@push.rocks/smartproxy 12.0.0 → 13.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist_ts/00_commitinfo_data.js +1 -1
- package/dist_ts/certificate/acme/acme-factory.d.ts +17 -0
- package/dist_ts/certificate/acme/acme-factory.js +40 -0
- package/dist_ts/certificate/acme/challenge-handler.d.ts +44 -0
- package/dist_ts/certificate/acme/challenge-handler.js +92 -0
- package/dist_ts/certificate/acme/index.d.ts +4 -0
- package/dist_ts/certificate/acme/index.js +5 -0
- package/dist_ts/certificate/events/certificate-events.d.ts +33 -0
- package/dist_ts/certificate/events/certificate-events.js +38 -0
- package/dist_ts/certificate/index.d.ts +24 -0
- package/dist_ts/certificate/index.js +39 -0
- package/dist_ts/certificate/models/certificate-types.d.ts +77 -0
- package/dist_ts/certificate/models/certificate-types.js +2 -0
- package/dist_ts/certificate/providers/cert-provisioner.d.ts +93 -0
- package/dist_ts/certificate/providers/cert-provisioner.js +262 -0
- package/dist_ts/certificate/providers/index.d.ts +4 -0
- package/dist_ts/certificate/providers/index.js +5 -0
- package/dist_ts/certificate/storage/file-storage.d.ts +66 -0
- package/dist_ts/certificate/storage/file-storage.js +194 -0
- package/dist_ts/certificate/storage/index.d.ts +4 -0
- package/dist_ts/certificate/storage/index.js +5 -0
- package/dist_ts/certificate/utils/certificate-helpers.d.ts +17 -0
- package/dist_ts/certificate/utils/certificate-helpers.js +45 -0
- package/dist_ts/common/eventUtils.d.ts +1 -1
- package/dist_ts/common/port80-adapter.d.ts +1 -1
- package/dist_ts/core/events/index.d.ts +4 -0
- package/dist_ts/core/events/index.js +5 -0
- package/dist_ts/core/index.d.ts +6 -0
- package/dist_ts/core/index.js +8 -0
- package/dist_ts/core/models/common-types.d.ts +82 -0
- package/dist_ts/core/models/common-types.js +15 -0
- package/dist_ts/core/models/index.d.ts +4 -0
- package/dist_ts/core/models/index.js +5 -0
- package/dist_ts/core/utils/event-utils.d.ts +15 -0
- package/dist_ts/core/utils/event-utils.js +19 -0
- package/dist_ts/core/utils/index.d.ts +6 -0
- package/dist_ts/core/utils/index.js +7 -0
- package/dist_ts/core/utils/ip-utils.d.ts +53 -0
- package/dist_ts/core/utils/ip-utils.js +153 -0
- package/dist_ts/core/utils/validation-utils.d.ts +61 -0
- package/dist_ts/core/utils/validation-utils.js +149 -0
- package/dist_ts/forwarding/config/domain-config.d.ts +12 -0
- package/dist_ts/forwarding/config/domain-config.js +12 -0
- package/dist_ts/forwarding/config/domain-manager.d.ts +86 -0
- package/dist_ts/forwarding/config/domain-manager.js +242 -0
- package/dist_ts/forwarding/config/forwarding-types.d.ts +104 -0
- package/dist_ts/forwarding/config/forwarding-types.js +50 -0
- package/dist_ts/forwarding/config/index.d.ts +6 -0
- package/dist_ts/forwarding/config/index.js +7 -0
- package/dist_ts/forwarding/factory/forwarding-factory.d.ts +25 -0
- package/dist_ts/forwarding/factory/forwarding-factory.js +138 -0
- package/dist_ts/forwarding/factory/index.d.ts +4 -0
- package/dist_ts/forwarding/factory/index.js +5 -0
- package/dist_ts/forwarding/handlers/base-handler.d.ts +55 -0
- package/dist_ts/forwarding/handlers/base-handler.js +94 -0
- package/dist_ts/forwarding/handlers/http-handler.d.ts +30 -0
- package/dist_ts/forwarding/handlers/http-handler.js +131 -0
- package/dist_ts/forwarding/handlers/https-passthrough-handler.d.ts +29 -0
- package/dist_ts/forwarding/handlers/https-passthrough-handler.js +162 -0
- package/dist_ts/forwarding/handlers/https-terminate-to-http-handler.d.ts +36 -0
- package/dist_ts/forwarding/handlers/https-terminate-to-http-handler.js +229 -0
- package/dist_ts/forwarding/handlers/https-terminate-to-https-handler.d.ts +35 -0
- package/dist_ts/forwarding/handlers/https-terminate-to-https-handler.js +254 -0
- package/dist_ts/forwarding/handlers/index.d.ts +8 -0
- package/dist_ts/forwarding/handlers/index.js +9 -0
- package/dist_ts/forwarding/index.d.ts +19 -0
- package/dist_ts/forwarding/index.js +25 -0
- package/dist_ts/http/index.d.ts +15 -0
- package/dist_ts/http/index.js +20 -0
- package/dist_ts/http/models/http-types.d.ts +81 -0
- package/dist_ts/http/models/http-types.js +62 -0
- package/dist_ts/http/port80/acme-interfaces.d.ts +78 -0
- package/dist_ts/http/port80/acme-interfaces.js +6 -0
- package/dist_ts/http/port80/challenge-responder.d.ts +53 -0
- package/dist_ts/http/port80/challenge-responder.js +203 -0
- package/dist_ts/http/port80/index.d.ts +6 -0
- package/dist_ts/http/port80/index.js +9 -0
- package/dist_ts/http/port80/port80-handler.d.ts +121 -0
- package/dist_ts/http/port80/port80-handler.js +554 -0
- package/dist_ts/http/redirects/index.d.ts +4 -0
- package/dist_ts/http/redirects/index.js +5 -0
- package/dist_ts/http/router/index.d.ts +4 -0
- package/dist_ts/http/router/index.js +5 -0
- package/dist_ts/http/router/proxy-router.d.ts +115 -0
- package/dist_ts/http/router/proxy-router.js +325 -0
- package/dist_ts/index.d.ts +15 -8
- package/dist_ts/index.js +26 -10
- package/dist_ts/networkproxy/classes.np.certificatemanager.js +2 -2
- package/dist_ts/networkproxy/index.d.ts +1 -6
- package/dist_ts/networkproxy/index.js +4 -8
- package/dist_ts/plugins.d.ts +2 -1
- package/dist_ts/plugins.js +3 -2
- package/dist_ts/port80handler/classes.port80handler.d.ts +8 -136
- package/dist_ts/port80handler/classes.port80handler.js +14 -567
- package/dist_ts/proxies/index.d.ts +6 -0
- package/dist_ts/proxies/index.js +8 -0
- package/dist_ts/proxies/network-proxy/certificate-manager.d.ts +77 -0
- package/dist_ts/proxies/network-proxy/certificate-manager.js +373 -0
- package/dist_ts/proxies/network-proxy/connection-pool.d.ts +47 -0
- package/dist_ts/proxies/network-proxy/connection-pool.js +210 -0
- package/dist_ts/proxies/network-proxy/index.d.ts +10 -0
- package/dist_ts/proxies/network-proxy/index.js +12 -0
- package/dist_ts/proxies/network-proxy/models/index.d.ts +4 -0
- package/dist_ts/proxies/network-proxy/models/index.js +5 -0
- package/dist_ts/proxies/network-proxy/models/types.d.ts +80 -0
- package/dist_ts/proxies/network-proxy/models/types.js +35 -0
- package/dist_ts/proxies/network-proxy/network-proxy.d.ts +118 -0
- package/dist_ts/proxies/network-proxy/network-proxy.js +387 -0
