemvcJ3Y7O
zYVvCS_~lBYzOUKN<dkFTgPQqdT3393V@=dGAoM!6by3d<^5`q@-=S;mMqg+-I5-x4
z!-%-@J#<%ASJ^Qf&yMW%@Zu=kb=F2p;yC$udF{h?mwHQv(VCl^3H`UXw`VsmE>5=^
zJoc4TRgDQgiiO|}FY9{@{QCNu(EoTgfQ(A{^k9Pl^LA8pbivs>1VRLjo$!ymynOFL
zv|KXZw$kgEn3$p>>u4HTi^>Tm?MfVc{QHVJI+HbyOZlV!bd^0#|FpAPqEY%P(4_mr
z*Qv0uFeZBXvQM9Kr^oX$!sgc27_ft`UcH(>C5%8|vJ(#7$`lW)z352bvJ6~a?$5+%
z=CmH)YYD+`X=!QjJTxINIanV<zK@RHT}t&0C+3mU)~<tVp7B1^?YLVro7>(lNm=W>
zhUZ$9mgX1u>h<ee_edwRr0&bg_7v;ZZO$~MYR``pY4`W{Z%sEm%(zD;v_8}1yWE%V
z;o)(gRt^IlJsL@A^WCf`fh#;bTsDD|kjF;H%F0SJqChH|CND2fBK!eGMi?;<w&LJN
z*=*B4+uLlctO}~C!$U*s@Wys_pNz1pGI|nu?mc*{AS(KhlJY5gknz|f<&UfwgV{21
zdwWjtF?!W@v*Q((u<B)>KhJB86zh7fjTFJ}sQi|HLP$s`8gSQoq;TxB`Cy8GJ7u|j
zcX#)<=H?)?{ncTN<`41lSdoc|i76?1c6N4JT3W_x5CGXvX|7$62zgbv(FWWjqsfST
zC~<Of(&%|;Gms@^Ia&;#l^+u`EH8Xcg&lPB?t{lRlhrTU!pHtTTH4y;hKrJt)(1})
zy5f{`<Qm*}7va-k%M6}BCl4aQewyC*_3PKc!Ckm)?~^@Vr{#AA1#5dNgV{^lyStXt
z_3k-x$roq4y-K1KZ4(pPii-BIKJoGK>FMcHb*@!qWl<@!(+!>n2L~Z|OhoKP?Xa6P
z@+oHr8`>*`i#>^Pv9XJ*tNF#nKPo;k^1JWM!>hElw8X{4R@T<K3isfnkVdAa>T0SB
ziCmUya&qBiWjjBT`A_#&9^!>$=Xkie5fBhyMuvs;6l#_W2nYm9l4I_zk15mPsCklO
zA`pRr8i<Pz2??D76jfGZ-(>0O=zcZYydV%)R_1v0D9Bi|qt3_3h>8a;9n1AK@hd);
zb%N8C9p=lk-FsbSJhs#Gn~O_J!ft>30x>W!4mPJe=UT(g&b*|kqgpOc)>v#V-n_XU
zYfSw@T~kvtYRt>qTQj!7e(omLBL;@0g@u@tY6y>|l@%$ZzRxi=*4sC49`o{I_1C-a
zR*zBLn4h2D+n9(8bXosNp&Jnr5~9HvYs1FPO_L$yePXx&p40A^2<3Q{ZR)erM(@)=
zNqPB_!loOem#|41u{~W~%8H5<8G(Vf<E^^{-%!iMO0v}1%|4|}5cG7>OumK?dCMwy
z^K6dtu7m^5`>3da46%^FKx0i;S65L{QA%lPX-Y~iE-vP;n2{pnbOqWrp|rxn`U8d*
z7JR-JXK<5bWMss|i63PXrG0hVXTw!T2L^tJTa{N<E{>-PdDF+|xNc2P3LsS!6v#QM
zsjW9BYmiQh-SKe85riD#CaVV<6C3O6pDQYchlekZm&hoC!^2}!z77w^7!a()N<@%i
zMOIbuR2@WB%YF|tQGFd2b_XjjH}^wg;(e^cbKAENbrQ&+prB#xN025O>)v>*L3~Uu
zhd>ZORF&v8NFz!3oX9gKCnp)yi|xu|JpOog#WDraF))M#Ru?uKXu3?*I>XVbvYpW@
zGm_HNo6c7)Fp6FHHUr0{`i=eC2vc!`_vt~Ddo^2D)J$0HP=)2_m1{RK`@7>gjDOFa
zpB~~fYG9I(G#E7d=jPHeW0YQc-dQr~N$7A|-q<KgOZ(HqGh-K!7c=xxmYA}$y*>9+
zrP5TRcVZwK8X6=XdF1)Yesug3P0e^|tAnN9R2j892*mK~XE)EHg;KgFCK4_8c6Ov?
zWOfe@rfVE?B&i%+U41Vv8X6h|dF;6Cetns34ydcEiy+~zGzyq>eJc~koXl?A*%`w?
zy`f&BSMm9C5=7}(x#`wqjVO}3Nx<38Zh54L7;7J5btqSH#%uQu7G$)%Li;?l8#iyJ
z2>VWtj;enY<mcCB#N)ttNK5OwGC<9Yq1rw?%*D$3sk-{-)YSQWM>MtRFVe_8dxy3N
zvcsL7@p999Sl&l}zILG=GK(T?LArG=yu7@G#KcQWOK=VKMl^F;kYZRNQ_T3BhFN-@
z9kIn!vRy%>?Y!&o^M&mSzIa2N0trr8L*qkw`YcP++3%GVUXQ)yp&=DpTicf+cC+8!
zzI%s>j~@s3d47I4lg#hRJT?n~TP=xCOkC%(p(RxZDG&<JQ&G|L^Yc_e&&7?6^Fevx
z4#tAqT(^~hY)CO$+S(FgVqpYqzoD4$yR7FPWLi#C7G-8;&XaowLFlmPH`ZHER6<gc
zmXabA@^Yi*-~03DXdzDj&C^+UO>c@I14jky!(P+O%hvDTuiv`m_%P(gjT?{-;bClC
zCY#9J(b3@zm3C*oLs3zYy6tLPDB;}Zrk;w*=ND~vH~$F58pEP=u!c4?cvF)>^?v{T
z(@}$rpE!~c4-&bs#~vLUTjVKeWo0t2W9!&hJbH=qCq9H<E83h9A}ly5X>uT2rp0g@
zj?<b+*hHoE3xd|(-Vz(NTZldlgCvZ!5&I>Fk)B*!te}?Puz=Lm)SEg1<FN?|^t80<
zJJRL|gaUQD5uzfzF6G7n7Xm?dtFi7nfQDaW?1U%?arv$T^>h^Q>?S;Y5jJ8+{q=(4
zFS7V^FCGK_=I7gPRNp@`Vj|69Gx?a3or5F#^Jl9uhu`0WqGmi}Q-*3BO<7n<{`|39
zNg)&RdhD@h_VD3DRaMpd_oJb7X6NKMMne%>fK0cr0IS|zu|D09Xh49A8v`|ZZ*vO%
zEF&WmDfwM?e}CVYKwMi}d*Jo6JO5AM(t5Lhc-WX=@o0Mv_Xi;<=?~V>h=_Zxhlex1
zTf+r$`T6wCtV~*;bHy(QqHo?K?Pl%1CwxX851CW{rN|fELtF$REtWibyLEhgd<6AS
zgYy`u_1Wy}6c;;tRQF)9F2AX%DO}XGTX&y*V5MMZSMnH0d-8g^(VO_egZ0_j$kf!{
z3JA7J?J65c9X=;}=1}^6&&?ffOqg0(b)Q#OMMn=p(r7U(4G55MaXE;lm4{p?ii8pm
z_zeB-T{TtJu%IB#a+5n)Vo0Q2Q$vGsS8Q4FKqEZ;{%uGZ91=3;6In~75sQoVHYU}#
zB^VdU`JxqL(*}@;qGIIRw_^Jva!55bwaUs$IMI)s^GixfB&pDD-_CWpguTLj@zNH~
z3rz-mh7?aiLIQSVNePSVXlG||p#L3W8jh8YXxhn{ZCFLdE<7BZ&o)yDf$-ibf}X8q
zRysO5fcb*j$Hx=a=!Jz-*9^YB`A5)Wk38e+>svA-b=DKyl-RegL(W<7K{xvzh(&F=
z=<(}mcdGA2N7;IoRCHjj`QS$+r|q<WO(kr7h4qA*n3$NTXeQv0Cr_S4kyi8aSdY&y
zFXw*z=(0J<TfFeI^o3!m8=N1ck(E_aY%ERrD!|nHijXOc#$jP4kbuvOtxbzBHzum;
zs;ie*R{?!;v9T$743xfTt8Sw<u(0SXLoH59N{R@%q^vAc!S0TM{xyUjnn6<GmB5Gy
zsARlYkksXBb?I=XtL<M068M*vmQrNEE;=~MB|R>MJb*MZG-P*}2N3DLYoexxhpOHI
z{{Hmz^#1<-dQCpM>gsVa97%A0cL3kf;qX0vOhrq}V>x2A^ds3A7cx*$Zf-UF7$93;
zU*G0bo#U9|Z^$$MKY&lngH(R+6HY9EXsYJK(%lJM479WonwswLQIJ`&LRtot1qB2E
zjRdy0wwjC-YLb$YBB?NMdmOAk!a*w##Jmj$pRG}p;ysTXjjW!Y5HD}dd=`K$32|`;
z84^K{_m=hEr<GX+%>nlu!(2BfBROlUtL?%Z7rP_#XqlK~wY3uyJ?7gZl`I!6G^%Wp
zb8=|0ypI>+kT}@bzvt(XN^?fX$H$XlNl8h7O0fIGN%*VrY|J`aTErOfWU2^=iSH`{
zJ}4_Ilh)n;^72}c*-WE1`$o(I+C*+^qOLM`cXwD>Bn}qVSLv|mQpW!VyTsi)B|;!n
zZqFI*6S)e+M@016Hl4>tMt=21?_gtNBV;ptlb>&4VqzjG8EE9Q*$Nv><tS|<gC`7k
zk*AzfP1XuW_Y`<QmO7l0%VBkWEXB5Pk{Y&3hwfzlxV2BtYa=gOLnGsBy-!{E`T4D_
zt(~3seJ_p!0y8o*vrX-sofkUax$P}uVYz#HTAG{3)V5}2QBnRDFVBBTte~Q($i~A%
zOSvMt*ZI}@=lAc(O&bRX_PfWo5Pk`7pQ)Ab^7E(iIa@#-+1%U&S`nQx|Ld3C-g19m
zp91B0gQu&81_4(5hYyfTqXG}MW>OOpq>;c&=5O}ax^Ddl^J(xoPvAeW?1-WUYDCY-
zn8a%E)W9I!X=!I?C(5^L^uOSg8&_ZMWt|>wv1oiE=i~Ee_P+!5NQb~s_zsc15h)Jp
z1{mn*ymotdfW|y>4znKrOpy^98j5DgFboGPC>KZ*|4O=klMg$GU5-wBlH(WehuuY5
zjCiigeNRqQpbq$5-i<FbAO@n5nfcKBq*zu;YGqX4HzqEw$$ris(0+Dyc3$4fV2(Vb
z{=?0wE~cIRQT-;5{Z4rF_HM!N4v&sD0bYcZt-nEZ_1d-GRN*b)frBZ@$xL`5g#MAy
z(REHM*!ceR^Q)^w1Oys7I_sO8K9C)vIPCNjrR8kMGv?YNJl)+l#>xW%g}jb_EubFM
zj%gph1IvSG3=Iq0-Q7*(vDIUbwr9F^_rV7t@7np3hY@7Lv4sh1nsRqf?*eD0sxRSm
zySTVOI$d6z1L?ww3<;5W_AC^N^2?V`o<4mFCrwaLaBgm{&UsB7*>rKT28mNuMFoCz
