From 83d7cfa76ab7465129415a5d8d2d7fe5bb17807f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 19 Nov 2011 15:18:43 -0800
Subject: [PATCH] Update documentation
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Zones.pm | 2 +-
 docs/bridge-Shorewall-perl.xml | 218 ++++++++++++++++++++++++++++++
 docs/images/veth1.dia | Bin 0 -> 2752 bytes
 docs/images/veth1.png | Bin 0 -> 24496 bytes
 manpages/shorewall-blrules.xml | 12 ++
 manpages/shorewall.conf.xml | 16 ++-
 manpages6/shorewall6-blrules.xml | 12 ++
 manpages6/shorewall6.conf.xml | 18 ++-
 8 files changed, 264 insertions(+), 14 deletions(-)
 create mode 100644 docs/images/veth1.dia
 create mode 100644 docs/images/veth1.png
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index f284d4f3a..30936c1a8 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -444,7 +444,7 @@ sub process_zone( \$ ) {
 $type = IPSEC;
 } elsif ( $type =~ /^bport([46])?$/i ) {
 fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
- warning_message "Bridge Port zones should have a parent zone" unless @parents;
+ warning_message "Bridge Port zones should have a parent zone" unless @parents || $config{ZONE_BITS};
 $type = BPORT;
 push @bport_zones, $zone;
 } elsif ( $type eq 'firewall' ) {
diff --git a/docs/bridge-Shorewall-perl.xml b/docs/bridge-Shorewall-perl.xml
index c4d5c7787..050bcb0d6 100644
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -770,6 +770,224 @@ ACCEPT $FW $DMZ tcp 53 +
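Review bot: In the Zones.pm hunk, `unless @parents || $config{ZONE_BITS}` drops the "should have a parent zone" warning for every bport zone as soon as ZONE_BITS is non-zero, so a bridge-port zone that was simply left without its parent in an otherwise conventional bridge setup is no longer reported at compile time. If the exemption is meant only for the back-to-back veth layout described in the documentation added by this commit, that intent should at least be recorded next to the test, e.g. `# With ZONE_BITS set, bport zones can be told apart by zone mark, so a parent is optional` (reason inferred from the docs hunk; to be confirmed). The subject "Update documentation" also hides that the commit changes compiler behaviour, which matters to anyone auditing why a firewall configuration stopped producing this warning. process_zone begins and ends outside the hunk.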
+ Using Back-to-back veth Devices to Interface with a Bridge + + Beginning with Shorewall 4.4.26, Shorewall has limited support for + using back-to-back veth devices to interface with a bridge. This approach + has the advantage that traffic between any pair of zones can be filtered. + The disadvantage is the complexity of the approach. + + This configuration is shown in the following diagram. + + + + In this configuration, veth0 is assigned the internal IP address; + br0 does not have an IP address. + + Traffic from the net and fw zones to the zonei zones goes thru + veth0->veth1->ethN->. Traffic from the zonei zones to the fw and net zones + takes the reverse path: ethN->veth1->veth0. As a consequence, + traffic between net,fw and zonei goes through Netfilter + twice: once in the routed firewall (eth0,veth0) and once in the bridged + firewall (eth1,eth2,eth3,veth1). + + The back-to-back veth devices (veth0 and veth1) are created using + this command: + + ip link add type veth + + If you have veth devices and want to assign specific names to the + created devices, use this format: + + ip link add name FOO type veth peer name BAR + + Here's an /etc/network/interfaces stanza that configures veth0, + veth1 and the bridge: + + auto veth0 +iface veth0 inet static + address 10.10.10.1 + netmask 255.255.255.0 + network 10.10.10.0 + broadcast 10.10.10.255 + + pre-up /sbin/ip link add name veth0 type veth peer name veth1 + pre-up /sbin/ip link set eth1 up + pre-up /sbin/ip link set eth2 up + + pre-up /sbin/ip link set eth3 up + pre-up /sbin/ip link set veth1 up + pre-up /usr/sbin/brctl addbr br0 + pre-up /usr/sbin/brctl addif br0 eth1 + pre-up /usr/sbin/brctl addif br0 eth2 + pre-up /usr/sbin/brctl addif br0 eth3 + pre-up /usr/sbin/brctl addif br0 veth1 + + pre-down /usr/sbin/brctl delif br0 eth1 + pre-down /sbin/ip link set eth2 down + pre-down /usr/sbin/brctl delif br0 eth2 + pre-down /sbin/ip link set eth2 down + pre-down /usr/sbin/brctl delif br0 eth3 + pre-down 
/sbin/ip link set eth3 down + pre-down /usr/sbin/brctl delif br0 veth1 + pre-down /sbin/ip link set veth1 down + + post-down /usr/sbin/brctl delbr br0 + post-down /sbin/ip link del veth0 + + In shorewall.conf + (5), we need this: + + ZONE_BITS=3 + + This does two things: + + + + It enables automatic packet + marking. + + + + It allows up to 8 marked zones + (2**3). Zones are marked unless they have in + the OPTIONS column of their entry in shorewall-zones (5). + Packets originating in a marked zone have a mark assigned + automatically by Shorewall. + + + + For this configuration, we need several additional zones as shown + here: + + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +fw firewall +net ipv4 +zone1 bport +zone2 bport +zone3 bport +loc ipv4 nomark +col ipv4 nomark + + + col is loc spelled backward. + + + #ZONE INTERFACES BROADCAST OPTIONS +net eth0 ... +- br0 ... +zone1 br0:eth1 ... +zone2 br0:eth2 ... +zone3 br0:eth3 ... +loc veth0 ... +col br0:veth1 ... + + Several things to note here + + + + We have defined two unmarked zones: loc and col. + This allows traffic from the zonei zones to the fw and net zones to + retain the mark of their originating bport zones. It also allows + traffic from the fw and net zones to the zonei zones to retain the fw and net + marks respectively. + + + + That means that traffic entering the bridge on veth1 will have a + different mark value, depending on whether it originated in the + net zone or in the fw zone. + + + + Similarly, traffic arriving on the veth0 interface will have a + mark that indicates which of the zonei zones each packet originated on. + + + + The basic idea here is that we want to filter traffic to the + zonei zones as it leaves veth1 and we + want to filter traffic from those zones as it leaves veth0. 
So we use this + type of polices: + + #SOURCE DEST POLICY +fw loc ACCEPT +net loc ACCEPT +net all DROP:info +zone1 col ACCEPT +zone2 col ACCEPT +zone3 col ACCEPT +all all REJECT:info + + Rules allowing traffic from the net to zone2 look like this: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK +# PORT(S) PORT(S) DEST LIMIT GROUP +ACCEPT col zone2 tcp 22 - - - - net + + or more compactly: + + #ACTION SOURCE DEST PROTO DEST +# PORT(S) +ACCEPT col zone2 tcp 22 ; mark=net + + Similarly, rules allowing traffic from the firewall to zone3: + + #ACTION SOURCE DEST PROTO DEST +# PORT(S) +ACCEPT col zone3 tcp 22 ; mark=fw + + The important point here is that, when ZONE_BITS is non-zero, you + are allowed to place zone names in the MARK column. Shorewall will + automatically replae the name with the zone's mark value. + + Suppose that you want to forward tcp port 80 to 192.168.4.45 in + zone3: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK +# PORT(S) PORT(S) DEST LIMIT GROUP +DNAT- net loc:172.168.4.45 tcp 80 +ACCEPT col zone3:172.168.4.45 tcp 80 - - - - net + + Rules allowing traffic from the zonei zones to the net zone look like this: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK +# PORT(S) PORT(S) DEST LIMIT GROUP +ACCEPT loc net tcp 21 - - - - zone1 + + And to the firewall: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK +# PORT(S) PORT(S) DEST LIMIT GROUP +ACCEPT zone2 col tcp - - - - zone2 +
+
Limitations 
diff --git a/docs/images/veth1.dia b/docs/images/veth1.dia new file mode 100644 index 0000000000000000000000000000000000000000..27727c3917a699ba141595014a23667062576067 GIT binary patch literal 2752 zcmV;x3P1H9iwFP!000021MOX1Z`(K)eebU@+}D)h_s4kB0Xo277nt3B*xBbmwiR1j zSu$ifY35;n`;e3z$F`K%lBh%*3TO+vG>=H#dw4E+N&WoGk5xRn53@~_CO2aQ;CK`! zvveLMi<|L({`l>S9RKq5)6erL_(}g+WWj2rf01m=r+#o5qtWvU=0P5q@5*n3JkO%(HV;QhunKR+(_r>}k)_*YJ}yd? zgi_XA+5oIop zBqII8QB%u9G|!i}KOA*eQTwB#+V7)HG>yZm zyN{B*v+5tass8xsSO(w!yrnf1wbc$0a~ZObT|PuCw$VJ?ykcgDWol|#mc_1L>-FPu z=XOl-)zN@$A>!aM%*yJ&?T6}7`G8Bt83nUEy5D_z)+g!ozu_z|8~g7(NajH{AAK2p zOMi^_Iz+3GXnr&P7d-5&(mYj-(PFrSiEUBEf?rG2>08z=IghDDsIYBM3mSMD5 z=JjC6^c>t@STzHirrA8qUTYczsKh~3L4-KM&ETR$KdIY8&ZrcYcXtprgV-$7huaEa z{Q8Jr%}&>QS3JWv{|JBN&zuvL&WTz(C(*Whg*f0YU9$jTKr+lG`d^B$1r-ggD>uFI z%5Zd4rtYa){eDpHNbZOE64r?Q7e>fBxs@h)6`1*cbQi3m_)*_ekZi`IP5x-8TxuRJ ze*3pDz7O+g7JT`Z#`EXn&gJ)ULIYJ)03f6SA;>sZ91=v@VICUdxyIN8>6iy;^F^`>tDk9@Y*!`CorzMZ3@-DGdwWaAzOla*(k(6h9wlLgX24x(25k!jyHpJv zK+3S;CPkp;CJZD*%Gw~64cTdyCdqA>%x!y`wDPp1zD>mhF(omhwAp=WBbcp^Z>LK6 zUoiDa%pG;nQ_b!=Xb;g<_ZSD!Zm20^ zb25nU{%5q*Bx43Z%_(_m*NLw2Gf`H~C>X83Rgb4>!kGv944jY=uD$Ik|G}%0wW+g+#yn9*6=S0b@P^>qovT@=S>KpZYmylJraQeRn} zUq3Fu6P~M_YP%`DZN_>XOzN5!Jx<{`>w%L;;ItqGC?!4NTQmq0`)13r`g9{DVCT>Nd-}iQZAfJ;tE^zE5+}5rMQNbL|axO z1Td*hLCXW`bfvfiGF-$=f*Gg6!V)qBY6|lu@>wjsWU>yMlMSi#YP>mED4$4@KC}D926RTk#tMwJDRhpz{s39^`>)lX<0%3VWIHji@ z3esBX>4Wle$;+iW8}xiML_We@C?t0t6N!VhloIGZwpE3?eI)HY@NQT zd5Tk7B+^5P+%h5)#ug-iL?~m4oM>bdTVhCDTVh>1t21>BdFmSzgJDG2mnGIk46Rf4 zFa^R!kOE-pbSudYhyy+3O|Z0i#0HlVF@TWawSv zvof62bm5exb~s#1C(TlOSnek_{KQ7RC3;?Z&%9K9nl5Uc$w#C)4pv zV6B~~1k%nkVBqvf-40rJ&MsM`g9Kil!S)4aW{AFq-`7c4!x8ddMWi@`i{L6bv2G61-R;CAT>aAKa%Qb zQ}!~HwrQXrOTCx2iNbN~6evmnm55#`AeGasOo{;_+FcYtSP!EUs{NCiBbT)i5K7*E z9R6pTgdca0FG7-F&XD39G37cUud_;jBG+I}I77?zI7$#Uv?4-Ejc2-Zh&(5!FXGKwcqsBp0<5dCw zdN==ix8c6t&G~d(9hr&FmiwJg#}V_kN?~VM7^jxZFoU9eDwR;eIB~XdVc;nMqSf6yi)-U?!Ws#qlCKt88YqHZweH zx1J;E>CDsFhodv(n9l0vz*^@^BMAs9Ub0Qyo}u%E#DFlbuYf>Wy~F_@#34HOVZMa^ 
z6rEm9(W$jcKO;84&1R%^&N$K%2y=Qxfm4PmQHa)EY_iAX%+J#MS^63)^o%q_MrxfO zkIl+8FGeW0$2C78F_Wl1!5lz)e1z6bWGK4Hzg(vu-BfFpo~4G!Qn-sv`mE5=#PJ?| zR)%)4*rQ*fQZJpnbgDH(&q@Q#Zy=-t?Svt;#(;(3E{RDG!L&Gb%}6JW%P=;$Oj6e~ z=(Vk^D2mKZI%$hSKZEXP(1$sL-jV8QpX^S7*?Y#E=5!hi36#m_EZ~IC<@8dg+WNfC z8DjL+MSeMF&WXr^luT3tdMff%RA+#mi{6xriqCQI7-nBT6(97UMHZ~Se)^7bb9TIYy=%=i=a^%RwV&TrSGlN-9kgVg^B5pNvWDgM*aEn=U2I9iqx8%T_63gzwZYa=@jR%va)7Y*v2FM5M>`hVTtxVvM-2kY@9$+vD6@ii{=Rhq zoorkF?^_Ln&>R20Go0XVGv(j6x}xF#e|yp9>2-8Dxplj*@60^#U`*b_@3r##xNpfl zLWAM<2&rdEJN|hAUP^!gE=k)xy-Y%)%~WCY25#B z&2a3x8zB|W6qc@oNgUVI7jD^qi!p9wMHv(L4(s1KmTCB#a=Nsy-!{zrw@OOJ7Rrmg zo08k;ck#9nH_-<$Ry0Lte6n!v;iF1W|-5!sieo6`H$;F ztl7L$ztD>EIwQJi>G;gceG_FlIcEQL=XCE?riPiVbmmIeb^7Kzk(X!DYkrw#mdPUS z3ek08Bq1WpjG7)wY|7&x$+0{TFEvG@&RqAAo*5a<`nu&-FZKUMQklF0D`{`=^X|9V z*~wyVH++vaAAjB{(B{}%8DM2(Y-R6?CoH*v)DPN8VaMbw-w>c+nwkw8dO>edS3gkY zUl6jW-C@%ajrk;azG`DHZe0MIX{re$t(5MFW?SsC(^*$8u4t1VQ+Q2!dPm@ z_wHn?BcGhb4Yrw>m`)ZVc#JA0BWN88>{s>Rf;8;MccgJ`3!jp&@m##+{ifdp+ULZiu!1gk?P)$FSU=B z@&5}W%C-8E(w8BXnv_J9FBz3Hr#L6pOsadyUERaic5?ao!$}S1Iw|(*hqDqscM>a& zGJf>GK|kc-3;h?2(=1ukyf_w5%5)>O2Xm?7U(kJS=c~h5jM`D>j$4Q8V9+ zW=hjJ8n*GA(Wz5478oLnPOXQ%PM3}}1{&jBl{@F^QjPv3ZKa~peh)FcF0S=S ze%C(d8X;Rfv&c~-yR7MrsMk-*tq00rb4^ysD=NC3JhBsbW7&j`g&z}R8YxdD>BXy4 zEUsUCho7a=#d#%+WT6ZFoa$DS;2<8=K%qWrf6rfB*jdPprKJmoD8Q++FEUw>a5dUjJT6@bTM=x;lwy zsY5D;faB`{0RcWul&)3GT*pvp;_O#1LB>P9{9|n5=TN z=u6^rnEpf_G@PrtH)`O#v)jwFxV-$j^OnF0?6F7&nT*VU-+1s9`T4A8$Rq3aaFXNS zzh`dhZ5=W8=UVRm$*#2Bt4n6|RlOl%nns^0ZAYGQ8B~?nj@;O6x(FyTs_QgxZjgUT zBa|fUNOSMrJ$2uLpdbW&z_Hn8?Fzkik>PW=c5&0Wc)ohN`DlS&b*L{%kFi|~WvtxS|r8%uUB`CJH9(~`t4{ev*W3(Jf9P`vz?%9wD1i<&P*mL9qBCUlUJ^yL1#dYlBl zJNE6MuAtDM)c54i!*i7X-PHSds(ESLRW#09^Tu+!nEyal-JUGY+?7F+W0Gy&N=A}c zcdfsW3auubmg3(OUU@pib-_GHt4lz}hx!2F-w(u|a$&Aw(qhn{ zuLUpUX)`m%vHwM6ae<-coS{cJcX7rsU-6?pq4vK|uwU__8o%@v5rFnNNk2ARDdF!- zD4mmHNTQ!&AERG&OoY;z^!JXJc=(zZsopfwmQcU5LXAlM&EG{mQIy=KEuqPlI9JF@ zK;5$Fzd2eW*3OdI#^~fck+JAY;bB~0{5wbO2YSJY!NoyusZ{5MgkVS{`Ty>E?C8d} 
z*j-FrtO|bAimm^{pGA&@yyV-61hkDWT#9ncb^lguEd{flxCUbu&FIh566}8=to?5? zD!dvr6O4wx@Ba7nS~Bq|WeLIrp^<736|SW2B2tI=6R!Ecv8f{Y+|CKJGEwofLcJye^Jp2+3v_dfT7N=l^|LX{MUmi#8nX8QNB|{>$)i z_P@8v>^zAki7AIxjL_JxQ0rbBS2ux$nxOC;Hgu+`Eet#Kb6ILFjw{yh%>ZF@FYFh7 z{CArY^6129O&AY?xn!|WZxByE9wax!^!bBG9sX{sd;;$!pL}HAi2$8ilyLrY7*>|r~S%zVpjYh)>v+k+4oN#N^Qp& zFnfx;LdA6iQ^)x8-*%}DA@?FVrm#pj%?wufb6@%YyDwfcT?84LHU<}JWtfZq&I8F_ z!=*k#e>Rq^lft?JY8U7Ik zT;Z{lmKn4XIOYzy2J) zQ|V9);ogFKG=P?w?ZQ*7{wpF}%a-uZa2`fyLk1(Wc!>;M9mx+@64v}XOwn28NT-uq zvc#r*bC4L~uG&5f4tLwf9Q{T60d*UqlVVvIF4U{IoLG{7LeAu0+qhDTD~W4}*u>FB z%lNZ2&i^*H8>X3iuMD0b&M4woz`Ed+W`(RsRBl=__&14SBEiPZ!p)RSQ^*ul@@vfdyQQcpF(jjg z=$a%;u(k!tufeqc%@eUxtrBkpj}&C=JgB{I5B@4YE$w889?p<#au@HqdDiKXkYtqb ze_aOs)r%ub_d)emCRMk2tAdH;C7*9sgO66d-Rp|EDnE!=Km%W{dWEFt=uaRq&wjkD zlR9*3QaA8DvwcwwM(7uA_AxgeM0{r8>+wO;w+nA^xm>=j$3cuqy=;M|JJ#1L92tR$+ltGR}Dgle@B(C#TiOh_Qe;dQy(ocLx0_)$!e`KJNJR&(ry8V8A-+OW192sv+OC(U2Qvc=&tJ*u) z_@Mt3laChluUskkb9v>Zx*!H>>YmKN^PWWL-w&37kOl<7k0htSzodx;UR;PwG z%A5DY<5*NROU>nPY8QkT7xMsWTFCI-d~+{bf$Zk}?sjX`7Eb;qzH9s2ICEf$R9=+C z%tOfgzdJls54f-|=;}^9HYmzr50Ky(iqCa*b(K5MN_%Y0e94gV#l^*)YkyA4%*>p# zb}r&PvjpvvVWVHNKk{(e!=U8}mhJZnb}66zEWp5mj^D{5@6jHL+&{fXf9rJ=#;rGDpWa5tJv7AI#&C7 zdEKq^aNPW~#{FxoSOYqz_xImlS?*2D2S`Q6V=U=9n=0abg_gE2S2eN5{pS^!7Fu!l za2S;9>fm+M&^M>+s0FMDU*CMNFkzi(IoBNg_1!(D{LCuYGCBWkUA0)f{9D-Kg1hxw zs+CT>NCi7y$j#0&(`E50>{Bxj04{O(u<^g_h2%3bG3k{(#4`yz6O!;)uPF>|3^@B; z;V=4Pk5no?@*`ng!z=i*h<5S4(q1i@Kh%5ghwItz$B6od z2Jh83VXNOOIp`!ja$v&5G>BQ#y&Ai7Sq2yXF7I=^2iRDKMxdoRQ`&4o)@O1Fae}eX-kwe*v zr1bRaO#x@30jHw&qXlm~w`TI5`SPCYJ>K~K8t!u&dZ57^Wl|yrX*J~GhWFuwH69)w zU#0XP3_{|1$NT17v0nKz?LvLm{ndLkLU!#fAvk&^rnidHzZO|^MPXuM^4gDbzM$mk zU+9RiovPu3#pbOOgwOYIy{%NwgiNcLfp-io@xqWI0}DTY92y4p<;$04+n!ze!p(7K zb91wP_cI473~}haf`DcjDKe7yF_7u(VGG;Oyy~UNLiIL_U6-*?9i#$RG;hW^1__Ty z>rDTI@p0W5?-jZqUs4s{+z##I=J@ZXPEjBHFSU>znX9WSA+2Z(9_bBK3JecVY5^3X zzOX5fI#FwO$sqHc#&pfK@{dH(W*U6o8&q=xUm;LOn~z%Y2nw!N^V03__Qj>px&6s;v1ymdvCEB@ 
zCVpG$)_HKv%*;F&dCjAfz;*Fnu>ms_%41KOA>Foxx%m}?^_9Nl_?1t~`FR?d(rQV( z!7zAiB3h+~4|671pk69@;Md}7A$LcaHco!874K|s*H}<8EsfzfS=XLCc~awd!mm?o%)-VNUQ<)U`OTol#Z2Y(O?lvq-T_lqX+QP@ zGWa|yi$Cm%(-TLft&eU^YXNyC9NqixuTs+n#>}^c&6W=2me_nR_=J#^bGWUZ$Oa9C zVbP^yAlQTOuo9r>ukQ{LMne2GR7G1nc-^nTOx;Marm-)lVTX`(GVi(RBm{b^$V zp;!X?k6t?qWL)}WJUl#*MRs;}T6%kX=Lc~f26MaRH@cl^E}MdUl5PPBRxD`g~fMfHe5B)Wxpoy)lzO*VAKH80ak}C8ZZ# zY+8AQ4?f&~WB2XD{r8%opI>um<*8ABe#QP@C_XuxK^3Rv=T|M$Qua-o@7}SUpBa(f{;hB@^{8Fc=}Q+`CKh8vLfs2w(?Oa=Xa>B#YSno=UVphzo@K z`uNb2O4-2bQ1;1O2r)v`@0i!v*jTqvI}Dis1m>s5YnmUmx$Ge3jvo~23!#`yrUMFY zLn;#!6F+}{pw7NHR-eJwIZV~WUb-q=0!0osUR#=&+v?Z%q)ZBtS-|>>&E z;#WnS9xisiL{YM8slu0F+~um|(1$k#_75UwH{3VAAM{UhQoQ>X`K2`X4yWYbXJV;H}&I)VuzuEEJd;3D3=? zxt0*rvY`f9Y4?DWB4Q%fQm-eD#e1W2%!{pWN9~g&h|rotvP%b6cUJ zI?f3wR3+Ee+022ka=W%r+M-pDi?0rCqsNP!)W^I)2ofE6?=%n57OBX|^~JQlH+G{F zbwLCH4_hNQcSpJ0>I)UGDI#6MvvXizU^(MsYUyaKsm9~c`bqRB=n zu(K0F<>iL0&)DBCsAX(O-$-GwQdc+hSAt|%Y)HLLOfQK`g=VtbsF|y>(?%@A>og^L z<;oSWpSg*;m3FTuEFpJ2d|s_XqCFEIl=!WEbBk|?cjWkXu+>^af@Nmyl4fjuQYVr|n1q-dc)`V;#oBw{rbwTo-Pi|Hzs7Z_Kpq`3X0BywK23Bh|4OlmtS%aus&ymZl$XQo z?hIm}r|)-eI#ZC9Mfe`Bn+;@0VPawBBF{N=igJLmo_LUvWb=Ffr^9$jFc5#wjp{sx z$}Cm?lmq2tE=e3C;#{@o3q+pYS>B|hZoJmF8@Z;A>Wb-Mld1AenGi(3l{1SbW1WGl zJGS^WC=f7Q!0(@|kQPuZbZKd6^|W!>LuI?s0%a5ygaj#M_ccr5C5@N2_x$2w2r!vY zXS}?;=9ZV2`-Yh**&lo$<7qr*1ftvYaD4*Rl*IY!O=X!$1V}UVXRl$LeE4B@KC%-K zRwq4p>NM&av^hb&Yw^~sh-7nRAT!gv=7Nd>Bh__%Y{PawyQ%@FJBsQVlF2mRZ|0cuE^9!EvfE5}c#l2{QW|^Q3i+GHi@S^CkzO+X zF&`fvr%7WP1azroF9iTH1at*&q2#!4P9^(pH6%i+7O&KGr9&lDv$kiaunX2F%EORb zo~O4U(X`*EAdtx<);JZOF;^B?s6URKbecU-YT$Iy9x zIc;5lfa|0utFvf6Hc4!s9Z@|(68AnG?_`)Uc?33xmuM8V*AS7-l|NV?a+;?5o)i- zxIA|(Kd63?&vy3qEV^T^qbfMG7Uh6;q8McQ0cK?5?J&1NPQz)2Tw>=0tO_GFnRDrO z-%iDU=O6N1^$1R?TrL8?*ynLfFySup zg;#%&5-l-EcaDFXeDI0Hf6}s^rgWDH+y9C;%t%A@6f`%7u5hd(G*!ngsaFdAiH?c6 z!)KAqbi;(lpnBv!UK`zC8;ky^Q@q>F6kQT{5r9&d02ozpMm$VuFgS;nPOS(vor?=f z5=)*A6Oj+@EDBKWI?kU@_s6Hk`wRq4GwSc1I&F z+*)@=YDllnW-v&<2e6L1ZA*ikU-U{`#Dr6HlAF$%!8_@5Wx^UJF=3@GdqEw#imUBT4h 
zFJ4t2_S&4+Hadp+kOr`Zy4$>o@i)J{h)( zX~hf%b9%X3`o^Ox3X}oFS%L~%WW4J7Vvo>j7_wPa$>-VxGm{_6zKCB3)DQ_;JUXw< z;5F&9eJx2TDYpXN9tMCHVjk;MfW^KRo6N2QJtoJ`NkpK*z(ce?w-Z%Jw>eTDz$LEX z8*4IFxbk!O!Kz*!wx@SuYoT9U`t9rPZ2>CJ3RWUGR^Cm2xc6cHT;H8GT|09zrqzGc z5UtbV>1$P4*Q|6$g9c`#o@R~H9gq5hX3og%M;I0bJBY|pHQy0^*)rsK7t@7o)k{Sp z0s;%*0@O04)7@4gr6-m@zeepALV8Kjm%jOqV?{=Cii+h96a3JBb$~?V4SjRP3vKli zifsA%%O!D>1|7u{-1aPW(PzGjbUbkbK3k4;ks4)Og+y1)h^jWaM0Z@M7q{%C?p}Yn zsPs(Kp@jjIRlqtOZEYdWjVI4)-Bx}~xHy;U@=Hcu6FBN&udS`>+deqJy2g7~^%x5J zj3x0&l>TnD^Q?Nv?}PUxNZh8`k@VPase|2hWKrh6J6>Mxb+l`Cm2bpYeSO~swNlLYkQ4Sp4hpUZ zq(P2wgSr5)Lh<%(bkGR%d=7s3ZMWdSI*HCFE4>J4PYRtO)%}ugG^0Ant-(AQz&Np? z%yNOV%ogzKf6{Joj#=CL@sXl!ysHdVO< zZl^>%MY_z1cXH0=2V*o#o04u5D0rRFXNUR{ZIdX79FjC&ZH}NS50*ibBy>mDx4=B| zk-Zc->aNJo|7<*E{ZlpqL zcweTw5iyPdg*^XO2=>#^(4A?|*&TrTDSD||;|6sb8YAatkkgYzT^X(W)82S&eD?#w zpu&Ev-)ybstWo>pYk=;2zK0I|nKBw6n0hb2*6~^^tiG~k-2~YE2H>q5yu2|_pFS02 z5RvNAD6Fdg0NfL3qOU>3WIm^5zEJUdxw4U18P04OxTdl-d%zbddla(aqp+EpFgp{P zJ#jIScTGFtD^YGh=oQJqGV%z!X~lT+sFd#Ep6qL`&PUmHVMx5FsFjv))?zXL&7be7 zKS*k{VGm3f%lsA4#!#22Cy~i~bN$)Qbs0h?PDRs5zG%$1!EBQUsa2DYex07vM6xu+ zee5nwa8s=3Yppi2E4D^DPV#nAPEI$k9&SC`DOcWnQdreSwHWIeTgu&gSl!Q@i8l+( zfb{WPNV_A%m#uIf8Qa|;=oGYoCwW1^r2^yxn`REK{0p)-09~NFT-@AL-&yEzb#rU$ z>cSBb5qUw*@hmJ12f8FLA0JI@e<#q!)Yi6v&@@6*fceQcgZmnfi|24|J3GM7t&@C0f##Nm?z!CyeT2MuYJK@PfKWJnEEPit#yctiw~px`T@R&L+E4Slqd!+se%?BUkfDeT@(&eOp z=7@Hts|XAvX;QukKuX;$x4HwvVY~Mh^V^39i~B!Es;5PO3>nUKZg`Ww;wtdSPY3VV zvNr+6kN}#=6US49)@C;FLW-w;`-$q8Ti2>bCj6A|Dd>}FT3~%bT&0^D#mnwB)jsc_ z#guMYRX?Rx@a!)5O>3d%OwLNnQ75`~grU%U5xw#87WP(ZLWTbJSbyHcdk$q6@)J&NJRwbDSg2pEamzOIx#0VpdFh7e z)Y!$kCnz2U=qf01@#Zy6u8Y{vMVmvP2hHETB118seV4CY>W@B7*LjWreyVpfzadhE z9kJ&ZMzU#d(I+~Eu;7}@cbIIdHX3+$skw`4F|@_YQ!2GXzlAF7lwaYR4;GdDk1o!c zkRknJ3}dtL1F?CAv?%!TRgn&4KJEdI_v5FbTY1cg#FH6hOcv-6L^gj z$GZJ0FWnUHuE_iHv-%>lfR1gSrt*Wf)tb>vg~{V60^6sj`|s|4Bnp+FU~1)J?(O<~ zPl~VeP$q2Ww?h!$t2xXPa^1+G+qNsgd zzW{D-q{OVPey>)RIa-M<66726j}a>)PV0sr1Ezf 
zKO&2~rG|$MLZZbz1Za<*1F9VS>d}D5OX4-<;p>ADz}blxtidb29x_B;Ewe4&pG;j7 zS(vfKtA5Q7FA~$3X>s}j2c2gkD)#iKyxC)7*25dm0(&Py`LJ|=^IV_=qua(~BV!#| zKBceYeIGk|S*=vWtR>Z*&C#smlOs5>B3D;!W~w%O_pgV9gou%m%G2?zh$QWc`=%W= z6itoNq?kFrBwYjj#=5snlxt~4d6DltY^(X$BqqV9nW5+KOP_DgAoEyLl|Re!lC~oQ z0|WSFES?ckw*q5%0v4JRDBik&e6kf@F1*$;e&aGqYrsOt63^LH)t@m=h{oj9L{=WskebmvIl6GIcYaDp?cqRbp2*h&~ zP(hQ`&ejmv)t{&>Z$TB%bo3qqx)#mJ;QjosZy(jt#a~a9TeC(DKpBzRYD98xOje8J zs`u0bx2y?*IxL?ekRrC?~PUC+}5UPIbJWwDC!?)MQ=2o%U zrVwe2J}_RzlCI}>SwZB-RjQ`UmZ}YVN2I>;taAAWsYRgS-b>bQCndGcT6O^{q(ZZ`B)0hI6f`8=ZlP!xKzA&Mb1o?yR7S~X zy!yhurce81;x`iOg~p#OY9Ag@mD41)t_tg2ve3(W%8X=ozH~UJZSOKXxfdZ#wdk;c zHq2d!NRC(4ny|jCE`75*!(KDhW$npEQio$AC2uEnb*E^p3;FTo#e;2Cx=gxl>IT>JE%TsJ~3c5>BCnU#Z2Oh5nnr5KvKgRm>+cn|sDTYgBMEtL=y4c* z5`-dOw{fYZ@xJP#Llz@icI|?sHd5_S0?N*jk-ex55YO2Ae`F3PRX`!R(Vri4U;S(9 z7>G3jpvmQ_CEs>&;YE?RKR{B<2b-KM#f=HKuQU!iuO(`-wf(%5*r6sc8f|WlQnvLQYdjkkL>+Vjz=+L9p51n$1KhkD#%Pahi-v!8W}exX(8F7MA?uicgM@2Lbq$_g?Nfx`Gh^2>}JRfUU9s zmB{-OvU*7!nq)wmVNi?~7Z=-fO#I~`Hod{ue6pGyog`#W0q_YB>t@}SG)hOUwCiM5 zMecI+OeDIyGNVkzc&#~L38)47lWx+&!a^&pqFZ{%N7a$C zUX-L~8ZbTb4RWyaouZ?P|245uVw88l&xs$|Mn%L=pMCY*nQD5|1V>@~uqVB2i%sJsSGSntE2 z{e1E1{*%4i0f0xI6L)teIC!pPNQ$013pNBc%08S*-%185p&FEUXw2u=)_S1?;(;4v z#&=7ooZA(((et4mqKv?h(*w>=tUqWA>3$6}+P30!o*CC3=8xzUnz1&&Iw;hFP+LzNryZG3q zC5hFXs*~pX&jZeFijuxVf3(dsrM`mXj+UM0$zQcKT%MTV-=B|_Zz>xejmtExd?d`A zTS{ZQS2&h5B69ZrF7s6i?`qxVYRUX!May%ldm`IhM(D)E#OQ4nKN~kC-|%^!%YgZ; zp4F95x*2G}-luq^UJK7zkD=;(DNr?(Q&S@(pyYlC)@Psz?$$oC1kbWElqRkE0kFFy z3EEz9Tj^g0jlZV0b|_zi0c^>sD>_8o15Q&lEpS>QN!s6M;c}$!W^EYQA5bzbCxz;d zuEmM2*8FNAQK`ky5x2?zsLXa0ot!UK@!%a@?kwm#xx>~;;b+^2a-f6#X;dCI! 
z{*+{R7V*n^w}!{X{%u1))qq5;sb;30mNt)?glDlSGMC{wrCW^AJB4S zIx9K^KRM=<%sA+8N8+ zP3)O{gH)%I*AgRJ2H3!O<;p)vbvj8g=6!ZBwsUxB^>a8EM3r3)O~#*|aE2rAPO1U~ z56V>!{gdQgp8&Wm*uJ?C-vtbYB1b`f>51TJ3YL z&_Er^08<4dM3jXG*yR%I0eX7xrPu;uykE9;eni=!B19IEd#J+;YKzJf`PW62M#l|& z70o%DDD3O{Y#zPU?6CauOMVMw5 zO5{E;{*nYUElg@fIcxJ?WlO&43UzA7sDp^-=!4o`8%NKwR!4)9o!fGwM4F`(d>y@e zs{@okUc+WRni_pVT&=&83O00brPK9a<~~t0HNA$iX~2082-8$(!SB5r+%O`7BRXQP z3z%Ke46N6#1;KQ^2EP)k$LuE9;(?u|FVtt*+DnrLe$4Fjcn1RV89>{7(d>pLX%qhg z^8cO@DyOl&0rDl1UMdBL!EbQ>JXtz*%dW5`uDS!Qj_<~7@6Eu-m<#bv=Fq5>Z?E=M zvax219-lC-*F0J&$#sv22pur7)UuTMHRV1dgBDRIk=vB6lAakNdevja$KDzdkRcD>Ld-=+xWb9ACi8EpE8G0gMVbc$`PDS`Lbx) zdx|QHg&gqg*=W_y2>{*R656Zf0i2-cQ3*8=slUAmTKY1u8R;x-Wzs zzdsznm;gkvrk?gyacUx6RA9ZZWea20oRIWgcq#2v9oy83&Za2qRER73PiCT-LKX>2 zv8jQ;kgheIYy0O&(*vh)&;F&y@|o+Ml~296XTvd7M`=ulNkK?u-l|<>`ft896lG-r ze(@5R7v8{f)b9_gT7A7yD|>N%wsUj@t8vZMU{`tU1sVHokjdVGiVxa%7R)sG>%Puk zvD16wl6h3&IGNBEMm&;rD`Y*8*Vl6)dbqT>L86rDeI>K#r$Suzff=3!LO{h~Qd48x zsOB{SR8oU}lib5|Ej{T9#dJF_nG3d#scF5TZRQ5zwlAE|z?^yvAFS<%Z7`qKS=%cJDpc)fw_ZI9N?sC0X>15 z*HrdJZw0U=OIM%IH z7&u|0oI|zUlJp=DYzRPD?t)cts6bBuT9O#8N@ecFm6a|)#Cr8!e9+)n0TV1}_ca_i zniP~tAY5$09NJ)_Hh;#5P;(6A_Fl}Jnr|PIi`po*cRE)N8om5QBhgu2NKEA$q$U(N zP`wNj;^r8DvxSCAAJ7=)-sfkSgE2@DP#g#cgYdl>f#=@+>AkJLKMDg1Q5TC^;zU03 zMB!c#u-w;1Up^;g{ZTt%04jf3JN>48qMFzg#v8sJ$(moZ7~Ha3QWv|kR#NUjNo?ldXxpVdd(>~x%qtg=C^!JK~@*!*}Ul!Uh z$u?SwpzUpt`GKO#(JeLiJNTvpzR3_p2LD%ZPG~+#d2IO6Qa1_8qy;DW-WxZFLkrx0 zf5$unjAPq-12O`(aeU?D@9t%znOzz#HyeW@bR1<{kKwl9D#yO8t@|lnwkpoIFDH z=s;1rxVbTbSO?@J5uJEDRFmH0Q!joP?|LJmq z(Y{w!ZX5Ek^GMwC=&bj?5{WsdzRxW==BCfv60*;)uuy?H71#`O0H1z9?4Ya@&{3D# zj}^JoWdnbUqHm#Twv#@HP4LA1aVf?Ylh@)ybf-|{ zcd@IR8|Ivw`_hI<E(P=lO4KK z-b*p8Yt>uou9;!qXS!Z=T`hmSXJz+lw|~?Jr1v9Up*b8J9E{E+KUX^NPS4e@WS}T| z*Tv3cBRHX;l%U5+0b4A|s)o4xhl?|%g=@Yi&GjZ&ll#TSQi{J|M@_YS4Pt;jn?*fl zGzc{E6F9nt%6g|#aJr`EZ5q*$hlu0#iJQMu4Nk)*Zlls_umn^m8Z`?tMy37TkzUlePmsnY*El>U`naax_ZiR>w zIhW~j_HA5Trf}CvgUm$P5_t4&Hb?x9V!K@k< 
z+u+TJ5p4DKU~wHp>2eyf8zc&^ai^ljx`dwRF~kGLBCysif)Mdd)G-wpUsSe`My?Bh z*U-X4Os~xEA^?sT*wAiiA;{WVdtC*F;la#haeB%1CIj)-g+c`UfACDQj zU9wJpOo4LIf)HSqNcsu1?Zo;m@GnkGOia0U(V@6G6qg5jDG|LSm3ipvNgxtH(Z!x? zL~e3;)4pX^KKSlSF!yc6Y^S$t_QzbKY3lkXq4H9*0<&=zr8uQ0L78!Jt??Stc+If4 zdSC|rD`GQjI_}^J?=a8F&qp~2P^M+4rZW%yDu*60Dp3RS2cP{S96z-LehP#|!S%Rk z6h0}cS-{`j-K7$=xhyj6t~Ji09QTSW#a$-)!naMN`~2I+l*gnaxzk9Vyg(VlDfgE8 zvGlA>rg1NMfS3-^x<>rh8|(I$HM4IiYd#;ukj5NPWe|3t0$Uq96q+C91JVR_IfEz$ zL6y7q>60hu=O+V!!%cyK^ns_Y03h1|DO2%3#KpqGLNzFcemfl~5)!PC5kNVF8Ht~q zoESdpVL^%a0MP|3ItjrwJZ^~^@72yG^TO}nzu(`Oj<8)L@RBOd zO5iAHoWIy(ETZufmXU6_iZsXeQ^q&Y#PkaSU2~+|S_4|l9sq>n^|j|7AyOL^BM4xP zJbTK(DaZG)`!c8)@&N(Tu-nYR5bf~2;yJ3WyA4Ps(o6a9g3JM**IN@BfJ)lvk1T^q z+AocCF!tRL0+{+>?Xgnat3GKCmE|%P`BTdw3GyNybf-Xj0gWQH&6X%#LIvWc$a53t zwqp;k(3JTZ+6r5QG)lR5;2Ge{Al#!C&504?8SppnxH|Oh@xj4nI z?&<4WN-%ITgXd7?(B$lw4r-o(;X)b0P#rMXY}&_5Es_Cu!iNh>eE__7AB>p{fVFhu z(_;>l1^~hE(9-hTI3J7hhu%YSp}9{-Bgyr1g%$~vXrA?zEI-@)p%^ML|lcp7G&mx;Wdi9nQfM6B7eZ;EC$i7NjWinR@TObcsY@ zW&_N~F1~7M7molh9xxbJQN*ED0J0Ft z!uzPj9x)%y2Fk#cp6v!AuDm*QQ2I2h631vZe^&C#z)WWcOJ;R6twP~t9RHMzn>R(Y zMtV=!RpCb}i-G|jy&@<3k(Q@L2e?r#qU*bucl~~;HC_y7#;o|Uw_szq#S6|+8Z`I_ z$(;0PB*_FyBT(4@6+VDhV^h#G;^W%@g?9J!T!(oD>Po<7Fze|?Q%Ok-K>0G4`P<;r z?uII^VMivz!V(&cfx{0XN8?`lRt(6hCHfDVyvq{rXU7T7v6e3cHF+cRPfx2ZOz+fr ztBE}(ls|u~P7mAft_XTSDXK{dV+cqBzdBtI_9Yq@U=!UyCgg|AD1P;DtU#}gDO$1> zf|(tbJw3I$v3zTF%xHW@&%uw|A6s6+PPR+k;@5rNS|J{)_!?A`CK_=X%B%jV)LYwiK_-|I~~Us@=)qen7V2Dmnf>zH3# zHz#5~=9r`G?eG5qAY(B)@RX^}WFGW!2&61OoPgfOX7QpGq%*DmEekFI%3pFi-$KMWH=ZgF?s$;#SGM0+J&=c3u zK4=f(!TV*^%u@v%C(7pzc{*9blN-$6l2-meLadGzGeGsshFswOb2yaS=u^z=*YY9Q zm6JN#kXbEIe9zfd;7a9~F_VNuYHRE5Yc?^SV7%eC>Z1Z5t?|dl%01oxyXT?IrXB|R z%_8muRR^Us zMcn;n3F|S0cTC4DB>2+EG8rsjt;0p){WR$pb6+ahqDS|G?XSbIJp`w`)B z+_mp$7hYh1ZiAx=$DpB(SJ;voR5{E;sWpS7gen05VM=_DoIEzC^p;KHe*XN4ngrDB zy!j8OtgH+*Gq7B!L<~=kZELW|hyD4gu%KcLXN*MjKn$8^dNEOEaAyYsb2_L)La^J2 z;T+sW>nB}K1z7g(?rxVC4X+tcJ%lx1_hzGLuhZFi+BMtt|mCc7P zy|K)6y?>we#jm-1j7ddAOH@s(tjWIBlK4unoi6^T5_$As6G&)@IwQ8a_ 
z&wdv~!R3Y8ZurJAD+@W^a3P5y62vOPmgcO!6FE$P9*?KcmYSeJ@XiAl(mRK}x>AIgOKO8A3uMNaF71`E}WboNx0MbPZ)$tqkM;w924-`Tvr zPh6Ns3!c|j9T=V!$_74(ks^q`1xUdLFltSy}T=-DR&#Q+MA7r+fL$A>Fh)H)_2ObSg+Y%wYSPd8T{4)xph#~3@=MpBqx88j+O$x_ye3`N-`j6~(J zrHzJW%%grawwj0%N|Q3m+D}@Hq0lBpLRp3uDp|6Ob-d^Mb-nNZ?{z(YJ^j%&=DNT4 z-1j->d+u|8&gUG-Wum0uD+Haa;yiJ62Zy$R9z4GxW`j(^c-@9O{!zF9SG82W6N}jP zphSJ(nBA@6g|v#aFDV~XY5LaXgmdq4ZWHp@USif`12Shb$cx3kHdXQ^u6S*_sl{8X z*@l3{y%Div1IKE1_-*bpqWopjeVMHQ8Yi4EVh!l{O=`tE(?|?rjlC*!g)ia1-L@|jn zt-Uq5vOZu$Jmk{;K1~Y7kR&`KYdda3c1?+f?YDpoSZfAP@}+KA*4{nyIqLNVbwn}n z@}wJsMd5A#mWo(Cy)|m}sCaGstfMR#=f>;#$UAbaRdRaMs5QNw7v6V8i@Z042Qisz zQ>fU}ZSQD&b4CG`#ZH7bjYTZ{K6&fGj~;LSZ+OMn=fSq&yOUj*E)jL?IguIk>7dJ& zpiZzxcX{>IhaU^XqeMn^OuDzKnRH%uM{JBp=2*%lSYr<<>}n;f0+Hdh5rq)jiamL+ z!6bA<7uAq&Rh-|$(vc-jzLDWMFi5i{q5(1wuWu<_=KS8kyw}O`E)ZnQ7|0ebCS%U* zIMQ0Z8(G2$KgSL+xS14cQt{p*Pwf@{s2*sop3NWLwdEq~Gldc{`Vo;c@$8+|hN6R# z^U775KZFtsozX3l_TQ&_NnRUX(2UvA6-_KGMmI@{i>D8K8KKFpmo8gQ=D@)Q+i+ag zD}H9%yW^2&h_!?+4UFA|)0e2k_TrYE^GzkTEp1IZt-pYJ2s=V)wIp-IMd4Lpv0fLZ zn{;PmEs(vsd!eS59(P(Xac;$^8zr#nn}e$#1yw}!th{6Pu-r3HgS*tyv+axG#h6Ob zcI@1<4Lez^t0DogoR>vaKYDy@OpwJW8zQP9JqmXHbbLgf7l{tbSQ=KMYnaheK#e@- zlT6gsMJN1uu8-GD-^LJ+TZN8HK}Viw#PJ>Br+>?UlXTQsQj$jfZowAOkwDmq-ZRvh zKE5pmF1CPY%pU_6%RUGe2jq^Zfn-TxOB4FZ zW4(~s>Xs(E7uH%G%xgmQ7`S9#5w9^JB29GFghgenoa(TB*7>|5HHv7A_g+o$6OrigVEKrlgO;r-+>i_7Ae z;LhxFQPI6u5iJnurmOG{hdtIMl`qX!Da+58{*_1HiO4vVxiqjng+jCzpI7%*Ke7 zH3u;j{Uw_ccA}5hFFk%o#xRFZd-f%v1}qcr<3#tR7uy8=rE*wK7N;q?EYWKp{&u1t z9c&ZNEJ~1&!U|*f9N2jN4~F!W@HASr*m`mQ;x^`*CiLxT3lJ#odcWw~an?a`GbV<4 zW1!yZhQbSp+|-ghf~%h*1TkO+3o4?+;`}89O>9 z@M3gsxPwihJM*^l-ba6q6luU{e3=Uula;Vq`>=Z}&zrB#$1@79>?DOpbXNSdF4t3q zaHl--E}N~8RNrhb^n~|3lcK~fM|P^`nmB5HYIu=K5Jw-MJd__^iU}JZ?0}?M0Z8z9AmzUw{%g+Z>29XBgZke zRW%CUV(QEq{}lm38?iade^c-@!l+u*p}3i2!If$*3d18JCeH;=L}SD|Rt5O05ES+w z+*60@fqnV_TsIIPVF;?A1LwMcoMGA%qXm$tV~3T;?pAuXRNcZloYrHEOn=GcgbJyG zuDsnxylMY1;;S+H$%Z*xZQDF)`tIP$tE#m4M9PGvido7HUn^d|^ptPh>I3qlrx;1H 
zn3}?&zuitO{p4j2A$LGos;?~Y*T?%oaLYk%Wsu&y1{LHcfpcem7T(F)7%W|Vda~cQ zcXl~s+|Sfa-Pg;qjY^AOX_y_9Ctju{oXv>tb(@c+ip{O-o#gt=PdZ!;R*4Vrp*oiq zlcJ192c{1#J|d>07R+J(Oq^DJgqe1sY^aTI`I{7fup@^zDP?Bg1;Dc!ATGfCM7Tb1 zgXapWM*w2Dn5coQEP0h_>W2^R!ihW9?*URiCr@|_V6E~=S&hcLgiAP8rjQV2_h=Gg zhDDEvnVMJk4T=IEHLEOSM{3ZTz9l`B#?w3+i2JnWgEGKqL)|u5n5;K7%|!Cx_kB$Z zoO2x4FaJ`I9dQ7lUkgFkF(}j>`zo*0&W)$$#`H@e7b$t#^!ApPmMmcFLs3FVM`<9G z5UmMpbX6-+*e@Hp>)qXmJz}5n62fe$;Zp|5HD_wNW`F8&#VEv53vO>UZzF>wSa=;q zwW_V2At=3ZHkUjo+M8NZqo94!Zvw)_CqEroq20^*nK%J{Kva#_{^j-K%+BE$ErH#) zkIh<=BTn>g=siWn?QTppec&k>CKe*{Q1Q6#;vtn^2JLn}WXuVG(V z?ccuvrTh+bMT?M5sB`P67}(MMHZ;KB-_FZz;7P1q4``I?dOvihVSbE7lO&c_#z~IS$Li}<#F^F_e?5nD8(UYd8k5Fn)E(d#;oRnn z^55VW;C>4H(YM>>EuYs2RgUld)lsGe)daynLp2Wb=2AbYZa(~uo}8Slr}^{%a9j=o zfI2_*um))D8!!k}3uzPqX;UgUQ>lqG%VJ&9jU&S zAS0*uk5q^vTRBn4S$j&}$|f*yHB#X!Z#kg=FtOMTV3TwKyC!*s5hFeQ+STV&K2HQO zA06lG4gmULAQv;YtyBe zbPqwi47eC50nY#;&mM2@&Wse!R?xhQ zADlRQmm&a{w%8A1-EXfY(mIGt+H$%<%v2Voi(J@r{cJ38u7S!_u(e1l0u{yQddka~h4 z&oV0N^ld;A94hRWEsh>aMf+`t~nErfc!-Ai7Uw8W`K%6)3-%NSA>=8{=Wq{ zY7`64vO;@(0#*OA+Y#}@7Zp1DQ>O2X4vW)>>ZI`Fy?`34Atkm$C=e~m^5I{p%q4h? zNY-tH8w~R4zg8#z5feid%ff4vc@HK2N@6loJBz1}`MGh0kA>q7to+)gm)Tj6f_8K5;7YPLfeos ziE&`dt5=L{YPPrxXpytC^UHD|oInT&Bkf<7U%#$?plrn<$i*A=F19!sWPE6?IvNC3 zgSAjnW*+_3VcViCT-b~eBXC>^-uD~yInn{}5Spy8zCp4D@v}f6AA|b#W7DI72pJJ# zLUUja0KdWRWhLYcuzbimk$g;mjE(`=(yjbn%tCOc-^pEaY1YD+mvfN#DF?DM!U=$) zwLYAX%_3@}*8%PQW0Em5C9l?dm(pj(2i*4Tv4I{YFWrSu#eO+6v(Zw}1qb~q1ab$S zI{)gS+`y5Z>MlsRXwR)BjHbbv3UvlAU%a3|@w&FwSpBc0hX$39A7KR%ppg);c2?1$ z`Zu?Wzyt_rz3126QQ%c?JI&Ti7K}Qyj@t&)0wKd@Q?S@0JapT0D=sD z{2UyEEI`762t4zto!bzUX4&9En{|U@{kfg0-ws%e&!cE<0Qhc0z7d1R<42*<$sg$F zI{s2OFADmgvVz!bc6wZ85|>C)LzSyk9D{p0?-e{N7zyb61C44lQUSg!1DyNx)R2$Tut-C)+A~;>eMH2tQJ?0G($dnF zS#7fPWyDizr-0NvtDeG)n6KZzd;aLJg}jzo^jArsY6Sz?YyZj4V8~}g*Q0|N-=jI=oe^^l#M zZb3EzNb<>$n9GRkJ+G*RkUnoWj%q>}uo18ySb8 sQx-o1NW}#dv_V|q|9$x1b831~&N|_|!8`Mn(1IUBwsYQ5yp6*6AKh$3u>b%7 literal 0 HcmV?d00001 
diff --git a/manpages/shorewall-blrules.xml b/manpages/shorewall-blrules.xml index 36456d9b2..3145e5158 100644 --- a/manpages/shorewall-blrules.xml +++ b/manpages/shorewall-blrules.xml @@ -59,6 +59,18 @@ rule. Must be one of the following. + + blacklog + + + May only be used if BLACKLIST_LOGLEVEL is specified in + shorewall.conf (5). + Logs, audits (if specified) and applies the + BLACKLIST_DISPOSITION specified in shorewall.conf (5). + + + ACCEPT|CONTINUE|WHITELIST diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 6bb401e3f..1ff32eacc 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -332,9 +332,11 @@ AUDIT_TARGET in the kernel and iptables. The BLACKLIST_DISPOSITION setting has no effect on entries in - the shorewall-blrules - (5) file or in the BLACKLIST section of shorewall-rules (5). + the BLACKLIST section of shorewall-rules (5). It + determines the disposition of packets sent to the blacklog target of shorewall-blrules (5). @@ -349,9 +351,11 @@ BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in - the shorewall-blrules - (5) file or in the BLACKLIST section of shorewall-rules (5). + the BLACKLIST section of shorewall-rules (5). It + determines the log level of packets sent to the blacklog target of shorewall-blrules(5). diff --git a/manpages6/shorewall6-blrules.xml b/manpages6/shorewall6-blrules.xml index f6ffa154d..15296b27f 100644 --- a/manpages6/shorewall6-blrules.xml +++ b/manpages6/shorewall6-blrules.xml @@ -60,6 +60,18 @@ rule. Must be one of the following. + + blacklog + + + May only be used if BLACKLIST_LOGLEVEL is specified in + shorewall6.conf (5). + Logs, audits (if specified) and applies the + BLACKLIST_DISPOSITION specified in shorewall6.conf (5). + + + ACCEPT|CONTINUE|WHITELIST 
diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index 7e6931d86..af1920814 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml @@ -262,10 +262,12 @@ be dropped or REJECT if the packets are to be replied with an ICMP port unreachable reply or a TCP RST (tcp only). If you do not assign a value or if you assign an empty value then DROP is assumed. The - BLACKLIST_DISPOSITION setting has no effect on entries in the shorewall-blrules (5) file or in the BLACKLIST - section of shorewall6-rules (5). + BLACKLIST_DISPOSITION setting has no effect on entries in the + BLACKLIST section of shorewall6-rules (5). It + determines the disposition of packets sent to the blacklog target of shorewall6-blrules(5). @@ -280,9 +282,11 @@ BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in - the shorewall-blrules (5) file and in the - BLACKLIST section of shorewall6-rules (5). + the BLACKLIST section of shorewall6-rules (5). It + determines the log level of packets sent to the blacklog target of shorewall6-blrules(5).