- package/dist_ts/proxies/network-proxy/request-handler.d.ts +57 -0
- package/dist_ts/proxies/network-proxy/request-handler.js +394 -0
- package/dist_ts/proxies/network-proxy/websocket-handler.d.ts +38 -0
- package/dist_ts/proxies/network-proxy/websocket-handler.js +188 -0
- package/dist_ts/proxies/nftables-proxy/index.d.ts +5 -0
- package/dist_ts/proxies/nftables-proxy/index.js +6 -0
- package/dist_ts/proxies/nftables-proxy/models/errors.d.ts +15 -0
- package/dist_ts/proxies/nftables-proxy/models/errors.js +28 -0
- package/dist_ts/proxies/nftables-proxy/models/index.d.ts +5 -0
- package/dist_ts/proxies/nftables-proxy/models/index.js +6 -0
- package/dist_ts/proxies/nftables-proxy/models/interfaces.d.ts +75 -0
- package/dist_ts/proxies/nftables-proxy/models/interfaces.js +5 -0
- package/dist_ts/proxies/nftables-proxy/nftables-proxy.d.ts +136 -0
- package/dist_ts/proxies/nftables-proxy/nftables-proxy.js +1516 -0
- package/dist_ts/proxies/smart-proxy/connection-handler.d.ts +39 -0
- package/dist_ts/proxies/smart-proxy/connection-handler.js +894 -0
- package/dist_ts/proxies/smart-proxy/connection-manager.d.ts +78 -0
- package/dist_ts/proxies/smart-proxy/connection-manager.js +378 -0
- package/dist_ts/proxies/smart-proxy/domain-config-manager.d.ts +95 -0
- package/dist_ts/proxies/smart-proxy/domain-config-manager.js +255 -0
- package/dist_ts/proxies/smart-proxy/index.d.ts +13 -0
- package/dist_ts/proxies/smart-proxy/index.js +17 -0
- package/dist_ts/proxies/smart-proxy/models/index.d.ts +4 -0
- package/dist_ts/proxies/smart-proxy/models/index.js +5 -0
- package/dist_ts/proxies/smart-proxy/models/interfaces.d.ts +107 -0
- package/dist_ts/proxies/smart-proxy/models/interfaces.js +2 -0
- package/dist_ts/proxies/smart-proxy/network-proxy-bridge.d.ts +62 -0
- package/dist_ts/proxies/smart-proxy/network-proxy-bridge.js +316 -0
- package/dist_ts/proxies/smart-proxy/port-range-manager.d.ts +56 -0
- package/dist_ts/proxies/smart-proxy/port-range-manager.js +176 -0
- package/dist_ts/proxies/smart-proxy/security-manager.d.ts +64 -0
- package/dist_ts/proxies/smart-proxy/security-manager.js +149 -0
- package/dist_ts/proxies/smart-proxy/smart-proxy.d.ts +63 -0
- package/dist_ts/proxies/smart-proxy/smart-proxy.js +523 -0
- package/dist_ts/proxies/smart-proxy/timeout-manager.d.ts +47 -0
- package/dist_ts/proxies/smart-proxy/timeout-manager.js +154 -0
- package/dist_ts/proxies/smart-proxy/tls-manager.d.ts +57 -0
- package/dist_ts/proxies/smart-proxy/tls-manager.js +132 -0
- package/dist_ts/smartproxy/classes.pp.networkproxybridge.d.ts +2 -2
- package/dist_ts/smartproxy/classes.pp.networkproxybridge.js +1 -1
- package/dist_ts/smartproxy/classes.pp.tlsmanager.js +2 -2
- package/dist_ts/smartproxy/classes.smartproxy.js +3 -3
- package/dist_ts/tls/alerts/index.d.ts +4 -0
- package/dist_ts/tls/alerts/index.js +5 -0
- package/dist_ts/tls/alerts/tls-alert.d.ts +150 -0
- package/dist_ts/tls/alerts/tls-alert.js +226 -0
- package/dist_ts/tls/index.d.ts +18 -0
- package/dist_ts/tls/index.js +27 -0
- package/dist_ts/tls/sni/client-hello-parser.d.ts +100 -0
- package/dist_ts/tls/sni/client-hello-parser.js +463 -0
- package/dist_ts/tls/sni/index.d.ts +4 -0
- package/dist_ts/tls/sni/index.js +5 -0
- package/dist_ts/tls/sni/sni-extraction.d.ts +58 -0
- package/dist_ts/tls/sni/sni-extraction.js +275 -0
- package/dist_ts/tls/sni/sni-handler.d.ts +154 -0
- package/dist_ts/tls/sni/sni-handler.js +191 -0
- package/dist_ts/tls/utils/index.d.ts +4 -0
- package/dist_ts/tls/utils/index.js +5 -0
- package/dist_ts/tls/utils/tls-utils.d.ts +158 -0
- package/dist_ts/tls/utils/tls-utils.js +187 -0
- package/package.json +1 -1
- package/readme.md +89 -21
- package/readme.plan.md +253 -469
- package/ts/00_commitinfo_data.ts +1 -1
- package/ts/certificate/acme/acme-factory.ts +48 -0
- package/ts/certificate/acme/challenge-handler.ts +110 -0
- package/ts/certificate/acme/index.ts +3 -0
- package/ts/certificate/events/certificate-events.ts +36 -0
- package/ts/certificate/index.ts +67 -0
- package/ts/certificate/models/certificate-types.ts +88 -0
- package/ts/certificate/providers/cert-provisioner.ts +326 -0
- package/ts/certificate/providers/index.ts +3 -0
- package/ts/certificate/storage/file-storage.ts +234 -0
- package/ts/certificate/storage/index.ts +3 -0
- package/ts/certificate/utils/certificate-helpers.ts +50 -0
- package/ts/common/eventUtils.ts +1 -1
- package/ts/common/port80-adapter.ts +1 -1
- package/ts/core/events/index.ts +3 -0
- package/ts/core/index.ts +8 -0
- package/ts/core/models/common-types.ts +91 -0
- package/ts/core/models/index.ts +5 -0
- package/ts/core/utils/event-utils.ts +34 -0
- package/ts/core/utils/index.ts +7 -0
- package/ts/core/utils/ip-utils.ts +175 -0
- package/ts/core/utils/validation-utils.ts +177 -0
- package/ts/{smartproxy/forwarding → forwarding/config}/domain-config.ts +1 -1
- package/ts/{smartproxy/forwarding → forwarding/config}/domain-manager.ts +8 -8
- package/ts/{smartproxy/types/forwarding.types.ts → forwarding/config/forwarding-types.ts} +6 -6
- package/ts/forwarding/config/index.ts +7 -0
- package/ts/{smartproxy/forwarding/forwarding.factory.ts → forwarding/factory/forwarding-factory.ts} +12 -11
- package/ts/forwarding/factory/index.ts +5 -0
- package/ts/{smartproxy/forwarding/forwarding.handler.ts → forwarding/handlers/base-handler.ts} +2 -2
- package/ts/{smartproxy/forwarding/http.handler.ts → forwarding/handlers/http-handler.ts} +13 -4
- package/ts/{smartproxy/forwarding/https-passthrough.handler.ts → forwarding/handlers/https-passthrough-handler.ts} +13 -4
- package/ts/{smartproxy/forwarding/https-terminate-to-http.handler.ts → forwarding/handlers/https-terminate-to-http-handler.ts} +3 -3
- package/ts/{smartproxy/forwarding/https-terminate-to-https.handler.ts → forwarding/handlers/https-terminate-to-https-handler.ts} +3 -3
- package/ts/forwarding/handlers/index.ts +9 -0
- package/ts/forwarding/index.ts +34 -0
- package/ts/http/index.ts +23 -0
- package/ts/http/models/http-types.ts +105 -0
- package/ts/http/port80/acme-interfaces.ts +85 -0
- package/ts/http/port80/challenge-responder.ts +246 -0
- package/ts/http/port80/index.ts +13 -0
- package/ts/{port80handler/classes.port80handler.ts → http/port80/port80-handler.ts} +164 -161