z{p!o`@E;fFr%=(jt;e0Vf48jS_ElPIOGrp`JUPJz@S)e}<qp*vpGgZaH@nx-A8D86
z+1c$bmZsZpzx8KIKowClv4D?W@ol;W72%(|cN-lR(6DfEZ~$h&BQB-`-Wn3j;r3h`
zd@?|pm{2u{R(n@h7JB;e(igW}6@>q?6C;Aw>FE?y9Zz#%WuKwGGURAj`g3yf3_b^d
z^W-p}#Y8-ZX;N~sL?{6q9vuaRw2X|5!a~Lx8lAV*FBU(QTtSHN{?Q~OB7igjOf|UW
zcae70NDon!^+YRcXlg2%D?Z>6gaR>ei8~P*jB>KFs!B?~<;-%effzeDI7BgI!(y13
zndKG~_?{h=MhQMof{>wq^X#Sq7i2Nus!)pn9OTYZ0vtgoP<UNlRp2_>#6}=2u1%{W
z^8JZ7qiTkj0E77ceGvgIB=B*+LtMZ7Cp7=vA0G)v!_KSjsAt*CG$zNzsYl1aZHW4#
zK5@a69e6n|gBk`2-yUQ=<9)l`MOl1&d|zK*_`!HSd@K=>5xZZ0-k-WIsJ+QT-Y8Ho
zJiHIYav&O542RRQ0uUb#(;tl5m4zdgHxPdQ*WxkKEa<z9fPlE#+Z$+dGctB}c3MCk
z)Hw~rdRSOk2&G933E_19JA`HR<8uVU4AYLp*Dv4wWG^p0-2jSfbaZrA!V<6|_&DPY
z9gOD5T4!_=%*sN+ISYEnX=)x7wGkDJD7YIbSgQpodHGa+*Uhdt7HXz!ld>H7)SK6@
z+eJSHk^>xe(cw}DJ)8<wC<;QLGZPXW+%TkLpTj9v+nL5}?0CjUk2>1gavYa_06uzm
z*8(n|43cN}XdGi#_yb<-*QgD_4yV1AE8^u<56oSIaip*B0|1@!a>oc#!CI#khxMPO
zT$Uqe2NSlGk?rm6%fLv0+zg-#x&284I5hCu6runQJqH(8(e5o!CH6_!2}N33!$~~<
z{Ccuk>F?hP90HgM{2G9qn$~yk-u-i*=Dki|PtOK`?EzOvd^)#o0AYO%#7LnOa+xc@
zro!Zw@89R4ibBexrnRSiF1`8NNd|B%I_i2q)YR0>v%jEb0w_NuBCaG6Gb;%ImX55o
z13|w4*SNU2IB+Y#zOV>|`;C8;yr&_gZzc!i`yREIW#VB(&hzb9@vR_yK(>x+N-HQ}
zXlA9AOUkVnfb;ZKl;&D);m@BM08dwRKLT4FE!Hit`wDl=hA{}|e7q2n2@y9$5<LMV
z#yz`HP`^N9X@4PzK=he`K&SF`e{IzBV7+5%bF6%6xIq25=oY->PLk_C3O4{+5pbGe
zx=zf@q|O+^2eN&AOeiv}Q{#{=pDF~bF(fo}z77w<NB{?9xZ~n0X%yyTWyVlhO@1T=
zdFQke5)tj_0<W;`tk1<ph>#5S_s`Z{e+SZBc2QA}E3PvW50AR6Y}gikJ|nO_W##BC
z`m{1wPujtqN71u`k3{mOqjL&!;QYMh07#=!VJjvpMt^>C8Kz5$i;K6d3v3}(npEK9
zpRG$NXI(Ur=1)m<*%mU_X97#?QjG6UDUk}U?~AeU^VeC#41W?67Z*n&&%F4Q>NFi2
zEnn`qjXTZSBnh}j%}B3ygL<Y`q_w|AGNu@MQq<9O`Jy-flFBm{<E@hRm9+68t_u1j
z2|c}+D4k_}W5co`?Sz(^`fZ>J7bin`QJN6os$X?)_#k`jT)Gl1x~}{zCt}t?zxE#_
z1)dORux0S{f68zE_ob*6`2VDV|GP~8gJnYV!tbN|fYpL^jBQO#nL$7)LrGaHKJ>aN
zpA^fPf-++iS$h_9rDCf!j2OfR`mxQ$MQ*6<wIw+hi5tJ)9Z<cjD=M0(*WU7p^(Hx~
z4b9EFXz=*p)9uk@W|<Z?_k87GsYAZ;yo?NMqwYXNIY&yisQAkE!GYXg8RG~<(7<JY
z3_w0<GJx0s!u+GFJGMF-;+5(7_V5$;kJAsjWetaM#g06iR2e*kEO)JEjvg=mDEMqj
zze?m!W714}nxJ)9xGQam1xfsMPI2*cwhVs9)M$x*ll!iJ;NJfJF+=_pv*}t{;>;iB
z@}v?ej~}@Iw!7be$6m6<*cBWiwuAO6|6uZKq4s8*l{3=@QC|7Dv6qcTEE6-cn!=Y;
zt=B{S_1Zo*%vjk1!T0g-EY`SfN3>D{wTK9?6~9escQv%(;NoB^7P$E56D8R5l&n>-
ziO{^JAE5S-`JAw9o57EK9oYDA6><#*7M2+17}gYJ84YEI7o~B=^Ng7w8_b}<ajYKN
zgrmG>tBm`|fS`;ZouK+a5ATG%;AQ-b2BbK$e07uJYSXi4&nj(aeoXynZwI8vhjoXD
z)9mQaEb@I~qUS<qOkiN((UBW5F){E1`0u8-<<CzB0BH1m&-a06W8c4DR9Hy!>_cC=
z=q<|5uC6+-V+SK6BQGy6=rVx1VFl!LMzj!jYJ;RnuQnkNFPtc9kNiNTujJ#1U=0QH
z)|T32c>O!O!-EX#m*R_fJk0+3r)w&|&+G8K*FEo$T8xeA={@<hamwpUc3$2z@pxvK
zIEd~*I;$z7t~T}{#n&*3^gDz`>Mlh{VA*t|P`U3`OLJ3|)#$YQ@6mx9^Gja!_H1Wb
zM|t0W){R`d$s0;AF*XpKs8SYc({M6;jF)dYJ3EWdqUW`@tY~j<4*>}^o8PRDoc?gE
zT`<7g+Z#5W6d%9JVL_UKp`f<7&P0D+cvSt!_@%D{kICJY)8FPwTP(V?-dnvDI3aHm
z@w@5h>G~{RuzH@4$W7JWSDbEJUy_e@W2kcZ<yKbvTVg0F_kMpWa^`$1E6Vpx98x*R
z23z)F!V@Erz4<{ZtbRmB5b_anE=Ue@pQd)tJfFCqDB~(6S4N4&)>je1nCR$ox9#76
zUS(vuZlL2~MoLm8aG1)8h=}OuB-PZoBaz>usAafqrx_bmo<C26UQT1<1%O(Yt!Y^#
z^pXGu-MM|+?RY0UGjk4l9;V$N><>3}eMnWAWaOp24p*tMxGbl{2MG4&g5hiwp5DX0
zjdLy_VXY~^K(VM6$6{4{fs4o5vpb4AgB3aVp(Jqmq=w_$x2KfB0`6}D*Zsq=>FA{o
zn`{<GC0x#xR8(@aGER11U0%}HRBL?hw(MpJY3%Vz8F5_>B*t%Ua&`5_^cM5blp^fR
zx2UN8XEgu_lJ#WuHlX+7;^K$mp?!mco*-bTZjM!hN)74)RBw<u|ET!fX=tCrZRA{$
zl4l=O4l?tbc+C6`D>C2zqoTTu-desp0c`<;a!@7q6jd2TE%LoQmHWzb>F%@GTtCT(
z+-s4%kz|oOIa0p&rzo*8&*g@aBvZ{u`-LcPWng3!Ad!3bB6<5gGHy6;x2L6G1|fZX
zd;sj<ym=F7)1>52K#}+F-w!eangi`7piAhtZ$Acc0{Rj|Ll@qOuFlTM02wnSBA|KT
z0?_c=w{HOIXsM{^=;)4)kIgMDQQ`?eVmL~1*~Xb3Hw1`lx2%?hHY=0r>qCaf)ee2G
z;ceYEB%oPz_&ykLFVL)q%%EtTQ2c@LXXEWc^Z=h-o#oN749~>y<iQlG$>7JAZ>Rj0
zcTI!Z?f2YPRO@}u>1Q{YD7A1sy3>^7?!V+excnTIxcBQMChJxyWT+Zq7c=f*>-<sn
z<u+V6UxVG1t{v<a?lME@aKu5l;^X53A_V;6{Cm)STwL6sWsr4ng@`@(mP<YMEmC+?
z!s`ESLCHXhJx?w7LBF9<Swflwj>P-@6`NR<y6cDR1t9d@K-vaT1)Ky11=8tTm?&o)
zBTs|80s|#u%=jZ|v9RnPRy?I#*@_Iu+@J}jGz=OF>dqdyof-znai+mjU0a)<oLod#
zH`&r_`}Ykj*aZ8wSm({jc*|Zu;y+6tx=wU=hXz)Q1qTP0m6z9S{}U+*N-On>Fgv@$
z#o6)ICv&{{LHsGtw5v2nQ@raA)(gh6@{FQXFP}^j3mlrH<)@G3CsSZKb5{K_af?YA
zX$;AmTi!ms8Y`A8pu~ucJHOzvI?_-SS-MA0Ivr}FsivvglctPM$$s%ooPEXE0(fi4
zn{u6X>afvfd3o&`J@x^bN16S7{ryr>QlOB}Zc5uMFE67sW8e{xZ-meH?qfZA^r$DE
zqphPOkG;25ufbz@(?7o)-@X1@oOnst71z1x;oMdpZkjvsg*2fwCyC3c@?@dkf&$z9
za~p;PCU4QiW39&`2~%CRe6z+iGn|pa*e#eO)LOEiSCwfvs3<ALpbl^f_vlMf$q&T^
zQgl*CQ(MUFrTLRl51B$B-n(~CT}er++(Z_L6!k`tRs|)hhXh?(Z}0OrZ+zvs-=|1O
zNd*OF%?wm$S4aK>sz$LQ9ZqKlSAHf5Ra<mS*8ZbZd)u4tWaS(wg4X7JLf?+ve*LEx
zVCBhr)5eK)V7txF+;?{hwvgw^=NBX~1XK?*nAIvVnsMeA8av#IC(4{x=Om(}bb8UQ
zeoYGFR~hE47B^5#PddA_HDb#9@bmG{i3tdTLpbzr-@b)@9duc!C||soi)GR-W8`;U
z9kOjaUW9TFdJhE!1qdE?4i5R<<%-&MCUQA+%E|xch!YY%?or#s_!N)rb~0Vh1FqGB
z8{T{=g^^;M5V5QY%i0+#8F)yhK+^kI{cofhkEr|gGP035fp;Y<^r;~^%V)_r1q5aZ
zaqwblVoy<PiOwUbsDde?XdP%Q#D=1m=_48XpJ#j_@_M6CGF9*H2y!1XD=X`>aTlIc
zT}{m~G?VzDb^QK4C#Z8E)rd<--0y!!AxfpM6Wcj3Fwou(oe(xEs_*0DphO<Q4FOXW
z^!VdukMHwg?7+s<Dr#qW_HeV9Mon-NsY{h{VKWD`AV^YFyUpd-yRIC0fm%mpG1-QQ
zUDo)PM9$GQqkh5J%_2YZ6hKkTq{pJQO9wP2@?=7fYj^QOgbpYp>8LMWCe?endbZVi
z`8jt_Py0Y50R4R^5pD&oa}N(d0}md*3;g~2x6j3~DLOhj6BE-W`k~9lxT2st_sCd?