- package/ts/http/redirects/index.ts +3 -0
- package/ts/http/router/index.ts +5 -0
- package/ts/{classes.router.ts → http/router/proxy-router.ts} +27 -20
- package/ts/index.ts +32 -9
- package/ts/plugins.ts +2 -1
- package/ts/proxies/index.ts +8 -0
- package/ts/{networkproxy/classes.np.certificatemanager.ts → proxies/network-proxy/certificate-manager.ts} +17 -16
- package/ts/{networkproxy/classes.np.connectionpool.ts → proxies/network-proxy/connection-pool.ts} +3 -3
- package/ts/proxies/network-proxy/index.ts +13 -0
- package/ts/proxies/network-proxy/models/index.ts +4 -0
- package/ts/{networkproxy/classes.np.types.ts → proxies/network-proxy/models/types.ts} +7 -11
- package/ts/{networkproxy/classes.np.networkproxy.ts → proxies/network-proxy/network-proxy.ts} +31 -24
- package/ts/{networkproxy/classes.np.requesthandler.ts → proxies/network-proxy/request-handler.ts} +12 -7
- package/ts/{networkproxy/classes.np.websockethandler.ts → proxies/network-proxy/websocket-handler.ts} +6 -6
- package/ts/proxies/nftables-proxy/index.ts +5 -0
- package/ts/proxies/nftables-proxy/models/errors.ts +30 -0
- package/ts/proxies/nftables-proxy/models/index.ts +5 -0
- package/ts/proxies/nftables-proxy/models/interfaces.ts +94 -0
- package/ts/{nfttablesproxy/classes.nftablesproxy.ts → proxies/nftables-proxy/nftables-proxy.ts} +24 -126
- package/ts/{smartproxy/classes.pp.connectionhandler.ts → proxies/smart-proxy/connection-handler.ts} +12 -12
- package/ts/{smartproxy/classes.pp.connectionmanager.ts → proxies/smart-proxy/connection-manager.ts} +8 -8
- package/ts/{smartproxy/classes.pp.domainconfigmanager.ts → proxies/smart-proxy/domain-config-manager.ts} +15 -14
- package/ts/proxies/smart-proxy/index.ts +18 -0
- package/ts/proxies/smart-proxy/models/index.ts +4 -0
- package/ts/{smartproxy/classes.pp.interfaces.ts → proxies/smart-proxy/models/interfaces.ts} +12 -8
- package/ts/{smartproxy/classes.pp.networkproxybridge.ts → proxies/smart-proxy/network-proxy-bridge.ts} +14 -14
- package/ts/{smartproxy/classes.pp.portrangemanager.ts → proxies/smart-proxy/port-range-manager.ts} +1 -1
- package/ts/{smartproxy/classes.pp.securitymanager.ts → proxies/smart-proxy/security-manager.ts} +3 -3
- package/ts/{smartproxy/classes.smartproxy.ts → proxies/smart-proxy/smart-proxy.ts} +29 -24
- package/ts/{smartproxy/classes.pp.timeoutmanager.ts → proxies/smart-proxy/timeout-manager.ts} +3 -3
- package/ts/{smartproxy/classes.pp.tlsmanager.ts → proxies/smart-proxy/tls-manager.ts} +3 -3
- package/ts/tls/alerts/index.ts +3 -0
- package/ts/{smartproxy/classes.pp.tlsalert.ts → tls/alerts/tls-alert.ts} +44 -43
- package/ts/tls/index.ts +33 -0
- package/ts/tls/sni/client-hello-parser.ts +629 -0
- package/ts/tls/sni/index.ts +3 -0
- package/ts/tls/sni/sni-extraction.ts +353 -0
- package/ts/tls/sni/sni-handler.ts +264 -0
- package/ts/tls/utils/index.ts +3 -0
- package/ts/tls/utils/tls-utils.ts +201 -0
- package/ts/common/acmeFactory.ts +0 -23
- package/ts/helpers.certificates.ts +0 -30
- package/ts/networkproxy/index.ts +0 -7
- package/ts/smartproxy/classes.pp.certprovisioner.ts +0 -200
- package/ts/smartproxy/classes.pp.snihandler.ts +0 -1281
- package/ts/smartproxy/forwarding/index.ts +0 -52
|
@@ -0,0 +1,1516 @@
|
|
|
1
|
+
import { exec, execSync } from 'child_process';
|
|
2
|
+
import { promisify } from 'util';
|
|
3
|
+
import * as fs from 'fs';
|
|
4
|
+
import * as path from 'path';
|
|
5
|
+
import * as os from 'os';
|
|
6
|
+
import { NftBaseError, NftValidationError, NftExecutionError, NftResourceError } from './models/index.js';
|
|
7
|
+
const execAsync = promisify(exec);
|
|
8
|
+
/**
|
|
9
|
+
* NfTablesProxy sets up nftables NAT rules to forward TCP traffic.
|
|
10
|
+
* Enhanced with multi-port support, IPv6, connection tracking, metrics,
|
|
11
|
+
* and more advanced features.
|
|
12
|
+
*/
|
|
13
|
+
export class NfTablesProxy {
|
|
14
|
+
static { this.NFT_CMD = 'nft'; }
|
|
15
|
+
constructor(settings) {
|
|
16
|
+
this.rules = [];
|
|
17
|
+
this.ipSets = new Map(); // Store IP sets for tracking
|
|
18
|
+
// Validate inputs to prevent command injection
|
|
19
|
+
this.validateSettings(settings);
|
|
20
|
+
// Set default settings
|
|
21
|
+
this.settings = {
|
|
22
|
+
...settings,
|
|
23
|
+
toHost: settings.toHost || 'localhost',
|
|
24
|
+
protocol: settings.protocol || 'tcp',
|
|
25
|
+
enableLogging: settings.enableLogging !== undefined ? settings.enableLogging : false,
|
|
26
|
+
ipv6Support: settings.ipv6Support !== undefined ? settings.ipv6Support : false,
|
|
27
|
+
tableName: settings.tableName || 'portproxy',
|
|
28
|
+
logFormat: settings.logFormat || 'plain',
|
|
29
|
+
useIPSets: settings.useIPSets !== undefined ? settings.useIPSets : true,
|
|
30
|
+
maxRetries: settings.maxRetries || 3,
|
|
31
|
+
retryDelayMs: settings.retryDelayMs || 1000,
|
|
32
|
+
useAdvancedNAT: settings.useAdvancedNAT !== undefined ? settings.useAdvancedNAT : false,
|
|
33
|
+
};
|
|
34
|
+
// Generate a unique identifier for the rules added by this instance
|
|
35
|
+
this.ruleTag = `NfTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`;
|
|
36
|
+
// Set table name
|
|
37
|
+
this.tableName = this.settings.tableName || 'portproxy';
|
|
38
|
+
// Create a temp file path for batch operations
|
|
39
|
+
this.tempFilePath = path.join(os.tmpdir(), `nft-rules-${Date.now()}.nft`);
|
|
40
|
+
// Register cleanup handlers if deleteOnExit is true
|
|
41
|
+
if (this.settings.deleteOnExit) {
|
|
42
|
+
const cleanup = () => {
|
|
43
|
+
try {
|
|
44
|
+
this.stopSync();
|
|
45
|
+
}
|
|
46
|
+
catch (err) {
|
|
47
|
+
this.log('error', 'Error cleaning nftables rules on exit:', { error: err.message });
|
|
48
|
+
}
|
|
49
|
+
};
|
|
50
|
+
process.on('exit', cleanup);
|
|
51
|
+
process.on('SIGINT', () => {
|
|
52
|
+
cleanup();
|
|
53
|
+
process.exit();
|
|
54
|
+
});
|
|
55
|
+
process.on('SIGTERM', () => {
|
|
56
|
+
cleanup();
|
|
57
|
+
process.exit();
|
|
58
|
+
});
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
/**
|
|
62
|
+
* Validates settings to prevent command injection and ensure valid values
|
|
63
|
+
*/
|
|
64
|
+
validateSettings(settings) {
|
|
65
|
+
// Validate port numbers
|
|
66
|
+
const validatePorts = (port) => {
|
|
67
|
+
if (Array.isArray(port)) {
|
|
68
|
+
port.forEach(p => validatePorts(p));
|
|
69
|
+
return;
|
|
70
|
+
}
|
|
71
|
+
if (typeof port === 'number') {
|
|
72
|
+
if (port < 1 || port > 65535) {
|
|
73
|
+
throw new NftValidationError(`Invalid port number: ${port}`);
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
else if (typeof port === 'object') {
|
|
77
|
+
if (port.from < 1 || port.from > 65535 || port.to < 1 || port.to > 65535 || port.from > port.to) {
|
|
78
|
+
throw new NftValidationError(`Invalid port range: ${port.from}-${port.to}`);
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
};
|
|
82
|
+
validatePorts(settings.fromPort);
|
|
83
|
+
validatePorts(settings.toPort);
|
|
84
|
+
// Define regex patterns for validation
|
|
85
|
+
const ipRegex = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/;
|
|
86
|
+
const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/;
|
|
87
|
+
// Validate IP addresses
|
|
88
|
+
const validateIPs = (ips) => {
|
|
89
|
+
if (!ips)
|
|
90
|
+
return;
|
|
91
|
+
for (const ip of ips) {
|
|
92
|
+
if (!ipRegex.test(ip) && !ipv6Regex.test(ip)) {
|
|
93
|
+
throw new NftValidationError(`Invalid IP address format: ${ip}`);
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
};
|
|
97
|
+
validateIPs(settings.allowedSourceIPs);
|
|
98
|
+
validateIPs(settings.bannedSourceIPs);
|
|
99
|
+
// Validate toHost - only allow hostnames or IPs
|
|
100
|
+
if (settings.toHost) {
|
|
101
|
+
const hostRegex = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/;
|
|
102
|
+
if (!hostRegex.test(settings.toHost) && !ipRegex.test(settings.toHost) && !ipv6Regex.test(settings.toHost)) {
|
|
103
|
+
throw new NftValidationError(`Invalid host format: ${settings.toHost}`);
|
|
104
|
+
}
|
|
105
|
+
}
|
|
106
|
+
// Validate table name to prevent command injection
|
|
107
|
+
if (settings.tableName) {
|
|
108
|
+
const tableNameRegex = /^[a-zA-Z0-9_]+$/;
|
|
109
|
+
if (!tableNameRegex.test(settings.tableName)) {
|
|
110
|
+
throw new NftValidationError(`Invalid table name: ${settings.tableName}. Only alphanumeric characters and underscores are allowed.`);
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
// Validate QoS settings if enabled
|
|
114
|
+
if (settings.qos?.enabled) {
|
|
115
|
+
if (settings.qos.maxRate) {
|
|
116
|
+
const rateRegex = /^[0-9]+[kKmMgG]?bps$/;
|
|
117
|
+
if (!rateRegex.test(settings.qos.maxRate)) {
|
|
118
|
+
throw new NftValidationError(`Invalid rate format: ${settings.qos.maxRate}. Use format like "10mbps", "1gbps", etc.`);
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
if (settings.qos.priority !== undefined) {
|
|
122
|
+
if (settings.qos.priority < 1 || settings.qos.priority > 10 || !Number.isInteger(settings.qos.priority)) {
|
|
123
|
+
throw new NftValidationError(`Invalid priority: ${settings.qos.priority}. Must be an integer between 1 and 10.`);
|
|
124
|
+
}
|
|
125
|
+
}
|
|
126
|
+
}
|
|
127
|
+
}
|
|
128
|
+
/**
|
|
129
|
+
* Normalizes port specifications into an array of port ranges
|
|
130
|
+
*/
|
|
131
|
+
normalizePortSpec(portSpec) {
|
|
132
|
+
const result = [];
|
|
133
|
+
if (Array.isArray(portSpec)) {
|
|
134
|
+
// If it's an array, process each element
|
|
135
|
+
for (const spec of portSpec) {
|
|
136
|
+
result.push(...this.normalizePortSpec(spec));
|
|
137
|
+
}
|
|
138
|
+
}
|
|
139
|
+
else if (typeof portSpec === 'number') {
|
|
140
|
+
// Single port becomes a range with the same start and end
|
|
141
|
+
result.push({ from: portSpec, to: portSpec });
|
|
142
|
+
}
|
|
143
|
+
else {
|
|
144
|
+
// Already a range
|
|
145
|
+
result.push(portSpec);
|
|
146
|
+
}
|
|
147
|
+
return result;
|
|
148
|
+
}
|
|
149
|
+
/**
|
|
150
|
+
* Execute a command with retry capability
|
|
151
|
+
*/
|
|
152
|
+
async executeWithRetry(command, maxRetries = 3, retryDelayMs = 1000) {
|
|
153
|
+
let lastError;
|
|
154
|
+
for (let i = 0; i < maxRetries; i++) {
|
|
155
|
+
try {
|
|
156
|
+
const { stdout } = await execAsync(command);
|
|
157
|
+
return stdout;
|
|
158
|
+
}
|
|
159
|
+
catch (err) {
|
|
160
|
+
lastError = err;
|
|
161
|
+
this.log('warn', `Command failed (attempt ${i + 1}/${maxRetries}): ${command}`, { error: err.message });
|
|
162
|
+
// Wait before retry, unless it's the last attempt
|
|
163
|
+
if (i < maxRetries - 1) {
|
|
164
|
+
await new Promise(resolve => setTimeout(resolve, retryDelayMs));
|
|
165
|
+
}
|
|
166
|
+
}
|
|
167
|
+
}
|
|
168
|
+
throw new NftExecutionError(`Failed after ${maxRetries} attempts: ${lastError?.message || 'Unknown error'}`);
|
|
169
|
+
}
|
|
170
|
+
/**
|
|
171
|
+
* Execute system command synchronously with multiple attempts
|
|
172
|
+
*/
|
|
173
|
+
executeWithRetrySync(command, maxRetries = 3, retryDelayMs = 1000) {
|
|
174
|
+
let lastError;
|
|
175
|
+
for (let i = 0; i < maxRetries; i++) {
|
|
176
|
+
try {
|
|
177
|
+
return execSync(command).toString();
|
|
178
|
+
}
|
|
179
|
+
catch (err) {
|
|
180
|
+
lastError = err;
|
|
181
|
+
this.log('warn', `Command failed (attempt ${i + 1}/${maxRetries}): ${command}`, { error: err.message });
|
|
182
|
+
// Wait before retry, unless it's the last attempt
|
|
183
|
+
if (i < maxRetries - 1) {
|
|
184
|
+
// A naive sleep in sync context
|
|
185
|
+
const waitUntil = Date.now() + retryDelayMs;
|
|
186
|
+
while (Date.now() < waitUntil) {
|
|
187
|
+
// busy wait - not great, but this is a fallback method
|
|
188
|
+
}
|
|
189
|
+
}
|
|
190
|
+
}
|
|
191
|
+
}
|
|
192
|
+
throw new NftExecutionError(`Failed after ${maxRetries} attempts: ${lastError?.message || 'Unknown error'}`);
|
|
193
|
+
}
|
|
194
|
+
/**
|
|
195
|
+
* Checks if nftables is available and the required modules are loaded
|
|
196
|
+
*/
|
|
197
|
+
async checkNftablesAvailability() {
|
|
198
|
+
try {
|
|
199
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} --version`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
200
|
+
// Check for conntrack support if we're using advanced NAT
|
|
201
|
+
if (this.settings.useAdvancedNAT) {
|
|
202
|
+
try {
|
|
203
|
+
await this.executeWithRetry('lsmod | grep nf_conntrack', this.settings.maxRetries, this.settings.retryDelayMs);
|
|
204
|
+
}
|
|
205
|
+
catch (err) {
|