zfZnXk!xHij4K`~ITWpX7m`K+K@{`jOKB`$5KD~^55!sRU<|C})2&N#Fhn&&Vc{$D+
zY;<NydK$hbS<gPlnjPf02xibA(~)F>eAw>ynJze`B9|%qr81(C+Cex$&jRa(Wd)z@
zaVV1a>m!9Zzuk9CQ<)?t#xjOhh3Vzx4WG}SKjYxwfL8Q9xg1Jd12m0)j*acFYknP@
z1BOn_ZB^~DzZ%1!4pp57^EMDGe+)vUkcjj~CCuAu>%tCmXJeL2a>Dh_QzQ10^0fFX
zKj$BNd|Mc#4a|k5q{bbN5@b9wK3qBXghia&6pj;@O(d!I$je$<coJZ9PU5rsyM`nE
z6htwfHo5bF@S?=F7JM*W`1$z($2aXw0Y^dWmoLx1_+9z&;|DSeh<JLsJ@oiMtb?}J
zJwkS)v!iVl`IIo{1Ih^XBX+0C&*KgUJ72AdN!upfV=frC<|LHYNClIVj*AQYy-zA%
zEmWZSd06tge{_>3YgfVpxoopFQi6p($vu7IS5~!WN=nQsWI?$7yLYEaoU5c98-kZ^
zUQ`oS{kGAmb;>*AB@Qc4FJaa!o1fvovzEL)c*=WFcoH#DuAz27IFcKF7v-xlOZy-8
z#t>mItE#GAqaMxB33+6$^Xd7OQIyBRVvpDAC+n?S0U+Lt>crpau)@E^GpA<LS|oS<
z;&Np7(0+;NweMbuc&eV@v#C(+sp>!KJuzd?e?3Bbu&%ivLUYYbC7e`{9xo(_j+%M_
zmTP$Jjj?8=q)MhU*K^am*Fj1NqT7&qx*pTM>in(Ds#H<~exl+QeD#*68cID1gBFH3
zXyhs?I9MbCZtns)xwx`Tk5+P0Q83T#&vOVPGO|?Y-E~mew9o#TZHDg4<xUsN3qwPy
zXpPvZPX?&_%E?)RZrs{x{}B4B*0?QuioURGLZIB{gcy=&oNs``N}K(V_?D$BdUHvw
zYXZNO$oK8nQBsqphss~;)SnUY&!T7E;whG*DP^o1w0)UqUtrs`et2Lkt}94%G5hys
zQ7#rU0f^0vv@|<#<$#!mj?e70I+O>1ZGZ!mP;Cv3>bkm#pFiQxfJyaEsy+mo0epZH
z3;9t^an?sMUL#hw$>$uze~`A}%%Ym~!&7s4w@xA+<d9>&xv_Ea=b%T}K!X2+%f|B&
zSr32Hf3{638^pafEXPVN%ikPr2s0ji*w^#$Pa{*W?{G7i@_kpf+SJ6>S+*XYz1vHM
zVQp(zNk6YKh{v>2{xXNo?vrT@T9fNPeQuoQ14a<zP~D){1>HLUK0>aWNqZPgXFDMo
z8I&k(x8Cz`6B0QV78XFeC_-p@qhN%;0TmM{L{hS{Ts%DYZr`T6jO!w%-Z1Goc^nb=
z*vD?|(D99!7_*)-rTl}~6a(jF`<GGJSh$Nz4FGU1)b@s(z9qHFzVGg9nDJ}jf0e~!
zzWmV-C}OQs)v?c#&t_G(FxkHmkq7#1Uv4NNhd-*r;q2_Zv9V$NG3BwnA+(T~nVCiX
zF=|}5NU^{bB-7hhpw6-~`j}E$R+c)0Le$@@a?7Q7dIqyUxjjU7Piv2qUBzTozv%|k
zKEaBCwZL@Qi?bp#O6kxB2Eo?=E!Y$H+;{F%t_nNoT=Skdiui+b<L*HrN~9#h6%}n}
zX*_xrC?5VGFYS-;wOIfO(4vP{9VlBTy~3B!k$gt&a~+_M_Qz)U?DnoM+n=9a^50zM
zFzTxbaqksE?k%Vb?Vw#<k?JLFyH%ncPvF^R*<Yqg(H2^(r4%HaKb)2KEZ|%sJSI;4
z=StN({tt_eum9aI(3ksuGD7DU1UBe@#hLeZb-mDxH6ZXeFf=qI7534IpN5=S0XCXa
zje3WLPRJD_PaE!h3FS(Ry>Y>7^eXO|r;prS2E6;ttPT$MGD@ggrV5_fj+`fZjauP^
zgz)@G_SxNX#AWGQ{`VxaqwYEpbXmamx(?Srzk!$q#cg-72e9vG9E<(|v`wN&?gICO
zelcaF8EAZ9RO8aMy_N<DVN}nXIsjXSz}G;~rM2FKNt;ZgiGJ5Tp~vrQ%zB^APr6hx
zH9%l%rm~Iq_g!U2wP*f4Q|v<C_+7F5_+L!_CQA=@ch$$4uU}ttoomm;$Nf>?XKkl6
zDJb77y+3($9gGdPZf%9vPGr@P&QyrFPljsS^Dyhyez&D|UR)h6kcnkHK9p<rFg@Gz
z2^TE5m^)yMw|(&ssxJU)@0I^EI|1r7|EtvfuiW-u947x=NZ?$Y3&)SrBUXzJaUP%^
z-L52{tGBax;UoHf=2}{)K9<+B39qi!(ARGQH;%J{l6Q1$Y-~zOaen%vwqMk_dR-kC
zU#3vHaa9!GL+qfP-QCNE%x23+s{0o+m!+n|zLO~}Wrff9UznM-O9&#u6dW9eZzd&j
znp0xlw#fT%vJNE7u=K+gJ*cB9(liWX*Ac_J(EAHEjmpT&d&I(`FViw)3Y{$x8cRB8
zcZ1XIxHzMDVR11(FK=5{EC!I8rG>?g?hTdL@bGm>#{W1dcGJ|TJN}>gZ~nX0`4^s8
zi0kR;Rm6#*WbdPO@YvLQ9Y<}^6QzTw1Kc6t?OW9sn$V!Q`Pz64RFlR6x(Efj!mrbR
z_!lZ>A?-jv{)B~WAwB){X#0hTh#&ZL{rzvwRB%2e;dikb{1{eHP>`AV0z|EtSojb#
z1YnNCtr=Tu>tyi5xH2sSg@h18@`k?b<qKhGvy#Hg;1Q;BV*t!IzR(?oZWk16As(K%
zEr&EYSelEYxd?Do%=lh5#KpxWBoNKua>;?d0Ei8)`ZJ)Z^71;jZ9{5&Bs5?~HDU#Q
z&Z?oOk&|Nz{V1(Us}5JOh0;%-+zvOBfm=X98yFlc=oj_ys0BL={7aqd79$grW&Klf
zN?+eg&@G`ao(5jED_5?N3H!{~QRX^>eSw(AhLe+1r`~NF`o&Jp&d^%>;i?!09s`so
z(UqT`zO%o-6a)aEizROBsW<#Qq!{tY1U-hneS0;b3KujuIC#vQZx~hT0nRIZ{TV>x
z(#%J{TSCC90RAG)ou_IA&OVF&_sE#t@qrI-A0GC0cK)uT%f*F|(Wtc2M0ts4PN1#S
z<*FN|qofoiLjF!lhnt(*z`($;w7M`Gc6pT~U7^}?lo=eGE6MIZl6bvFRW(7_iYkM)
ze?UMREPYq}CG?g6Dyf1IhSAv8R^N2kCk4tGfq$gWD|2&mxLq(g#%>Lywc_C6*?<!c
z+z;#>BHG%-SoL?GC2|)Hm9m0i>({U6=?WSSSpLRi1GoARX+KICJ=cG-LE|)DH1B;(
zOmtL~R)s~2x`8S-7S`;qU*uC6xw(&xJKuv-yQ^LhOsythw**lrn)lPn+41hc*Si+Y
z;5PETJa>&3hgAXxxv+3kl<j<<AN0c0($Z85)UrQ*j7>TLw}5;yUxm>rbPB~N6*Wl~
z=jY#7)H>kd1R)o^crSPvHDZA|Ui@jk2jD8!1{E9lNJ_=$&woV-UwlYP(s2Nv#}?Qk
z3;K)TDDE98C)+zYF}iCMh>#QT*r2?0VWFYy?Ch~D`lL8GDk>^e9NIusGcz(QK79c4
zA7wcUE_Q&#Jb^dBbqDq!3%jq-m`oD(Z5*mXaB)?Dzo#cvSRZA=<$Bt%KVjR%q+9!W
zNFDnZNi!>B7dr-r)z43GNAU>>7riRrrke)TZ8w~+3P)zC4pY;@!U9y9VU15o_rih9
z!%~GrM6g);<1uOF=I6&+mALf1v`|n~j0c(@jLR@TZ%40jE&AQNPe3{$i<K42qO9af
zu55Si+_`b%trEVXf&$&rH^S8BSF5Y5)Dia>e4p6bZl$G>$BRQVA6l%8diCH<$@<%O
zKZ9oMS6Bu4q{m;qedue{EzHeTw~9((7fAJlM9DFS)?>Om)#b{-W<NMEa3X+T4?qZT
zi%ca0J-rWL6*#hjjg3})px2<*0u0UB^9*0WB?ksS_q^5J$b<w7Bct!$q3`SS`FVMZ
zG)ljXj8y&`#UZesuzv?tGd>K=%(3x%;K(6)Y?rnvLvL!9?*)ENKA$tU4i`tqT{52|
zun41!LvUiD70Sfh`^li0+h$UutYO^!hBS6a3y>NZVi*Vm8xc57Hz4p}a-db+K%rbo
zSsBg~G1x~mH0Y*$0OdJET{&}w9`96zCBAE-!3V`maoDz@$;tXxEvw6W*ATf$6IHf#
zwY3gQ-=%(pDk~^}BkiA=Y}FAk|H_1~YHDaa;B`QrQ2l|{BZ#ozChq8l+<*CJR+Mz@
z^1%asmuDV{V6buX^rWSw-POe(3f|k>1J{K#nbzw3{CCJIV<Gq~RB`(&kc^N><iD9M
z0;B~ntfR!bl60_edEu*S4vaQZW<Y_t-0c-M?qS3WkxvmYH#Vkj2uw`W*2Oy`jIy!=
z_td?65#Ts#WO$`@2<e8`aZxgy3Yrh>kV!$)>Y>bl9kS2qS0RNC&N&?QqIA&!hfL$E
zFUi63z7<T5M@-B>NL5}@A?UoSVjN4)%zOb>Tk0HgfZ|h4zD<=f=T_i~NSJ5`^Aaqy
zSKKvcK!NH&%2d?Vw`Q7zp+v~7tgL`FDPM2CW!ng`KLt)A^+FB%)uBfagFwo5bmeZq
zu>uM^4jCB&7sgOj%{5Ckyg&y8O`^56wYH`PHM<ZSeAW#!4h2xep$@Pw%{DL1!6*e}
zXeUR<wdn?a_%v>~?d+5hEkfY6cbWmYkAgUB)DZ<lc1Kqx-e$VK2Eh7O<7qLd4#S&o
zjK^TEqY$zcIIyBpV_zlgKp_IKO&NA&NVNJ7hDh^sL&GxL8KG;}t~H`Rk_T@Xto5<}
zRYEK_3=S~uKvnqtD!U>b0{ynp7j*E4edGk||D1`Wj7*|{dl|S75)!mPGy;kz)3LSG
z$qLq3#$p(XF)+Y-@PLuSxiyp!w|EaA1Zd_Ehv3x*6Kh39#Z>7Fi4EHz_86Z9PDE~M
zXRVomV0vbzva&At3d)ST5?1dZ+)S;ldvqW1adTI~`GirI$$)2@^J_pxK$dn;S6&;+
z1FWN_qVgWRSINn`nj{GyKET`q2RHWtC<Rbhh#~cK+;dnc;Up)24u1z14!BN0Mnsu9
zpuB1}DQn_e?0n%y9NGRz5!7Dw;j<iJwDGU5u7(rhy#7;BObj-Sd3t&pDo9jI&GtRW
zIWX){{MM6K`?Fc(9>zc?Z?mF@2@_M1%~UN=h>m9{3$JEnq2=o^68>1@G3Zx-4+kb3
zU^t=%77{8O9JP|x*2v-<xF-mDxO!?@&@nq;#-ya_B1*3^X~V?URvrnF6_wHilnFV%
zxyigMnLV0aSU3soP2h-c-n^02pUX@N(=kZiKa)o&JmhoTWIQhe6DtUze@(1?eScth