|
206
|
+
this.log('warn', 'Connection tracking modules might not be loaded, advanced NAT features may not work');
|
|
207
|
+
}
|
|
208
|
+
}
|
|
209
|
+
return true;
|
|
210
|
+
}
|
|
211
|
+
catch (err) {
|
|
212
|
+
this.log('error', `nftables is not available: ${err.message}`);
|
|
213
|
+
return false;
|
|
214
|
+
}
|
|
215
|
+
}
|
|
216
|
+
/**
|
|
217
|
+
* Creates the necessary tables and chains
|
|
218
|
+
*/
|
|
219
|
+
async setupTablesAndChains(isIpv6 = false) {
|
|
220
|
+
const family = isIpv6 ? 'ip6' : 'ip';
|
|
221
|
+
try {
|
|
222
|
+
// Check if the table already exists
|
|
223
|
+
const stdout = await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} list tables ${family}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
224
|
+
const tableExists = stdout.includes(`table ${family} ${this.tableName}`);
|
|
225
|
+
if (!tableExists) {
|
|
226
|
+
// Create the table
|
|
227
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} add table ${family} ${this.tableName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
228
|
+
this.log('info', `Created table ${family} ${this.tableName}`);
|
|
229
|
+
// Create the nat chain for the prerouting hook
|
|
230
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} add chain ${family} ${this.tableName} nat_prerouting { type nat hook prerouting priority -100 ; }`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
231
|
+
this.log('info', `Created nat_prerouting chain in ${family} ${this.tableName}`);
|
|
232
|
+
// Create the nat chain for the postrouting hook if not preserving source IP
|
|
233
|
+
if (!this.settings.preserveSourceIP) {
|
|
234
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} add chain ${family} ${this.tableName} nat_postrouting { type nat hook postrouting priority 100 ; }`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
235
|
+
this.log('info', `Created nat_postrouting chain in ${family} ${this.tableName}`);
|
|
236
|
+
}
|
|
237
|
+
// Create the chain for NetworkProxy integration if needed
|
|
238
|
+
if (this.settings.netProxyIntegration?.enabled && this.settings.netProxyIntegration.redirectLocalhost) {
|
|
239
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} add chain ${family} ${this.tableName} nat_output { type nat hook output priority 0 ; }`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
240
|
+
this.log('info', `Created nat_output chain in ${family} ${this.tableName}`);
|
|
241
|
+
}
|
|
242
|
+
// Create the QoS chain if needed
|
|
243
|
+
if (this.settings.qos?.enabled) {
|
|
244
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} add chain ${family} ${this.tableName} qos_forward { type filter hook forward priority 0 ; }`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
245
|
+
this.log('info', `Created QoS forward chain in ${family} ${this.tableName}`);
|
|
246
|
+
}
|
|
247
|
+
}
|
|
248
|
+
else {
|
|
249
|
+
this.log('info', `Table ${family} ${this.tableName} already exists, using existing table`);
|
|
250
|
+
}
|
|
251
|
+
return true;
|
|
252
|
+
}
|
|
253
|
+
catch (err) {
|
|
254
|
+
this.log('error', `Failed to set up tables and chains: ${err.message}`);
|
|
255
|
+
return false;
|
|
256
|
+
}
|
|
257
|
+
}
|
|
258
|
+
/**
|
|
259
|
+
* Creates IP sets for efficient filtering of large IP lists
|
|
260
|
+
*/
|
|
261
|
+
async createIPSet(family, setName, ips, setType = 'ipv4_addr') {
|
|
262
|
+
try {
|
|
263
|
+
// Filter IPs based on family
|
|
264
|
+
const filteredIPs = ips.filter(ip => {
|
|
265
|
+
if (family === 'ip6' && ip.includes(':'))
|
|
266
|
+
return true;
|
|
267
|
+
if (family === 'ip' && ip.includes('.'))
|
|
268
|
+
return true;
|
|
269
|
+
return false;
|
|
270
|
+
});
|
|
271
|
+
if (filteredIPs.length === 0) {
|
|
272
|
+
this.log('info', `No IP addresses of type ${setType} to add to set ${setName}`);
|
|
273
|
+
return true;
|
|
274
|
+
}
|
|
275
|
+
// Check if set already exists
|
|
276
|
+
try {
|
|
277
|
+
const sets = await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} list sets ${family} ${this.tableName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
278
|
+
if (sets.includes(`set ${setName} {`)) {
|
|
279
|
+
this.log('info', `IP set ${setName} already exists, will add elements`);
|
|
280
|
+
}
|
|
281
|
+
else {
|
|
282
|
+
// Create the set
|
|
283
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} add set ${family} ${this.tableName} ${setName} { type ${setType}; }`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
284
|
+
this.log('info', `Created IP set ${setName} for ${family} with type ${setType}`);
|
|
285
|
+
}
|
|
286
|
+
}
|
|
287
|
+
catch (err) {
|
|
288
|
+
// Set might not exist yet, create it
|
|
289
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} add set ${family} ${this.tableName} ${setName} { type ${setType}; }`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
290
|
+
this.log('info', `Created IP set ${setName} for ${family} with type ${setType}`);
|
|
291
|
+
}
|
|
292
|
+
// Add IPs to the set in batches to avoid command line length limitations
|
|
293
|
+
const batchSize = 100;
|
|
294
|
+
for (let i = 0; i < filteredIPs.length; i += batchSize) {
|
|
295
|
+
const batch = filteredIPs.slice(i, i + batchSize);
|
|
296
|
+
const elements = batch.join(', ');
|
|
297
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} add element ${family} ${this.tableName} ${setName} { ${elements} }`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
298
|
+
this.log('info', `Added batch of ${batch.length} IPs to set ${setName}`);
|
|
299
|
+
}
|
|
300
|
+
// Track the IP set
|
|
301
|
+
this.ipSets.set(`${family}:${setName}`, filteredIPs);
|
|
302
|
+
return true;
|
|
303
|
+
}
|
|
304
|
+
catch (err) {
|
|
305
|
+
this.log('error', `Failed to create IP set ${setName}: ${err.message}`);
|
|
306
|
+
return false;
|
|
307
|
+
}
|
|
308
|
+
}
|
|
309
|
+
/**
|
|
310
|
+
* Adds source IP filtering rules, potentially using IP sets for efficiency
|
|
311
|
+
*/
|
|
312
|
+
async addSourceIPFilters(isIpv6 = false) {
|
|
313
|
+
if (!this.settings.allowedSourceIPs && !this.settings.bannedSourceIPs) {
|
|
314
|
+
return true; // Nothing to do
|
|
315
|
+
}
|
|
316
|
+
const family = isIpv6 ? 'ip6' : 'ip';
|
|