zK<5RRWu2Uy@&qM?kA=OCz9g$tjqw{DjFqX;V+Vm65<~~?U&}{~jPL8+cCG@Q*$)J7
z?cUo5P}@_5edSVx29gCm!5XAWh27EBl^7r20%6<MMke5fdjEkqN+?fowuQj<tZCUl
zI0*Eg#I+8x%|e{Yj8IUe<>-&0p*=98fHwOWhB@FYQj=v)fO!ve3Rnw}uTtUsf_;DT
zMttXt4dlUKnCC!8_q@Ci<oR(3$|(#sVD^K(wv%2I%BQ+I4>R*71Qo>cG@PsB-KFdj
zU8Nu5%mqKnhN^_Gh=f5=St=$MG#|(!74)zRgN=uEUtq+=!eWD!1{DJA;&5!#_OmGA
zP(ddRJUuXkgh3`$4;DZ<IXT=$su5<=U2??xhfqdfCJ4!C{~H-=jE;s@JyQ$jS@(l=
z!mcvt7*5j4SXx@zU~LXk97aa+->)08X9u&Uah`1|(s-m@*8tTqWsgn~aR1g&O(N`5
z&pyG#!V*!S!0z<fX+?>Wot5>Mc#|{<?cC<a>}-3E`~6VNHGafC;+6XN1C7kV`{+Jm
zC@`v5sY5KZi-;gv(SdWkqvO%ThoT-9Z|iP$l|g_w+uKL#H0D6vJ-bUWN8sys0@ELB
z;I@P4bF#DhiJDsw^g4P+%#jFM2Y{2H_V3?~z}|{<0uBzSxT6fR90<<nc#L!fyO3HA
zkFvh4$=anNp@(~>FBF8`|NfCO9<)gpy9wRhk1sEzIE92#CWxX+>B1H0>QU1^Y#7bn
z--_+(V0y();?$w-b~$6$c_`Q;<K|s)Ix_&7EG>;@h@n&Rx$k7{W$o}dbnta43SVAF
zaJBdKy{of_R!t`h^|9LvE2{^jq>Wz3JNd<<-@Z{YGBN^g;^cG!d5J}@UZdL10Cq_A
zH1824!hQI7s7>>Lh)_N)=;CfxU%Y>hW0Sw985T7$ApF4Gz+f9HEui0`!g^GWU6u!X
zqNWcUY#t0#)VgdCVL5~1Ms&{<76ViuFbxV{9A$#}3s&l~D_$0!VD8}icPdzPJ-w7V
zy-K5~jEvua>L5dsf`vDkQXzh0ac)i&397|E|NH|08oE0e%}@^2KaxVuc=GxtR;1Bn
zh%y9e#Se#ngLG{m8=c341ctXrNP4(@j{dwnT~=zmOTuUO;yJvDs;;eqf&$zrFqGB^
zvL=J(o0OeBJ>L7Ps{eWKKj3VzKp}_X54KYXL&vbFD-@dznv2|r4m70}!}P|+3s4Z`
z=x}1!^*tn0`E~0b>~BPy!F_`t(%Z`mkV92yD8|Yy8*qOce!mUwK!_O_Kj}D|40EVV
zgmI)pV+ptp1qDp3I|Qt0QE?=Xn3)%a#=5ey9k?CxoMST^&;LPKB#DsU{^uXaJyLRV
zo6x(3hA7kv;0_HiLE;em+y5OLe>bR%lnFxK9;%~j8yl!L2{aWvJv}#_Qo&%az7;JW
z2AXfK{@M9Ch_2u^l}izLbpLVnl^DPwIUhe__d{sbTtm?t<{+CSQ2oIgjxweKs3?id
zU+tw;G&Nm<)C2a|wyCKG7y=lG2HFe-n23l-8VRqvi;kWtZOgN12N2_sjMw2!r(muA
zIEcPbxMAC#pxlc^^P+SWKhTC#A(dD!L(zZw^i@PeL|&e`mKMwa^`7jn@mLJyI^fOv
zzXP2ZR?_!mg_eh>D!<qXpf03O(6<0@v$C-rZ`N%=FaC^-^t-Rx=&eszM8?2M%VN`J
zHU2rT=shHsQbuAtyw>C~S{4?TnlBAt>3;SMqv|ow&vKh7zF6b(va$qj>&~8sj-gFp
z@Xta`nv@04ns9S*oi8TZJ|H2fQH4~j;9+4Lo<U6s;~P+jpnGdiXx9FYV)*Cd7y*|Q
zV@<H;QnK^#EZrR_v8yX(ge?B3<{&XV9K|{{lVvK?_Y_<2-o5)YUBSdZin!*CuggPc
ze@PyJs6ZS2hRBrwqel%f*eL=06=k7D0RmxG0_YVm2_NWfLpcKD=;3mIGdTJ9opk*{
zgh)+I-J4azhCzm?(8xe!#*PdyXLt+_4?DZKY(l{93kAVED0J;+!Q>0CaB*<~F0Z<g
zB@F?<qEl@L24UEaFhY)x>=Q+>nedl|*51jfDWINR`YiwjfaU<~HL<c102l{Deew6N
z(w9dXuQFQd-r1J_6OW1Z7Kr9A7kLCBU^NJP_-(a?R0<eELLmI|AJNmJdL%G63w1t$
z)BKw&Z<uDsV5%!nK6pdD;JkdG5MbXM7#($m{1hW)0yzhPh@r+o14h$iF`WPY{d+*`
z2H=(PQXgs;bo(RnF&pqE*Aa(J1w94D*P)@$pwH;)PQg3CuqeC4*G`CWKmT*7&-PzZ
z(=P4@AprpZJ_6v0%*x9<-dj<|h<b7ixR@$O9mEHK|K9M?#?%}@r_6q)B8hLE{j*vQ
zb^<Wqz$|MdzjItUBulXIZfoFj-UbPRn~e<)Y3%3s(cOPV5@}kzkb9&8)rKv>;Ng_2
zdhrf}zPGK77Up+9!jbLo>av8PF|aX2iT@pd(uC$9D=RB>-FK8R2f%8{3;I00GaZap
zxF$~n2LMo8tMlp8Csv3?B6OIenTOoI@CryaV4z_Q)IY;dZScCm5d`yUdG<1@s?H~S
zE0AF4d@}B!{Jy_@AN*HlXm$p46qr_(VG9~e)aj)D{S~LRk&O_RMi9pFgOC`?oxk2T
zHa2Et7{;97+`bNkZ<tOTu3uKRh#6l+NeKqIi&|fS+a5TPb4^-su=HE?`-NjSpmQDb
z{(b)Ec3^KLn3xJ>x>8c+V5$ey0*8fb^p!oBX8n}1va^fyn=Zho&vd-;6AaDO3>eqm
zm%uRK<fMR*kX~)65z*Y=ne+FM-OZttKuUW@$^n+<kf0!#g;=WN%iTgv{{d9!(1ji#
zz?$w4Y?(tc?Ubm2G8GZNczY%r8`SjFVikSv(s#pB5NjZ(1xdm%!CFa^UcFoCUQjGb
zF9-KHH7~C_<P$g`Pt)HSe1Heg#~odqA${MoZJ3DkG#((hg<8urG;qh(uyKIH`+@3B
zW0;Qt(1)6Pe)b<1tfFaRvIu@V+Gij9GCR{$U?}eq9bN8!-j7N&4BbXY&()!sQT?l`
z9R)bugG=~#AkNRD2MiXd{=f(*N#;%t4!?<DjFUyMJTZ}YbQ2~RrY=tQEkS7lvI*rM
zW|YRIV#hV$8w4Jqz87G8eDi0iXze8-hl!ml3{Um2hC=y-jNerfU_bz60v$aBbeH%%
z9a|Vqdu9$7s_r9|N{fm`KYs%t7~oq%f-(VvIyF%o^*-l(jEtdm=cijuGM87Mh=_av
z$^gz3APiGL^B}}^VI7U`ftl+B2Khm?fioclBi#<c&|?QO$HvYc92S-g^#f9f^p6*C
z2~a#OExXR&DZ-1Y>%heu!?Lpbat1XlXoi5y5S5UCng?Qg(P{-pE)a6^32K1b9k!bs
z2Mt>Lf8YWjC6MvEbWcqs2clHM%_$iqt$fP*XbBk>xM#AnvLso$%GP0^8}dtfaWM>b
zNI`RSXU!fkTCKCCi%aF-jC=v^x`maMM;yHXZEJ`DZUY>Eb}AH1j!~ufC?OuybO2me
zeM1AhFHDrZkB<i@G-{@Xfq^039eADu5||n>o8fgV7<hHq0Q)#3SS07aLKWa`P)!@5
zP!4q6ym4a#c1J>D>Dya$+?(u_0KPx)Ij_R^Aha0T11C&QO3L4}qgNhSy7@QOu9)>_
zysfJ{1pp2cx=_HEy5k>mG=sO9RKQIH3D*h2DI*qYautZ@+(+Q0V=XPzu<&hUzD_PK
zDDAELt2W?nB&fAUFJ36edw>oA0*~{?I2YwASP8jE72i^O+x!hhB7d-yWA}rWpjBm~
zyYrl7v)~J~Wne%WR$E_PU7Zon@u4Zw2q-5WUTjnpHW3jYG}}Q(Wz?x=g|V@+YN+cl
zNlNB>Haj;5Bl8T5t)ruH#$&KGFsBs|5P+J5&A*rP4HouqcE2ME`pGQ}0udyPKR}`x
zh(^igM|1ZmgCinL3B<`U0dV;TzIyel8a)!$4@N&wUl{;xe6Sm!Cb4x^uI=8sLxe*_
zl%JON3CbqaHyI!61}~V@UWVBUENUt$mHk;24Or8*BiKq#f|oB}LXZM-3V3!3T&cXg
zoY0?;&xx*?6*XIqNlJRLK2{D13%IX`rzg~e2G~6~EkH$(oY2RP-+Is%Mx2wM&j)cX
ze0j#f!m<S`2^yQR>NgVk*!S<9V8r=f@I@wLEPYb=H<NJ^fI}Ab{|*;`M9^tWdTjr6
z;3sGoFmiGI=1usxVy%i*2n`59xWGzKc+1OocXsH<A_@vDH8g%g%e?v9H$Ve0N0^?U
zuVq0ExEda{wYA`P07IO;qhrD9i##K#)O%-@*eD_Y(oW#N4Bw_XQTyVV177sPA2yqH
zgENnyn*wlVtOXn1BSW2f?ScHi!?|9r|NP%M>HjsPYmuTr=XHL<HKU67vjPbf&Nbi?
zUFszX)bLCK6_o4su@@jC(FRlz92EkcN2N#L1kl!VKRvL1yZa*G3j87kd?&}XYhWwl
zbl)+85p3}8?dW15dV%^dVh2H&cn}~ES~OwtTgc~^s&Jo@lI@_lf-D>;DJnV#4Fw1x
zBq!8MutLPw6%`j>Y*ftvII0?IfSC&fA|EQF9o#KQJI`cgV>nNak3l7T)s~M~jexE_
zz<;QvGFn5!!=_MoVUjf72xfX<UY_D_4PV~cg0CcCnF@cxjvxdvN(Y7$pJhfxMS(>D
zvLH&Eu0ZXq$go{o*p2Jg!GrWZi4W}6P>Y7vi5wjrLxO`XD&>EGrf-=!@oz03U*?5_
zLWeWrR>jz5Vr)F@R`vHA4Fr)Yufb6Vpv|&=0?z3A`g+1fd0N^p81l_lD=01&f;Wca
z$!$4;@%P?-LC67FXFTQzL?{SC(g89*UhB-@^ZEhYc^XIq`d-^&Fl8f2W%xl!=;s>L
z4tn~Lb!qq#5sP|x(Ddc3oxt1)<FRVQf&hNdufHPNg4VRP^#(i#0@zYfRkh4Cm6eqR
z8cMXK27pmnx!mLwe9Ss!MnO*KRa?+3he-7SL<4F3%@#8Z-xGnu3ToFSlvn^O?azo{
zbPlFx-SW`Ve4y#vhmsJq!AC?RoA4PFH8>H{M3Jb8vIJOJwGut=Utg~DUskv_QOJ55
zJou7YXX#t1r}FD#Mn(4LuTzDZ)~7el?Fq1~)DoWFW#^#?ygGx#iJZmm#E-P4&&3<$
zP1nL^4!!*(9TWd6)g;lK%lEY(S<n*Ft6e<pm)R?8n0&v{r}h?DFC}?4;$z)g(n)>W
zJQ*NB+PmQbCEb*j;HmH3xUTGev+61V(vtlARfsr@=I?vo6H0GWyorVNT83&Wl-g^?
z>2S*;Qt~>w0r~e?9}>FY{K7(~x+#$GL-pTX*^H)mgQ<lF!|6ReJtQO~kh^ijYNj^f
z{2TM(JS7z8?w|{%XJN6muu!6pk>Z<6z@T{3R|aY?MNYg&Ln90a4ccRNvNq`T&TSJB
z6T5DV$CPoT=u*PFa)Ydf7h-H^_>?~8qG6vM2kpkb3~UaRR_G^qML(l~-Spi4Ew-l-
z(Wb1c+u*#W26O4Gp&dpb+mXv^6~$)c0-{^KfTNR6*ZG{)4qw>wz^YrvOGuvzdt<6@
z)TT;eD+?Jwk)NMG&`ro9wX?SrY@QGw&z9H&g4f*cG0+~Outhj)9TL{ymXMwYhQ4yX
zcR>!>)TF$ou8u$X1|i}(6UH0Nr(Mseu)!-Mh#h3a*M3O}j!}o2wz<+VEAB)lVPW8`
z=Q`0U^gws4!Gi%``g3&jIJNhdAHW{q6OSL<9po%hpo1P>z1|i`58w)hf-g&>tgoLs
zxN^3$fS&ht_V5(6q&o<jX!BASEaZi&gRdTfIe1`1Wg3i7bV7@-z{KanNXd4~JQX5G
z^nV;%Wl{u^Yp}T?F>L@C2G5ato(jx!0@c{s*bwwSaf(u;k68uP48aPmJLo7TCNkiK
zT=7#0IjSoJwhhI%iOo+8qCx?uM&~X9atMWO2TdD%DUM;nnUC<X44`o3SmUL|MW|_4
zM2gga*p@T$3kcMMQxTz%r^49fb9s@B(^%_$%3ZSq2JtH*jCc~1kw@;CGcfWW<aE;y
zki;8a{JOUvlD3s-<b8|HX6-&q+WPtm9~=4jOfT(b*OOC3cOcSW;;;1XC8<Ci60Qet
zVc!FK16TYeeo)}y;ps5rBNT8TiCp<IxBV^!G~ujeoMu)ac8EW4=g=?RIrefujE;=l
zL@;)ZTX7>`v@(;9-aQn`E+8T(vWVr)&2Srs#}6*gf7?AayxF=G8prO==h(v2&#9}V
zbQJ;LPEZRb7J2!5vV&}OmL1I{oYgd<a4p!?@I^^tiWtq;uU<*`NK8bOkqC#}nw0>$
zY5My5dU~V?yP1m`_zIz7+CvW~Cmh7;+S--pc6NPByZeWS5n*A9IL4ergB{T^G0rgG
zhxm2S5cr(+@lhAV#|s+@A=7%NsGKAQ17%Cg0=*Jcn?yz?L@s9n0NkN~W+!^F$bVeO
zJ4q_O<YFK-<>efhx8IcuyfXL@9E|o-gjG;*s=xp1J}nExR&~mxCA&_MS~LfL!LUVz
z)|Irv!cYO0m;uOhl1xXC#Fu+BBQC2i?@2~+%qD+)mf}$SMpim|V8tmsENpD!0BADU
zra|Qhc$)6STzz#Gb+R#~MREoO;kbbm0^fo2G@Z3ps$kf~*?DZk1ySv~l`^<;9pP`#
zF0SI~iRwxI-KkgP01W0EWupXs%uG*T%y-<EJaO{<4CM9W$B!c92m}nJnomFdmb5+a
ztns>90T&J$%vyImXPvCJzlJa|HGTc{R}{;UZ8I0))7uoEaR96f+WkTxz?TSL76pd+
z$p+83kLGb*s?fbsQlgCO0_g(Uye)>a;>jRh0v}RVR!&zi19%JAx5L!_@dLECV4C{{
z${r$Z*rGR?AAj(rCl$jio7uA;M|aI>^si?2(_sg_mo|p7Z*Kkw@c?j@M=Fc)5$=sq
zBM65+?D!rN1T@p9pp$$>q-3;iY7<~=P>W$|FKu)Oh)^s09`N-!Kki_my`2<?dBPr0
zzN6)_Fm9gvG%3(g?RNks1Et20&o07<N$ox}4JrUwo;W&|i)Y5Cq`1_;peyv*ODih&
tU7JfDXta^R@;{~9wM#|q1N_0~YI)y*PV;;MF(4d-l$ac{`04Xk{}-7>?dt#l

literal 18155
zcmeHvbyU>-x9(tJf{KWUfFhuvf*_p+0z)@~gi1G3Lt}y>Ih2%0cStuXN{HmpDUvfV
zAT`7gcYl4)@2qp~UHATV{<!C^%e&q+I!t_GfA)T!XFng`swl~vIC}ml3WYj>mX%UN
zq4vk1P!z8ZAA)D%2m$l(aOjD=j1+1Q`R`**dKe0I5rvkzqv0AiKZ5bp(A?cyT2I04
zJ8+oo_Qj8CuM)0DI;-jp`iDDnytuvZRnUvWT%7y-FTS|Q)pa06J9Jdz!2JU|x=&O6
z-)Ur0+?D5^S(j;g9};bR+K!jiO`JJc?CY?{^l*E;{KD{hoX28+0FN|`0fl<-t$yU-
z-#;Ba`+^<$!)LVvipb-$)Wa}l_>n)wM}a&>vY78f9<Sf;IDkAp@c(!Oc`P_{hX#3k
z#PNUC2Q(cNh*cDbB?c|7C@q=w+H7wu6%JTi4wc$`=oz=HDzzE<VOnGX&-zpfpis*+
zu{;gsRfkbc^3ewmWV^i0Y$<S{i)HXKExFFj%*-h2qHyQV9g<t!-fop;cShpIhHDF<
z8DIJR+qVq42+m4}DSs*^v5dhIE3?^K5!bw`bQ_7pIPt}f#Cw(NqaL&;PkzLuD`(4w
zvgq`pP`B@Ve#8FkZp*o_@foG*p!0z|F?<$kl@?*_ij_tN*(VqTW|ya0EC&irDnmG?
z7Urfb$D9e>sx6T>oHv(EY=+Buv@I!6zm%jp4m=xLT^M-?Q@v&Svp_jk#5v1aAa-jN
zZ<J8_=*vES^N!oz-riYy6@{ZddtT{YA|gG@B#SB+Vpl!2WX_ZC{+Z^TN$%TAjU_fi
z0_nuCurU6|Uk_+zYblP7jvl3=>W#Il&77Q^Jl?KTY#zE$OSX0M@W{3usoeVgj$6<D
z#@DZ3S9i&abHBg8!=@ag<1!zub|Z{bmDQ6n^TX29(>b+rGQ4-T@LOwh^n_?0Bi}5o
zTuy50M!S1+y}4oe`T5n=)m=7zLpFoOXl!?dqghmMqo#c1b=8qd=c&25>|ehg)sPpe
z@YCrdXD!O!CKKay86ezLGR~o{8nZ_Kbn)Tg;Yqvm@=(Lj(9rxqQRDn*&5)~`TeR;9
zhM4~T2Sx!rxHQFEScO;to1dF2Gm27Dujs{G3vec~yaKT|a3Y+VS@1cq;_qi?&5Nx1
zxNw!uR_VmXU}ihk=<#~LSa|xDb^p!F&DERJvGgBs+1lKW6AdSdT!^}to4Yeq>r?w?
zefG!+ORKAV+_f7?JPq&RZ48EnhK^gS7Jm5?8%q<dUtUrwDkua*OZwD?8oQI`qZ7w=
zcgV2}g0@0>Wo+`1=aiL|Cl(j&BsM3*6y}Z}Ir6D5x~H<7rNo9zA|hk1aKd9P#%gOq
zjZJ^PA1`kI8M#!qx6_{5cLDY6#Vad5iZdd4ddY6v8&CPI`&D4ec^j@uNEmpmFKF7^
z7qD`$vP!{}`Z|+kG?S%Iq_^C($Qxf-UDbH<Bnc<5ySwWj9NedE=#}cRSfgEATN_QH
zzi=T(JzWVuT;Z6dlK7(SgLwAGj~5S8QqFyQON0NgLSC%9cJ-?4kt0WzmzF|XP2~lb
zqjh!?6B7rEEy73(BiV;eoWCk2rU$Fvvh3cFlEUid=9XzaQ0V{WjclJCOzB7Djo8O-
zMW(G?MeP#Vgr01xmFd<j_4FXzc{U^}{olS-)zgdf^z<y$i^@qU6?d6`pQW8|yN3xp
z&#wWqU=(-new+|}<1$PX#>}af@+K)cxhRJMmgJeb8O0f0_Ao2HZ0-EKS}!sICL-dq
zTa6qI>S(MJ><wD2#Iomlw%Ks`)8#*ZI(F8_^5H<>pHnh*1Tl)nl}dV$a#%TT-c-SA
z)Oxz1yP|KI@fIuAL<g6Zm8Hy&IGIg0h5GyZtHBf_!oyQeU6vNIF7sHo<+mMv080v=
z84?v0#fpccOh1@*BHH2vvxHv5ImI|3o|cg4k+r6vEX{1wjrC0RbO#e16zYr=WM2D6
zd%HU^0yZ(0eR;W%POM-(2g~ddyu2egHCdY_9A^DtEy-7tl5YwbH=We4_0$>jCg(N;
zGv_mVZ`^@n<2Y#e`Y0`Hv-gfMVX+wVrsOVhu%svP9%a0Qm+pQ_Dvj^{w2Y;5!xcp?
zi=(-;*R-y3akWXfN5$VPcUv)~y`ih|`0?Yxg2(qFiRxD96T4by22S<8cmdDp6mGM8
z1{CVxDL8?)G_<s-O7SAiIGnmwZ%!xd-_-bcVq3iEHBL@BET7Y?3c72hT{0h%!t9TT
zYwqK(>EcNAr%$tRu*u%Pf8XNgdmj41V!JT|^7>+**ZN30yJCzic6)m}jx<o?fkAhP
zE><VQ3092ey^rlKvm2YwcRDMv{pTLN(R_<ND+dP}t5Il-{@&0)h|o4@COJR~O=^u5
zY^krm2kE-|#ld5|He)aibQc761kuD~dTejEj7z^Vr6r2nYU9s1R!!oteVTDI7OSRI
zR5Q|N=yL<@{^twjjoeeHXQH|W1}BfAF#AR-pT0|GHVVLx)>MTWM_$)?;?ss@lMi6U
z!6?baZY$H#d+U3<2}?^$JWwL0A&lA!0yIQ13w$M3eF6ps2JEb?-@KFKifu}5M=W=D
z*XtN0B_-8UWKXS>)$O!;uJvdukpqH*1-WZhu}6*`<^AyCLmJc+)A{~S>>M1;c*i(J
zN78wd^i~paND=lj5b|oKZb?=&zg1+5VC&Ov?NFBc0j#$yx>(csQ*5KOa&?7?xK4pK
z%lNZ5bd47(W|$_3M4K#)%qM9I(O8Qb^)v;ZRJjO;@&I@#J=zokBASZ<NhGlp6sYCg
zjEt+Axw@L#`361D_fztEMx|9TN_akSp6k`bccnVR(Sa!G9$}+Eg<KJGK8p&mgD6tC
z=SQXK;81Abj%UL}g?)L)U3=9i0Mf8@(*e{O&VYXd58vOgqb|zRuq&v%J9}ewb0(px
z>I@1MLVXfIhK`8+uV*gv{fR3x?f>Cvz!v|_um_CzKf@=Nr%#^>yBk<r=X{TV-)#o~
zbSi+76eAtXlzUA(ue^J=DfIHuW5;l1W8SeX5s<>RUm>rV!=(qODJSIdn*7LkSZ1rV
ze<t*@j7FWeS5KCv{1v6R4x?c4$i|3$5U})cDj#WAI$4}J&nJs5e)9dOX1;-bvP`g+
zr)M=QlE~rn)pK=AihcIH(Oq--bql5L6sXVf&87i73tan9_A_q+0yJ*lzFlbnQ7fmQ
z5bo#ahYbrO;<B}Jv%;<@PdmRwp?*;{B3l^Wl`3xq<qx06#?CIM1~>%`C;ewpC7_$#
zFUTuiHZ{p2Bk0T1cO0A!m0{{!7^zw*;Dp^ayqR<a)%4K`-*sNh)jrLpTmTTHP(8fs
zbK*~Fe)?7bn9+}=Xi&dYOp{{*OksLIk+<0Y=*(bGjs~oJ4T+~X2fnOkb3m<4M=!^q
zo++g67_?R`RLa-wZe_<_1F(t_k%q8}mLu216q&WVIP$|gB_F}(hNQyaUcY{A0g!5e
z3jpxse#pJg<e`3O7MrVLq5$zOQ~V3h>LvegfUdy;7fL7g=HnL<d)toirjMv9`|%gH
z!{wn9Gf~%d)TVw!6cr?Wor4PC9}wUqvX}3(ll|i5%asC_Njg7jX02#mlQZYe%`T`d
zm(=@F&*fDuV579hg%u>A*7?(Mx9u@bHsO>da{&Tz*ROtEp$iXY6tcf9>N0PSp@%*H
z{Fdg*us+PxWo@qSiutt1IJUA9Q0&331Ly?#FYDdC$u@&k+r>85=&t>qU&N;Tz-YIn
z{yrKN8)ZizOl5OUFXp>=QC3x5n51b*3n<$Y1)u;)6l27{*#{A`=c;1(dZK)8N^-Z^
zn{pu3rEcQzom-L?-gA_woYI?9+EukLSIuKxxFmDUmwv~Pw+=^KS67ptx!#I=$vZmk
zESX>?%RaM^!8Nbmk*SLbLT-~GE_OQHXu@Dgb_~DO^tAtS`cz946b;U)FY=rh?l>l-