317
|
+
const chain = 'nat_prerouting';
|
|
318
|
+
const setType = isIpv6 ? 'ipv6_addr' : 'ipv4_addr';
|
|
319
|
+
try {
|
|
320
|
+
// Start building the ruleset file content
|
|
321
|
+
let rulesetContent = '';
|
|
322
|
+
// Using IP sets for more efficient rule processing with large IP lists
|
|
323
|
+
if (this.settings.useIPSets) {
|
|
324
|
+
// Create sets for banned and allowed IPs if needed
|
|
325
|
+
if (this.settings.bannedSourceIPs && this.settings.bannedSourceIPs.length > 0) {
|
|
326
|
+
const setName = 'banned_ips';
|
|
327
|
+
await this.createIPSet(family, setName, this.settings.bannedSourceIPs, setType);
|
|
328
|
+
// Add rule to drop traffic from banned IPs
|
|
329
|
+
const rule = `add rule ${family} ${this.tableName} ${chain} ip${isIpv6 ? '6' : ''} saddr @${setName} drop comment "${this.ruleTag}:BANNED_SET"`;
|
|
330
|
+
rulesetContent += `${rule}\n`;
|
|
331
|
+
this.rules.push({
|
|
332
|
+
tableFamily: family,
|
|
333
|
+
tableName: this.tableName,
|
|
334
|
+
chainName: chain,
|
|
335
|
+
ruleContents: rule,
|
|
336
|
+
added: false
|
|
337
|
+
});
|
|
338
|
+
}
|
|
339
|
+
if (this.settings.allowedSourceIPs && this.settings.allowedSourceIPs.length > 0) {
|
|
340
|
+
const setName = 'allowed_ips';
|
|
341
|
+
await this.createIPSet(family, setName, this.settings.allowedSourceIPs, setType);
|
|
342
|
+
// Add rule to allow traffic from allowed IPs
|
|
343
|
+
const rule = `add rule ${family} ${this.tableName} ${chain} ip${isIpv6 ? '6' : ''} saddr @${setName} ${this.settings.protocol} dport {${this.getAllPorts(this.settings.fromPort)}} accept comment "${this.ruleTag}:ALLOWED_SET"`;
|
|
344
|
+
rulesetContent += `${rule}\n`;
|
|
345
|
+
this.rules.push({
|
|
346
|
+
tableFamily: family,
|
|
347
|
+
tableName: this.tableName,
|
|
348
|
+
chainName: chain,
|
|
349
|
+
ruleContents: rule,
|
|
350
|
+
added: false
|
|
351
|
+
});
|
|
352
|
+
// Add default deny rule for unlisted IPs
|
|
353
|
+
const denyRule = `add rule ${family} ${this.tableName} ${chain} ${this.settings.protocol} dport {${this.getAllPorts(this.settings.fromPort)}} drop comment "${this.ruleTag}:DENY_ALL"`;
|
|
354
|
+
rulesetContent += `${denyRule}\n`;
|
|
355
|
+
this.rules.push({
|
|
356
|
+
tableFamily: family,
|
|
357
|
+
tableName: this.tableName,
|
|
358
|
+
chainName: chain,
|
|
359
|
+
ruleContents: denyRule,
|
|
360
|
+
added: false
|
|
361
|
+
});
|
|
362
|
+
}
|
|
363
|
+
}
|
|
364
|
+
else {
|
|
365
|
+
// Traditional approach without IP sets - less efficient for large IP lists
|
|
366
|
+
// Ban specific IPs first
|
|
367
|
+
if (this.settings.bannedSourceIPs && this.settings.bannedSourceIPs.length > 0) {
|
|
368
|
+
for (const ip of this.settings.bannedSourceIPs) {
|
|
369
|
+
// Skip IPv4 addresses for IPv6 rules and vice versa
|
|
370
|
+
if (isIpv6 && ip.includes('.'))
|
|
371
|
+
continue;
|
|
372
|
+
if (!isIpv6 && ip.includes(':'))
|
|
373
|
+
continue;
|
|
374
|
+
const rule = `add rule ${family} ${this.tableName} ${chain} ip${isIpv6 ? '6' : ''} saddr ${ip} drop comment "${this.ruleTag}:BANNED"`;
|
|
375
|
+
rulesetContent += `${rule}\n`;
|
|
376
|
+
this.rules.push({
|
|
377
|
+
tableFamily: family,
|
|
378
|
+
tableName: this.tableName,
|
|
379
|
+
chainName: chain,
|
|
380
|
+
ruleContents: rule,
|
|
381
|
+
added: false
|
|
382
|
+
});
|
|
383
|
+
}
|
|
384
|
+
}
|
|
385
|
+
// Allow specific IPs
|
|
386
|
+
if (this.settings.allowedSourceIPs && this.settings.allowedSourceIPs.length > 0) {
|
|
387
|
+
// Add rules to allow specific IPs
|
|
388
|
+
for (const ip of this.settings.allowedSourceIPs) {
|
|
389
|
+
// Skip IPv4 addresses for IPv6 rules and vice versa
|
|
390
|
+
if (isIpv6 && ip.includes('.'))
|
|
391
|
+
continue;
|
|
392
|
+
if (!isIpv6 && ip.includes(':'))
|
|
393
|
+
continue;
|
|
394
|
+
const rule = `add rule ${family} ${this.tableName} ${chain} ip${isIpv6 ? '6' : ''} saddr ${ip} ${this.settings.protocol} dport {${this.getAllPorts(this.settings.fromPort)}} accept comment "${this.ruleTag}:ALLOWED"`;
|
|
395
|
+
rulesetContent += `${rule}\n`;
|
|
396
|
+
this.rules.push({
|
|
397
|
+
tableFamily: family,
|
|
398
|
+
tableName: this.tableName,
|
|
399
|
+
chainName: chain,
|
|
400
|
+
ruleContents: rule,
|
|
401
|
+
added: false
|
|
402
|
+
});
|
|
403
|
+
}
|
|
404
|
+
// Add default deny rule for unlisted IPs
|
|
405
|
+
const denyRule = `add rule ${family} ${this.tableName} ${chain} ${this.settings.protocol} dport {${this.getAllPorts(this.settings.fromPort)}} drop comment "${this.ruleTag}:DENY_ALL"`;
|
|
406
|
+
rulesetContent += `${denyRule}\n`;
|
|
407
|
+
this.rules.push({
|
|
408
|
+
tableFamily: family,
|
|
409
|
+
tableName: this.tableName,
|
|
410
|
+
chainName: chain,
|
|
411
|
+
ruleContents: denyRule,
|
|
412
|
+
added: false
|
|
413
|
+
});
|
|
414
|
+
}
|
|
415
|
+
}
|
|
416
|
+
// Only write and apply if we have rules to add
|
|
417
|
+
if (rulesetContent) {
|
|
418
|
+
// Write the ruleset to a temporary file
|
|
419
|
+
fs.writeFileSync(this.tempFilePath, rulesetContent);
|
|
420
|
+
// Apply the ruleset
|
|
421
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} -f ${this.tempFilePath}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
422
|
+
this.log('info', `Added source IP filter rules for ${family}`);
|
|
423
|
+
// Mark rules as added
|
|
424
|
+
for (const rule of this.rules) {
|
|
425
|
+
if (rule.tableFamily === family && !rule.added) {
|
|
426
|
+
rule.added = true;
|
|
427
|
+
// Verify the rule was applied
|
|
428
|
+
await this.verifyRuleApplication(rule);
|
|
429
|
+
}
|
|
430
|
+
}
|
|
431
|
+
// Remove the temporary file
|
|
432
|
+
fs.unlinkSync(this.tempFilePath);
|
|
433
|
+
}
|
|
434
|
+
return true;
|
|
435
|
+
}
|
|
436
|
+
catch (err) {
|
|
437
|
+
this.log('error', `Failed to add source IP filter rules: ${err.message}`);
|
|
438
|
+
// Try to clean up any rules that might have been added
|
|
439
|
+
this.rollbackRules();
|
|
440
|
+
return false;
|
|
441
|
+
}
|
|
442
|
+
}
|
|
443
|
+
/**
|
|
444
|
+
* Gets a comma-separated list of all ports from a port specification
|
|
445
|
+
*/
|
|
446
|
+
getAllPorts(portSpec) {
|
|
447
|
+
const portRanges = this.normalizePortSpec(portSpec);
|
|
448
|
+
const ports = [];
|
|
449
|
+