z&~oe<*S(yVtr~m!HzUDu`foxy{+EOQ|3L2g|5Ny{qrdiTE^u-dZZleHs`=?gT(_b;
zbF{kba<FSf73$+>^oSb+UHbmp5>6iW0M6B-{UcV*=X~&)W`4~>jg5*Cm&*7px}>nh
zjx$P8X>^CH%jh2HcpWYwMHOLFHu@jf7>H@_tv8#-i+d{^IkLp5nU<3^tSO)0W*AME
zIxPwr?sjd6`^h<l=VIlplxoyp^JEM<yP7A8UE28cgR65WjIPWK6jEGF?^=*iyEj85
zN6s?ztyu;KZSBnFAN4WGVX|1`cH4BF^O0QanSSlKQarl-3V=2SE$(a*no`B)CZBZ;
ze~i-Rf;e{%7n)k0lRYydrIF1>{??eRyNsG5S^}FT=Ppk#>9rG_Vp%rW9Z}3mId@<(
zDP9y~x<M~w|B;pB;>FLcJzwgap1D_xNn?v=k`+n#%=BFEYR|+i!3sl0D@rt0!J)9X
zH9n6*ky#_XQnRP7dB3ixSqwaDYfzQNwf=fGvr_X6{nIa_eG%{IRy9UA2@ZyD;CF;S
z;r*@erqfp4><WB~H>+y<3q<baHk`9D5Rz%%ov<S~*%csPGB=jMVYJ)NBa+RKM+S_t
zHeb}9WzrG}j6BtsnmKQ=Zf{g#>|AnBwstmDWy{W_*CLpOoQP}MX+u<sF?^~(<cqy`
z+?^MObrfR-oEx*sgVss=EP4VsM7(F8RUUU!4VE0y|GvF5HK#4LF3~M}*_7J_<A%BZ
zg8i3m6&o?4Sgz|5+RHXJp~v}*KAYENi`OYFSZTSK52m|ASc8z&H!0azceJ|>hn-4h
z8u~nYW@1W_oZHKxkR45m<t`a!uM|)nl-cCMJ0_cb0zS|i6?<+vi0`c8EJv#=kg-C}
z6%}*cnG91tbM|c7bZcz3S^I~rMW4Ocyo4O87vq)cb-PKJvW2dgdNWq^+-O4L)S^Pi
z*oTeu$eoRBCffn&YrD5p=Vn?pmawVa<u)E{SJ?0^idIA~&kBoNY#4U6Us5!~wONfm
z@{=>(^G1x2G(VxYuX;q%Vz|qBYoSP)w|J=dm-r3$Ip?0OmY2F)_1u<&iSHs6>GNTW
zjCBO{1Z{_f7)6|90mAe)1TxUVI01qV%;f8q$N_Cst8rf|HfcF4zVwYIMii5$mEX28
z{&{JlvBbQS#cOwS#;xM0aHEIE^X1m`hivHJQj5iDxn(+Jg^k!~qq<4G6GmmN?S%YQ
zUsgkOgk6cvbqo2J%_7?!rqpod`w4YxuBI^pi=$gRr74AF-lHzLo}U?Ox0mG+Mgj~w
zM(AnM-Me?^SF~~-Bmxb{M2E2tRyt=hdCc=b301zPmDAMG4%Cwmv!GW)8nhB|TQ;uz
z925WYk*r{zwB^#ne0eOKsP^M4RbqSCZU3`HlDn%fQ?V&NzUyJZ2?@LO5*J5SwI0{7
zp{oRTPw`=F^ulaMiKSf8SI~r|uIy!Q#t_~gTfejE2fYeeOb-0cH2V;hZ+NN%KdOyg
zU0S}c(|e*11gfT?p@)D(!T`+?`ttLS(6IN<*bSGfVqxdmL8ow@?^neZKfc$%*Ik9N
zqvcRzwL4n2Z;^OV&RFUdYo_r)p=}<k&n5GH3z6;uk?Xl*1B}<{)5Gf~$q^3zt^2Vq
zDbai6+%XKt6is(m8B>A+Zn`^nOcSRdPqzC-wG2X&IYO~lSGyVPsuM+=2`RC47V1AN
zVwJ_$!acpbdO-F;cR>i=T7?6}4Fiy(mfSA*3t35S1Hy;7eyS<+5PLFesXSLA2G<#K
zMw1)N%x4TmcJQsCbm~fPZ_tN0{L;!&__276u1y~MVlgk*gV{1Atd6O7=^mxie1~`Z
z));rzdY_EOTAnVIRfUs)N%tq~?~+Q6Hy(0KaO6j|r(4gM?JWs9XK12Fm=*BcfR^Y7
zM-2q^`d~<IuC5tAd%MW-KXm-uM`oYxP6^51y<a@c%`*_%S!$!MHUR3<tyRrJ<K}9P
zK~6}`S5sRe!dUgIoSIuBCb@@?A1=_PPmP;Cohj+Et!=y0)=c>rjm1VR`%cXM%)Nx&
zLJx9Vq^l{#<JmdZ3ez~TLGmKpnblz?8k#@SbJJNh>-dS`VWrO)7{y#w5L6Fbt090s
z85owSxg*GeXf+^bxSiU`U#P_ST;=qdYPC@++=sKVq>Dl~WGKJ9)={!+QqR&8)|c>6
z>dVtp%Pf3e>B440J`kS&$POoxQ%2=Uj;QS~AFQ>B3pADENL>Dk536)q2-tTm{eo(`
zZ+r0%jhvKsbqQVD`QBQYyi*PuK98pt7xU-(^5@`ya;hf1V#UKBuw9g2sTf5vAoYoO
zZ<l*-;jgsDi)!0dFZuT78*-zM9zPCJ-%PRXhzNNM&-iYgbeEWTHn-ThS&TSZX`oCx
zKfB<td;+k0wsXyzM~<43SH;u0G3*(_ANsb`4=2iX)WTDEs0NF*e=u}<Vb$z@;G;};
zLmt){s{L@jAjs;K6V7lf<-F(IdR@e_w7X8%AM4(ulZ8f&K^EWMobrG74)<rger+~6
zSj0NY-RNUeQ<GC&i|I;u`sdHL(Os3!b6q3Pu8!$lcJU*V!<5ljfg5qzugZmNbVD4x
zjNd7Z%-b-TZ&4pSq}jP}W3I%b#r>dGUKV9cvHhS~c838r<-1*APhfUv<x_q&dG^4T
zjy%Qn@MF`FN=*3~bA7Zl&gvd@+j>SGm`~O_M++hD<*^_uB!SR)Uq;4i>329T^kMOa
z5xIJckd3ULWp7R<sA;lT&n{1*q8}9_E821TXD8$sT1LiPySg2%dcU#fcDEtsEaNG6
z9wM;+2j+?e*{|h{<BIQZBO~WovK`;!N7R@oOyd(Nnu5V0xy?z()ZKF5q)N5X5Q8>T
z!xc91%bCe)644hpEJkf?wysVEPBWy&NvsH>E$TEMy-8t_tFTRmkjgmEF~z>mVu+P<
zs)2$wVwqj&ZkGrJCICcFBnZy)nTP0>TH}jHBzKpnZy46<fdHrF>ROISH)u8ByoDvz
z5FF+ZyD_)Sf?#5-)YR0(u{uMLk<geMR~*t-e$j=;#ii)S_FAqa2_HRtJwH8xA&<0k
zXlSTkOl(!ky!>okgoD&r-eOUqo6ufBwez}!oSa;@jQmXY`sMXZ&xkBShfhK6z^<yV
zi-foLmh0x-HA@ZU(OU1UohZsx<9v#WqQZkeKR@3;1>xH+LH_B@=>{qYEfZ5-o_^Kf
zP>Jn`F0#gn_xy~D1~kfS^~v!`so`}zkS=o#>kL4J2@4Jm2GPq*a%3mytA|IT*3U6R
z8ZDbnz(tUIU+eyv&X!Y<Re7tHs!9AHqJvS99XMXrUNr$F?8X%P*_O4&E0(B7skT@x
z+4eedbtq3W%ec~9y_|~tV3lTGwvxw+3kFrQgmrUvc6Q4zFAfgYdR67=RU{Rfv}D1D
z0GSU1*|kr5aB<X$&jyIBZk=}xC~_u}hZp)kB`?(NdCT|R$o)4GM%egyvt&;2YG35b
z7bb+dgr0>P9O)@R=lSJYWB45%?{BKZ)|{b*4gFYf0W&hVC$BbJpxwXt*(8%34`3mk
z9Ku11ux!suHmIKgAZ&u9pAOQ#NjA3(4iSBcp(@Zl;{T^<^zQ%IG&-6>Rl=EhFIR4X
zYrk-J3OeliqQHq^i~hy!=T&X{P`{of=Zk(x2y_24HAT!_ck#@AwoE&}!j&MIZl=4f
z`S!>WY)VO8oU?qOJ=dDu*OnG}kWe(BTS8o6VPWYmvC>8~iQkKdFjOSb1w>Z3Xei4#
z0-Ew`kpIGM4M2U?EjIshSXSb3K=I?zpH4V|pRpXZ1EPBmDjZBI8<{=-Jdfq1(5v^p
zvWQG%lZvupbI3^9rGwPd;!Je-L3v1<TgJRGhSqZQ)4O`o!?Shy$c&8Qe-L(>ykd3;
z_TPuAA15TZXAL&C&}I3Ak$XP5gw%UONQR2^9qUzh&Yqo^I+knr>2A{fcV`jUkY`ZC
zi3XLRyEpeCh&$K(h<!Oa$smemSm4qK9f>bNyF+pWdApnX4W!Y0kXp0hS5#z>OUqz7
ziKeYF7CT#Oz4_;k@{vT{f<ZrO(iUoJ-4j{$QG!JqEVeIYwZOd)=51~!+<f$=p7it+
zk2|J?PInV$M-W&wvDve)m=5;gzgP7iz#s3=p^~S8X<}oBaD2`Sn`M5OJ!?ypqh$f9
zS^e(a7a$?Bp|}3jQ%A(b<#cqY_z@?5|1L%#*mCm~0?1dT)&og+T)LS#2D%eBbc<yZ
ze0JS@-4eXFG9d?ChVB|D;;L|>id<4vetjBi_V`OwzTUCj)lRhJ7w;mVZ5~!g%_zrr
zlt#SkNm9@Fp^-6L;N`d5p6Sq9HAS4uuG^dAKz9WjTDN!PwXASA=bL{zjw^$+gy*JK
zt&of0UwYYExfojauu|f+qKZlg=<8WfobW%RZw;0|O&%<@$#$6fA#6RC`%n;C94(EF
zGQpC&<*fL<-NilL;yGw&`JdsyKHh=^$N%)VR0Ox70n)hGPc8O{cr;PvQC--2IsHip
zGqgv@P?{n`6qSRz`0mC8($*`bb{O+o*VoKYxr4}_(2jAwrvAqH+)b&fGTRO-aS={o
zVKk9U?b5&ShkDF%v-_>c(~XZ$l9P>X^;MiFERB6jcT@LYAboP}5~4Rcv-R~_mfni(
zoL17wV<%4Zm?e0nJ+AlV5Ej<auX1tjw;ikXih(v$5R-V;`}gO_q$=PczNOG(a_Vn{
z2AN5KYMuAa2Dv`rtM?T<9z=)3+`V^?mWF1c>&`;RrF-4b|Khh9)PS@Q_U+C>{6~kt
zs?|S|x^rC>Mefz|)Dc|TqmQdN?orOdXbGDfw@NJcj^u7H@}LWuH!6Nd47@`)4bI>~
z&Z3Lw6ZFn&eV8$ViS?^pRrj`MBsJ3%=>3QdL5$g6WRe9)h+C^T<+bK39Qi&jrDM=<
z<bWhw1I@O<BC}w&wPgDzbzx=Di+<+m_j35f`0Gr^Vj#SP%`PjYA=WEb&{%)kb!|_*
zxX3-TyQNW%i}wQgo{*jlh>7vJ$r^gqM#jqMjF<Eo;NZNh{k+vKWD^$dWJRXEmIggs
zsG;0LEfyUgpR+5xzX){*!RcEY6Tyypw?4z+M^x#})07pj>sP|evXGSkHtb%jNTZo`
z7Mtu%*jYOj_`c+U!RTm=u)}+Swgi)>srJS&C!}=>y<eoDK=WfJBLV81IW(J>Nu*xL
zcjY)f2U;?tm3<&P@c#4smf?uV3)Lp;jZ(M%zq|m@EmKnd)G9}~vjFNaP=7#^E{e*M
zJH_97&U)r~(r*!M2zx};nkr}QN{e6&eq60CXiHA~Ak{#b<4l`%nMHp=BD4U)Z3n}Y
zCGh|J@*0IbeDgZMdDQYjDhCQwlO&?y!_WU^4SX2Ue-_dIzYz6bCqyCp{og@TMHKdd
z4#lp!7&?lNw?#shtp>uEL_kDtQ6?Ktokn++wDhe)D`Q&P<aOKYV|3vmAs<Z^t1~kg
z`iAwXmfwy%>>b(@2LirB8nUy^Vc&y>?bgJX7A&bEH@v#&cd$?4*d3RYkwu{=w;JAy
zWgQgmh8mFj;1kQ7FX|UN6BE<&%8Da~{@@E9Y3OxBQ^X0wfkGKuY%WiMgl*-EKhWy=
z3xFijTdrzBsXX&qX%$46eo%s8k*Okd<2%0kAI*nUhX>N3G!q4-17w+|djAl^3(!<E
z`4O)A=+Vb2`Q|<<W{Di6ePLkmdgfalu$4^LrQh3QcY=y-hP1%{(R?%hUyd8W{eP`E
z|K%2(qZQx2Nhy91)1l+iD@c(<8X%t;e?zYygE{i7<@dw{KcZ!Tv;<9)vwxPCv8|@+
zYlI$t=tRehdytgZWWXC#J_3y%<b{~1#}%($9cWFEH2n1GQ$=Y2z%+A!4HdnT%e}x`
zAx~bm87gfZNku8826>J+_vs^T;?-_-<%%lS2b0leA3_0WrYXjzf%gDuYt`-TdIW7D
zMx^0s=!<AV>wRs#Zcjg0Vk@Jn<x?DV=7TN>CqZMu60ij@y`r2&;2)OIY(9GANGL#d
zlbx?MyE}_MbHBd4MEE?oWuPs~X%tY^vX2!FKe~m+Z;{?RouQ{{x>9@>?5$?0wGJlg
z(7Q9x8*dj|3D{Wz;DGojPMo`W8=7!UT80AkqsLGojV=qrnb1duG)=^^Iui#qq1B9W
z)U22Qe+;K#ZS~)G_M|H(T=1(0^M^U1JJTKdzieojTn9jotFf)7=o<UFOZR-u0aKG2
z!I%Q8l)MT$U19wA+2-bE-4e?P1D_pdMqvlmk!t9<UA=j;1EgWWZw(Du00BiDrxhyk
zqu}0wZsN84>LjQx#sky{bQfCzEi?P+M1$pEai+MjT-R)8^2h_t1%!`7fw1t|Ms!a2
zj2Ll`QrK+$g&AO{?sK_i8a3|D9!=pXuqdH_R6hqWifV!5g48IvyO9j1ARVc002t(y
zlw6FQuPOxa=+?NGAYv1+DbvHz&>ChlK8rY!&htEx^2NhR(k*!O+_EPtl}X&)cw^6A
z6lv5|*n->Tyr@eKX?`H=u>puHkzD!&->hZiWFtcWF)JmO37jd~25$Eu-ke0f($ml+
z>lB&dbIV56q@<)O-5?xs?UH*69oL^BrU=z!Y2i3+AaH>fgw;T1j`X86I#lq1M;eyD
z+bX{%4Nj)8HPVeoGDOycPfwV%*ZunY`;U_~WdM`MOmWOY^VUBosI4&HsxQxE^RY7Y
zQ<IXC3g_p50s-&*QLG3y8l>xIVkl@gssW;4nhh3<bpkMcos2j{pzkZOHJg0ha17SN
z5^N)2b5ZhjLvU{1K&eeE0*3PIb_d5jxw*L!eFrn<g<;Z;TsLqXKUlNUCQ3DfSh6n5
z1Ze~_iBA%VH#nwHmThsuhz8k~Ai4O*4a^^x1jjdM7AE&MfF5Jj@$pV{DYt%Q@hD(V
zXMERvXzA*Zj+H+FqIjOy_zgH*A}y)_^=85@kQyPdD#6hdxg#SZW9C*<$s-Njf9Kps
z<@(V3Ew&!ujo{K38F7My@Yx~3bNQ_=6=Rm6_a+<8<;#~Ze@zpHyF@z|t>yLgsPuHR
z(gZrNhYS>%T?2a-&IPEnDlFO|YNj}gDiB#tFp6|b#6-s{XBCN<^f6Kfz^k}M;`@Gt
zzI~AdgaSc?nyGTMn5Y+?3+V~oYA|c0YmJHeeHy$Ih(y`q0uF{B%Ri|BEP@+>uccNl
z@_O`C^Z^M82{4^Ki1doMs>;$r{T2*n8c9-buah|qs>^p?%9)9Yiv#OVFfjzeuMVcH
z4_>4Jg)wd>?~TVu<^yw)gHQs}d+#2t@jygph~A2-GZ)n{TND!r+=eV>JSYI(CPamU
za4VXpv%gQUD1z<z=_F~8sm7N3u&ix&Zxoy;fV+Pd?g7V3t2#6gJ-q$-q>jhtRMcAU
zLp$NPzVfF=feeC5@PAt|_20G4#9Z}+-$S<NNGC$47y*4P`8)vu0ma32#d^Z`yF!tC
zwmjLaBZ2w)>WGN@YQ}VXLc-sz<PZ}Z-W@cV2_xhzxXuObm&ODr3^yZ&3IKsZaWi;)
zCd411N83;n4(m!e@0qjE`xq#^k0^7s<ONYbo9Um?$w2C-o|-h-K&jFKClPPla~ve<
zn%%8AP@<yccMwoq!48B27NWcS=|tRUye)+KR$tw2L}SEM4aNRL<`A1yGp}F0GKXM?
zL{yZp<pfiL)(9F*UXJeW1h77JgYii(n|=WY%Rn5h5gp+J0FJaw@@q&jh-*bq)A#G_
zM6hHp=*FSr?qsmt5Fn9yM%ht-nKHqN*+pXG*Gu=EwZ0w@MXcBELGhWa1bY<J@4LvH
zyx~_)D@Y#N1KZ8Pt+vc7${#djWo3OC+Piaf)R6-PSq6vWYL636ZVtO*wJ=;kzp$&F
zuEYq6RDx*m*_&V(mB-wk0dEtiR<l4P)S-fnJfJ^X1ui2**xp)h;U?k`{0=t6icg#m
z@E{9;%`s+2WC!>~HV{o=!aEE*oOQ%;_u#>M#3}my9bLNUh#jysL_1-~Zt;STm8auf
z1dHVjgX#x}JD~l8_^p~!Zm`)wy6Az<2B3)or@muM&=i4XZ0Q*cT?c`{cyGOKca0mG
zJIV+TKN4+U1!)^{l|Ew9oEN+w3t0mEd3SejIukU2-&(<LL8@+h+7y1S6YBLHNMDgR
z9;W^IV~<v=_dT%&9wxdb)mEA-O8s`-Pl^VL0f<PhIiERo>QoG`iT@7!2}n?7FpZ|Z
zhi6WDkmfs+gC(*AYzEDtSh>$8`VH%!{?(2638C0zf>@<9%E7Q%5B{Z|YBxvu(cmMX
z5|yD96uMzcR~s1YkYeXU2*ZhL0y!-P4;`FBIUqVtLAB?<ha!G0sFX1hUX=(I0Ce%N
zi+gx39y9v)dnuV*KLdo|0$0R)$i2h*hZb%kZjK=~R@Pa_9zP-$yPeX(N`{0waj2}l
zWbW$a%a==>=d@n?`cBL3p+cBV_*tUPKY#M%$!fyhwhSDxUdYE;<>f*M)d#$j4}RfD
z;*=|xU%?}Y)K8?ifJ-aY$}He%W+~7uJiwJsBtL+CDgw+OkQle{=?R57c%?6hDps~a
zB5~PYQkUEO5d_(Hn$YSl7saL61Qy<NM)Q(wX$ZN4d3W`HGU}=G@rf69l<vzn?1RuQ
z^tv+A?G0n*xBqn;B$Ot+{ulksTu9O2(|d_*9SB1<W3}RAUWQy?0}9Eu7I>H@X%R2t
zEH^$r4$dzu*eK7OIg<ig953ND_&5O)0FHQNdU!NHyTzr%8&ntwjBAk8pbh9;uBY9*
z3HA@bLGjx=J5!K2o;^c>nfUV>oj|O!hlj^doirP<FEzzx0uBb4lV&s1Km0XFu15Ee
zU}H5v!ZLxtfloW$J_bY{a2A}2EP$8kLq8xfg6gFSj>gq*G|J}Cx1e9>pZnp`+E!Vy
zB{CgFq`qin)DX}K5s(5AWbyeK1^9Hs{m<UWf_OKF*cT=gL8&HH{n>?x7tXVpX^Y3E
z08TXoSYipR7eutEiQVC^U^Z$T^(Na~Zq~?9`659C^C~;wCFC#jgC#A1nPOnsqrspP
zi~JAgY+y*Pa1Zd}W&N>CT)cQ&-cW+i%CzDwuti^P=Cka++A<{+J6dQWf4SLuxV#hj
z1gO1ViorVE=xkat{N~MJ8YU)N)@bPbiCEJyFj$Rxt|(q^MkFzPpFG<HNHYxRG-w;s
zTOuZyP-A3#e*9@(7wG8Bs4fUS`rxr3Y*aL$00ub)C#PcES_^@{$$CVOSpR;zXoq6^
z%fQ%USh@gK#Dx2>cO8;U>qEO56V_;ur_6L-7U98;$A?t_bCCiR&Y!T6t>9gC&`TFZ
zQnwqlfZe3A9Dof55M!x3ye5FP2z-!EL^^H*Yu4xw;vR$PskJ<k&{<7`Wu69{NIxy?
z5vL#Y!3Vt0mzy`XwoEH7nBly<yaH47MD6X1hoKmpLpO|#jagK|0f3imZl-$VWe?3j
zHcXRxd%B^ouTQVisd<!(h2<-}Kjt)>+<Qn;!g{4eeT1nfLjmkhP&taMV+X8$S&tOr
z{CGBv$on^57S-Lev$MP0%*x8Tjjy%aTUuM=9|JRcB)?E>tx+SDI;0FIFLw`*Sm?mb
zl=oIQWEKI|MGV?&i(^QY$07Z2_cg-6OzNo9B_dr<y4N<GOw(CAkkt{}FyhD_@BT4-
z8bAwxNpx4j7U3;KJX#GhWlxcra?Rc@8L#x+iOz9OV-l(6u?qwehfZON`}#sIWQiMk
z<sGB8<6mC`<xo$M@R|gGksAZO!i#8K@D7)Lz=)d7MKT`rBJY2VM%=k*AXpnXujq$;
z+6~{nAv^$SOF6cSL(~F$Ndt{k2Voze*dccZfJFtK<N2-J7h^UY>qvom{T=cVct(Sf
z#TY8HYri?x($XT!`}XZyeA*RO)_%!m#Z<loR6YO^SzfU2wcX?<8p%lJ*^`DvcW{KE
zC=YxW8+h6C6_n!xfhHvwfcNsV(~gN5`GTbPu&cX!3{cS)(AQ!oCymvC$xh($7D{nK
z<Hgcu`I-RcLX9D%@D{gPS5;QpMmOgVF@I)`+hL@l=Vcus`)PWORlDKv5>TUT*IT&j
zjL8AVF_(e2IUqh;8-Lnsrhvm*q1SeyG!y*gp~hSW)$eV$0O$v>s(*TNpIkgN_TFQS
zU;>WdpCF9sQE}&0?rZ{3G=;^I#=32c`xWUaX|+f?6T+i`uN*mi_$F52(W6H}R?fx4
z-OS*q2eTvptta0O(=ag1700t8e|3c1@pqQzj1*vfA@04%E-MfW=h10!_^GU%NJ2=Z
zB|4k*2o&{w9;mG7lF8aG{I_FgY@Cv5SXaBWvT_SBEf18~Tb-Sqrtp{sL{^v}N|Z<f
z6rj`l%i4XSA+VK_+4B+LbGzTafB%GS4PcF$tEBmhpDdyBr-1>o!L%qECM{yq2X^Ai
z&DZrS`9@Ze8v)Hr{4tq8Djq{g`w2pG$lM*=`|Tx*lI#}6p#?}*X#gIivC*O!+e(*#
z0f~llAUuqnLnCk%AvMz2O&~P4ayxZek!uN|yTkl3(YdkNUMWAQk-g$2iw5}n^TH@^
zfp<{wzW*5>FdiexaVpkVc<XkyMy49#x0r@Q`FB2WVM7rN^8pD72}^(e+<gB0c^a7e
z*x@vPFL6Pnf{WUzL9Z0!Mfh<paMwT({4)HsoEkTQCZxW7_wE*OVqWC$@W$!M<}gxe
z(CB+`YFa^HMW<hm!7Qiu2p@@QI7h?CXtQtse#P6jp9zDg;^ppAs+=Vqc%B}((Ztl0
z36tAo==G?0(o?t`Anf|*qX{Oy70DMe-UGX+U$%cqmBXrq-C#m-5VNFhC1%l<QzPRM
z@Bjrkc}Pa=((j8ZZ669`5+Ag1ZMGa3$dr`y)Q!h|v<UcQ*wPQt=7iH9k;qibPl%ZO
z6K-LKTos}R;z4ufj4^at9wWADAb1xf1dE6<@y;!TwPw2^X4GyDtn^nnGcy~T0!FqY
zFHV5UcDodwumYL@y`AE*OY{f*T1_2A@;^3afOpdpvJ)Zz^wfHJxVaiH9+Urj>FTxs
z8@#78>Aw3+JZ5#st_}|w_~_B24j7$hCbpy1nIR!3?@LL^Vzu)0GNI*HaY1O43CLuk
zY0*I3?#Ew7<jYmS!K++y7pfK|*5HB=B{h@A;%Lp0=&SbND@86u3^HSY6(Z0E*wT0x
zM*9}@0zldNaxNJ}2Xm-^aP7db(hY#N7Pv=7H0VP-fc0uXgG|51oquH2W1&JOSvpWH
zic5bIkH`P1_{ZX{bk3;w>4fyo6t|Bm(D_@heu9VmG_UF-#3PPSq?<ecSe?}YofI24
zpN3wYsX5Z5L!s;$i~^8$5sy)WIgFNSXk%kz7N(x1mMX`jt!+<l#2fHI=Mpb(VFw8z
z`jXBQNsxUJW$3TVI1O5SF~W{%(9oEgnqqtVS1wB_LQFz?+bdhdvN2v8IzT}%^eedi
zf8v?~3nC1+q;|EkwQj)qRRogF2003a%0zCkKpC`z%NPq>sU4hfEWLCy;7Isv9Wn!;
z+2l}Mf>|6zlzU(@>~BvYcjhj}L#{;H!}-<A{=hx7(}|qgc{vA<oxKXKwyvomYXPX+
zSt_KrqU}hR4;n>&D-f66aP$$t3+@+XL8NU5X6O+2^np)CjRd&mlV2|YO<b+@g%O}^
z7Z=4=JML}4zIG|DEHA48eL+0r5D<RtNPY$5^vwoy(8WMUvG!%yfAHWzJb)e&!$;J?