for (const range of portRanges) {
|
|
450
|
+
if (range.from === range.to) {
|
|
451
|
+
ports.push(range.from.toString());
|
|
452
|
+
}
|
|
453
|
+
else {
|
|
454
|
+
ports.push(`${range.from}-${range.to}`);
|
|
455
|
+
}
|
|
456
|
+
}
|
|
457
|
+
return ports.join(', ');
|
|
458
|
+
}
|
|
459
|
+
/**
|
|
460
|
+
* Configures advanced NAT with connection tracking
|
|
461
|
+
*/
|
|
462
|
+
async setupAdvancedNAT(isIpv6 = false) {
|
|
463
|
+
if (!this.settings.useAdvancedNAT) {
|
|
464
|
+
return true; // Skip if not using advanced NAT
|
|
465
|
+
}
|
|
466
|
+
const family = isIpv6 ? 'ip6' : 'ip';
|
|
467
|
+
const preroutingChain = 'nat_prerouting';
|
|
468
|
+
try {
|
|
469
|
+
// Get the port ranges
|
|
470
|
+
const fromPortRanges = this.normalizePortSpec(this.settings.fromPort);
|
|
471
|
+
const toPortRanges = this.normalizePortSpec(this.settings.toPort);
|
|
472
|
+
let rulesetContent = '';
|
|
473
|
+
// Simple case - one-to-one mapping with connection tracking
|
|
474
|
+
if (fromPortRanges.length === 1 && toPortRanges.length === 1) {
|
|
475
|
+
const fromRange = fromPortRanges[0];
|
|
476
|
+
const toRange = toPortRanges[0];
|
|
477
|
+
// Single port to single port with connection tracking
|
|
478
|
+
if (fromRange.from === fromRange.to && toRange.from === toRange.to) {
|
|
479
|
+
const rule = `add rule ${family} ${this.tableName} ${preroutingChain} ${this.settings.protocol} dport ${fromRange.from} ct state new dnat to ${this.settings.toHost}:${toRange.from} comment "${this.ruleTag}:DNAT_CT"`;
|
|
480
|
+
rulesetContent += `${rule}\n`;
|
|
481
|
+
this.rules.push({
|
|
482
|
+
tableFamily: family,
|
|
483
|
+
tableName: this.tableName,
|
|
484
|
+
chainName: preroutingChain,
|
|
485
|
+
ruleContents: rule,
|
|
486
|
+
added: false
|
|
487
|
+
});
|
|
488
|
+
}
|
|
489
|
+
// Port range with same size
|
|
490
|
+
else if ((fromRange.to - fromRange.from) === (toRange.to - toRange.from)) {
|
|
491
|
+
const rule = `add rule ${family} ${this.tableName} ${preroutingChain} ${this.settings.protocol} dport ${fromRange.from}-${fromRange.to} ct state new dnat to ${this.settings.toHost}:${toRange.from}-${toRange.to} comment "${this.ruleTag}:DNAT_RANGE_CT"`;
|
|
492
|
+
rulesetContent += `${rule}\n`;
|
|
493
|
+
this.rules.push({
|
|
494
|
+
tableFamily: family,
|
|
495
|
+
tableName: this.tableName,
|
|
496
|
+
chainName: preroutingChain,
|
|
497
|
+
ruleContents: rule,
|
|
498
|
+
added: false
|
|
499
|
+
});
|
|
500
|
+
}
|
|
501
|
+
// Add related and established connection rule for efficient connection handling
|
|
502
|
+
const ctRule = `add rule ${family} ${this.tableName} ${preroutingChain} ct state established,related accept comment "${this.ruleTag}:CT_ESTABLISHED"`;
|
|
503
|
+
rulesetContent += `${ctRule}\n`;
|
|
504
|
+
this.rules.push({
|
|
505
|
+
tableFamily: family,
|
|
506
|
+
tableName: this.tableName,
|
|
507
|
+
chainName: preroutingChain,
|
|
508
|
+
ruleContents: ctRule,
|
|
509
|
+
added: false
|
|
510
|
+
});
|
|
511
|
+
// Apply the rules if we have any
|
|
512
|
+
if (rulesetContent) {
|
|
513
|
+
fs.writeFileSync(this.tempFilePath, rulesetContent);
|
|
514
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} -f ${this.tempFilePath}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
515
|
+
this.log('info', `Added advanced NAT rules for ${family}`);
|
|
516
|
+
// Mark rules as added
|
|
517
|
+
for (const rule of this.rules) {
|
|
518
|
+
if (rule.tableFamily === family && !rule.added) {
|
|
519
|
+
rule.added = true;
|
|
520
|
+
// Verify the rule was applied
|
|
521
|
+
await this.verifyRuleApplication(rule);
|
|
522
|
+
}
|
|
523
|
+
}
|
|
524
|
+
// Remove the temporary file
|
|
525
|
+
fs.unlinkSync(this.tempFilePath);
|
|
526
|
+
}
|
|
527
|
+
}
|
|
528
|
+
return true;
|
|
529
|
+
}
|
|
530
|
+
catch (err) {
|
|
531
|
+
this.log('error', `Failed to set up advanced NAT: ${err.message}`);
|
|
532
|
+
return false;
|
|
533
|
+
}
|
|
534
|
+
}
|
|
535
|
+
/**
|
|
536
|
+
* Adds port forwarding rules
|
|
537
|
+
*/
|
|
538
|
+
async addPortForwardingRules(isIpv6 = false) {
|
|
539
|
+
// Skip if using advanced NAT as that already handles the port forwarding
|
|
540
|
+
if (this.settings.useAdvancedNAT) {
|
|
541
|
+
return true;
|
|
542
|
+
}
|
|
543
|
+
const family = isIpv6 ? 'ip6' : 'ip';
|
|
544
|
+
const preroutingChain = 'nat_prerouting';
|
|
545
|
+
const postroutingChain = 'nat_postrouting';
|
|
546
|
+
try {
|
|
547
|
+
// Normalize port specifications
|
|
548
|
+
const fromPortRanges = this.normalizePortSpec(this.settings.fromPort);
|
|
549
|
+
const toPortRanges = this.normalizePortSpec(this.settings.toPort);
|
|
550
|
+
// Handle the case where fromPort and toPort counts don't match
|
|
551
|
+
if (fromPortRanges.length !== toPortRanges.length) {
|
|
552
|
+
if (toPortRanges.length === 1) {
|
|
553
|
+
// If there's only one toPort, use it for all fromPorts
|
|
554
|
+
const singleToRange = toPortRanges[0];
|
|
555
|
+
return await this.addPortMappings(family, preroutingChain, postroutingChain, fromPortRanges, singleToRange);
|
|
556
|
+
}
|
|
557
|
+
else {
|
|
558
|
+
throw new NftValidationError('Mismatched port counts: fromPort and toPort arrays must have equal length or toPort must be a single value');
|
|
559
|
+
}
|
|
560
|
+
}
|
|
561
|
+
else {
|
|
562
|
+
// Add port mapping rules for each port pair
|
|
563
|
+
return await this.addPortPairMappings(family, preroutingChain, postroutingChain, fromPortRanges, toPortRanges);
|
|
564
|
+
}
|
|
565
|
+
}
|
|
566
|
+
catch (err) {
|
|
567
|
+
this.log('error', `Failed to add port forwarding rules: ${err.message}`);
|
|
568
|
+
return false;
|
|
569
|
+
}
|
|
570
|
+
}
|
|
571
|
+
/**
|
|
572
|
+
* Adds port forwarding rules for the case where one toPortRange maps to multiple fromPortRanges
|
|
573
|
+
*/
|
|
574
|
+
async addPortMappings(family, preroutingChain, postroutingChain, fromPortRanges, toPortRange) {
|
|
575
|
+
try {
|
|
576
|
+
let rulesetContent = '';
|
|
577
|
+
// For each from port range, create a mapping to the single to port range
|
|
578
|
+
for (const fromRange of fromPortRanges) {
|
|
579
|
+
// Simple case: single port to single port
|
|
580
|
+