zW{_%nJ{if7jo>ID>J&m?0SMmm;xe>D-fH~Sv<TmPC7~PqHy@D(8C>luYZrB#4nTyM
z2Ew!9TcB)`>+apV=lti_9pEWKEg>986A9k?aB!{{a+T9$(<y0w)sNP&o?tdt17yYz
zsHrDY{mR33Gw@!6T{{hC-*PS)XfoVPa|p0Z`Yh})`G&MOmJdN<ENU$GPbm2ef~i2W
z%Ebn()x$jhx{mmia2-D5U-uM0J}VfohKqg6Yim6Ka=Kc{KwjYHn3bJl6?8`jW)u@7
z#Ot>KpJxKl`$wKg-?wjH_s2W?{aTa}84#k&A9mpaY0jEa%?AO>pfDjoS=^&{ywKLC
zjVPJdOFf6AZPc@U4d;@<=#?5P0L)yt%ChYoB0nLwU?6)!ir4Zj1z%bhsGEptf*3mB
z5M&wDxTiV8)wGAfV#{xUgQo#zv-<Pv%YZJWQ2@)o<9b;*5<iM<24n0JBEz;q9se<&
zpE;SCj6psWI!VsIza2Sv=n&!S>tpbtmF}yviJ-E`t5vF$LLu9kVBS*!gNSiJCsfvA
zc!u9@ba=F(y<HhJEKmjm5EzYL4*Z)Nkhb5sa~U@tmS({C26X+3*G8({)IpsNfs1)h
zjEv$-TdXUut<{VCvmFP2zBzUI3^Q{+hkBYU7HLOAxPz?L^_Wb5%TyK%@{TpLvqF3%
z=f#V+vB)KbwfO;c@Jf1Ds_Wp8bBTDrKr@?zjOHwCEb=e7g=GTHcws#(ersvwpI|z3
z(n4kh##ds2V<(POX~PLu0T0QJ$j@#8tkd!&8l;5`xP^$^jAG4%(TjL)6acA8gTp9?
zl_1aGf*kg9R2o}dQ^W5;vW8r7ZDd*9roZ5hvc#rwQ17@45Cx>c2sVk`<8y?0e%Y3Y
zt;dXr3<;Zz$QJ+e)h<Yti%6UG<)IUW$_#La5GuebJU5WeZ`G?Hxwl;enfR~f1=9zG
zlZp&Xs}gt*GHWQYGa0+xbJvWXJmCWt{{8!Re8tR%7FEN6TxK68P-mf1P&_4@8vrUP
zc3-nZ#_xUJW>5e&4!OPw#)Zj(I?(Izt9Tp)d+W_bNTV>_NB~G@XlTL`7r~{0m^gVG
z%mIjk=+e?DBFmB9ewN!n4@5D*myUy6MfkjK>N(^t1>84N0pgMvz(WdgtD=_JxDAP1
z4d4-OB(>*UGAIbwSXl0Y`iEr|C-oa4vNM-n`A2A)A~z7Q-AVV4`FUaHdKDQ2tU~~a
zLMVpXI`N4@+(6KYq18aoaP0OA-+@j2x9>Zd7ciY_v-0aDH367QAArE_RQV_;B2vW=
zVG6l<2f{)+2nn-rE|HcBsL+V|j(9xX$;2|`&*?2=V0b`!_P`!2Km&6J!Au{b7h&Uo
z6Yz*GFoGG2$5)EPF39Z^Pyr)`pGO=@@qe#6Klst|&z<M1VsTzxZ^PG4c!v1=J>7ry
zhN{X!*!ONy{Tge<i>0_+jB2pHe}z-}zN(t>D_#BVYl*r{U%%yCmHose^-?3_V`bL6
zA1oa5vR9QaMbNQGYslTVG|`FaYNoM_#!Y+g9dq=Vp|Z8i^&xxTp53WwA01nn&+?lY
zA)nq6ux5|nZx_!7h7}f;q^IAd!`}S;X`p3L{QDfsd2MUHw|}2A*Zb7T`p=Va>yEZ#
zZY_E1`adt@J$d&RY?TmZAud_{5({N^UY@URF7QCXd0Qd27wvR_&sZGX?;h5x^JWC`
zOUlOP27y5MsKLn?fA*Ach*ElewcE;{g%MHIZ6zftzVjzix<Y3n;>=Hj)+5Yw=>VXP
z0w=uM{BQ-0rl#hbckhhC&{84I#<FNM&jlH2=_i0vnwp#GpMGtA%MR}er8#}~V?n`5
z3kwTZU{#$JzP^V5OVr<qKGm5Zm5zH1+P>@FZcXRb_U6h{s1<O_Z9f+m7kk2l6tV<O
zZx3Hm(a?AW=<zW~)$EGXpu!FqpALPlz<y6!+P8TNNXtn^#y|kgzoDMZE-ng+wEy$f
zVdY+Afi4_QRY%8yR2>`3U}<HQsFvw%_hhwkZec;%&@ka1>FnK)$;tJXJoZ1+%D%6x
z99&OYBoKHletXl!EBWOc)+N=|F+&?@V-+9v{lV+I&w&+OVqw|G8yygc%&&7Sue|&m
z@GRGr>A;?HAc@x>6ny^eR$~y{*4DP9)NU#+F5Y2TLN!!ZROHy5?|v?uS<?F#a5Soc
z*d``m4PT(__5WSpoz@Q$UjE?H(9qNr7NOl@hJyYgHa7MiDN>g8z0gyPpwlG$LjiA)
ze-|L>9_bLOLXQe)jURDwV#0_d7*h9Af&FD!nIH-d3ng4=eA%-B_od^6p6-K-i2nr7
zu8VsO6WqLo?fL?3fg24R5poC%|DAm-MU4Z@w?3LNm*J-Bv#P49deZvZS_!^{s_sR0
z_BAj>{0gago0XMS;JWnW9nDTb!OfJ^)Js>dHWf7djn*dg;Y)DC)o*pxNz7+=*jmBG
zMF1{P`8b+NtzN;I^EI`$^6O9^IdVr=_dJODCJsS=S1>f})ZL4clFan<^z6#<CypQg
z28(kktocGX<Eb4qeBVc{?7-d}{`W68+-Z=gzj8TL_9PQi5QH!CKDZsu6K7>@{S9&|
z<9p;ikoe&mEmS-e1A`ze_H?!)`{#cm0>|K4HVx;40tEozzM|rZ^cX3nytK4KmL=!G
zZg|Jik`o|{_3rg6G0;4cQc_|GeFWGEPT1A!*Ixw(Q#&{~T!@dnC(C*|SyEeD8%W%-
z%*@PLB9WirN`xGb$&WLDb6V%sg&7zaPBAdNgLo*fsCW#wjNb$X-d9(rdG;Jbd+5-i
zyDXu<;Knz5LY>c^1ncP|KyVUq_~T@%_WPU>UvW4Zxzy9pk&<$8DQ&KQ=-Vf_YR6Zi
zb4zU`xwTpCCtz?`09#kNIUr7fX=|l=jf0zs9>VXImmR_*Ba@1YyYtv-P#6DZ3*XGV
zJQt^<R1~+5?{GWF%fEw>(4wS(vJVL5YFz_P#D#hTMy=#Iem=g#z-oAG2KiLAwAhPv
zbFW^zMsxJ_-K%GgcJ}vQeRc9TX!QG@y#b!s%)!g6hB^r&5s01Wm>3;3P}SGJ0TS?4
z*3)kfpEyA~R_9apU`%%GdC6eTr;>%vN#kY!K?hK(Dk>M@lQVL1&VUr@Vra(q$=HAF
z0vx4NoyyZO??@yUirawm9|XV=J&Sq;f!JvVRq_Dp=^8;Zc@1=>!>A_!@9!SIBqAd6
z3R=7&EmKJ)B|Rtmy1G~<9V-5iNN3~Y<4xB~yH5gdI)-B5=Xd`0z-sJy>OVu7HV)F`
zqC<THO})V>zVjQFV^l;Q*>67S-!n$aAVdWA0^K-<>IXHobL-bqjmJ9bcy;nEE-tE?
znwq8`KX|{Hn3yD%mC;pU7JZ@E=?jC7OpR*Tw!b1@qGMz=GGPHN85F8SHxN+fI5a6X
z;M#xr;=R(x$!O%8jPE>r$N&xg<BxvnznETKTN{TKvZ;~o!-o{xeFsjQ7qhjn;K>2O
z`t$ei2cx5-PwvMsvD~^v1DO%p6$PT}5Ll?2L)HUZ<a<`|jmjgWN#h&rqM{5C$u>4N
z<qlIvA+zp}kb4bkd9Wq-c?JpRNF*L+)5lNvy?b{oTn?!<_N%k1O;Zj<Pf;J$GF9~T
zPXH6BkEyGZl<?UNn4UIOh!^Q87#$uy{`xM3kB?8Xv`TX4ML|J2Ha51CcQ0PQejLtf
zBUBd!hYQ<w+kYnRoH%jfy|5#@1}80HZZ5Y$mrQlN$23sfc_=LGMy@;@0KgrgSnLbf
zW>5sjVQ?;njUOKHe*b$wPj%jWNpl|(@79((qC0gMQw3XDS>5yW6gz+ZyuycGhO=i6
z{i=J2raZv}xp~xFoPz_df$na*#Yy@wq3mZn5><Qb7lwsVw>31nGbAL{Y<l}2uDhyn
zM)X%<xS7OUQK(r0VavoL)a0L<c526X?u?bIp0YAEjM+(q(V*Iu0w(+DQC2xzk!dpK
zot&NqiJ#VW<Ig21hpX=5a5eGdxpU@DMBrx=@GmH!p20<*r0VKn!sxwV^46A$wzePi
z;eUZvcNntWojVj_Vq(^L?Y$6v=?hCS=7%ULjetl#sB(dN7V|18iN$)Pk`@>#HJ~(`
z+8}Wc?7v1A80zOod76f%b96Ka?&_cG)#Rjw?>}Dl+1<_UPIBiX5F}l<H$I`mjvQCG
z=`6zNBohDltHrTQjib;Aef9eFIG{iX*ssv)KCU>eLfV$@gf$6BTlfUlGie70UYIou
zuK>EK-@bkOBN#*V^`D(Mbt>?h(!T?a<_qyC<cOZyse4e>6E3K58nt~)Db9UIn_?sn
PK~w1aN>X`uAHDb=?9~TU