if (fromRange.from === fromRange.to && toPortRange.from === toPortRange.to) {
|
|
581
|
+
const rule = `add rule ${family} ${this.tableName} ${preroutingChain} ${this.settings.protocol} dport ${fromRange.from} dnat to ${this.settings.toHost}:${toPortRange.from} comment "${this.ruleTag}:DNAT"`;
|
|
582
|
+
rulesetContent += `${rule}\n`;
|
|
583
|
+
this.rules.push({
|
|
584
|
+
tableFamily: family,
|
|
585
|
+
tableName: this.tableName,
|
|
586
|
+
chainName: preroutingChain,
|
|
587
|
+
ruleContents: rule,
|
|
588
|
+
added: false
|
|
589
|
+
});
|
|
590
|
+
}
|
|
591
|
+
// Multiple ports in from range, but only one port in to range
|
|
592
|
+
else if (toPortRange.from === toPortRange.to) {
|
|
593
|
+
// Map each port in from range to the single to port
|
|
594
|
+
for (let p = fromRange.from; p <= fromRange.to; p++) {
|
|
595
|
+
const rule = `add rule ${family} ${this.tableName} ${preroutingChain} ${this.settings.protocol} dport ${p} dnat to ${this.settings.toHost}:${toPortRange.from} comment "${this.ruleTag}:DNAT"`;
|
|
596
|
+
rulesetContent += `${rule}\n`;
|
|
597
|
+
this.rules.push({
|
|
598
|
+
tableFamily: family,
|
|
599
|
+
tableName: this.tableName,
|
|
600
|
+
chainName: preroutingChain,
|
|
601
|
+
ruleContents: rule,
|
|
602
|
+
added: false
|
|
603
|
+
});
|
|
604
|
+
}
|
|
605
|
+
}
|
|
606
|
+
// Port range to port range mapping with modulo distribution
|
|
607
|
+
else {
|
|
608
|
+
const toRangeSize = toPortRange.to - toPortRange.from + 1;
|
|
609
|
+
for (let p = fromRange.from; p <= fromRange.to; p++) {
|
|
610
|
+
const offset = (p - fromRange.from) % toRangeSize;
|
|
611
|
+
const targetPort = toPortRange.from + offset;
|
|
612
|
+
const rule = `add rule ${family} ${this.tableName} ${preroutingChain} ${this.settings.protocol} dport ${p} dnat to ${this.settings.toHost}:${targetPort} comment "${this.ruleTag}:DNAT"`;
|
|
613
|
+
rulesetContent += `${rule}\n`;
|
|
614
|
+
this.rules.push({
|
|
615
|
+
tableFamily: family,
|
|
616
|
+
tableName: this.tableName,
|
|
617
|
+
chainName: preroutingChain,
|
|
618
|
+
ruleContents: rule,
|
|
619
|
+
added: false
|
|
620
|
+
});
|
|
621
|
+
}
|
|
622
|
+
}
|
|
623
|
+
}
|
|
624
|
+
// Add masquerade rule for source NAT if not preserving source IP
|
|
625
|
+
if (!this.settings.preserveSourceIP) {
|
|
626
|
+
const ports = this.getAllPorts(this.settings.toPort);
|
|
627
|
+
const masqRule = `add rule ${family} ${this.tableName} ${postroutingChain} ${this.settings.protocol} daddr ${this.settings.toHost} dport {${ports}} masquerade comment "${this.ruleTag}:MASQ"`;
|
|
628
|
+
rulesetContent += `${masqRule}\n`;
|
|
629
|
+
this.rules.push({
|
|
630
|
+
tableFamily: family,
|
|
631
|
+
tableName: this.tableName,
|
|
632
|
+
chainName: postroutingChain,
|
|
633
|
+
ruleContents: masqRule,
|
|
634
|
+
added: false
|
|
635
|
+
});
|
|
636
|
+
}
|
|
637
|
+
// Apply the ruleset if we have any rules
|
|
638
|
+
if (rulesetContent) {
|
|
639
|
+
// Write to temporary file
|
|
640
|
+
fs.writeFileSync(this.tempFilePath, rulesetContent);
|
|
641
|
+
// Apply the ruleset
|
|
642
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} -f ${this.tempFilePath}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
643
|
+
this.log('info', `Added port forwarding rules for ${family}`);
|
|
644
|
+
// Mark rules as added
|
|
645
|
+
for (const rule of this.rules) {
|
|
646
|
+
if (rule.tableFamily === family && !rule.added) {
|
|
647
|
+
rule.added = true;
|
|
648
|
+
// Verify the rule was applied
|
|
649
|
+
await this.verifyRuleApplication(rule);
|
|
650
|
+
}
|
|
651
|
+
}
|
|
652
|
+
// Remove temporary file
|
|
653
|
+
fs.unlinkSync(this.tempFilePath);
|
|
654
|
+
}
|
|
655
|
+
return true;
|
|
656
|
+
}
|
|
657
|
+
catch (err) {
|
|
658
|
+
this.log('error', `Failed to add port mappings: ${err.message}`);
|
|
659
|
+
return false;
|
|
660
|
+
}
|
|
661
|
+
}
|
|
662
|
+
/**
|
|
663
|
+
* Adds port forwarding rules for pairs of fromPortRanges and toPortRanges
|
|
664
|
+
*/
|
|
665
|
+
async addPortPairMappings(family, preroutingChain, postroutingChain, fromPortRanges, toPortRanges) {
|
|
666
|
+
try {
|
|
667
|
+
let rulesetContent = '';
|
|
668
|
+
// Process each fromPort and toPort pair
|
|
669
|
+
for (let i = 0; i < fromPortRanges.length; i++) {
|
|
670
|
+
const fromRange = fromPortRanges[i];
|
|
671
|
+
const toRange = toPortRanges[i];
|
|
672
|
+
// Simple case: single port to single port
|
|
673
|
+
if (fromRange.from === fromRange.to && toRange.from === toRange.to) {
|
|
674
|
+
const rule = `add rule ${family} ${this.tableName} ${preroutingChain} ${this.settings.protocol} dport ${fromRange.from} dnat to ${this.settings.toHost}:${toRange.from} comment "${this.ruleTag}:DNAT"`;
|
|
675
|
+
rulesetContent += `${rule}\n`;
|
|
676
|
+
this.rules.push({
|
|
677
|
+
tableFamily: family,
|
|
678
|
+
tableName: this.tableName,
|
|
679
|
+
chainName: preroutingChain,
|
|
680
|
+
ruleContents: rule,
|
|
681
|
+
added: false
|
|
682
|
+
});
|
|
683
|
+
}
|
|
684
|
+
// Port range with equal size - can use direct mapping
|
|
685
|
+
else if ((fromRange.to - fromRange.from) === (toRange.to - toRange.from)) {
|
|
686
|
+
const rule = `add rule ${family} ${this.tableName} ${preroutingChain} ${this.settings.protocol} dport ${fromRange.from}-${fromRange.to} dnat to ${this.settings.toHost}:${toRange.from}-${toRange.to} comment "${this.ruleTag}:DNAT_RANGE"`;
|
|
687
|
+
rulesetContent += `${rule}\n`;
|
|
688
|
+
this.rules.push({
|
|
689
|
+
tableFamily: family,
|
|
690
|
+
tableName: this.tableName,
|
|
691
|
+
chainName: preroutingChain,
|
|
692
|
+
ruleContents: rule,
|
|
693
|
+
added: false
|
|
694
|
+
});
|
|
695
|
+
}
|
|
696
|
+
// Unequal port ranges - need to map individually
|
|
697
|
+
else {
|
|
698
|
+
const toRangeSize = toRange.to - toRange.from + 1;
|
|
699
|
+
for (let p = fromRange.from; p <= fromRange.to; p++) {
|
|
700
|
+
const offset = (p - fromRange.from) % toRangeSize;
|
|
701
|
+
const targetPort = toRange.from + offset;
|
|
702
|
+
const rule = `add rule ${family} ${this.tableName} ${preroutingChain} ${this.settings.protocol} dport ${p} dnat to ${this.settings.toHost}:${targetPort} comment "${this.ruleTag}:DNAT_INDIVIDUAL"`;
|
|
703
|
+
rulesetContent += `${rule}\n`;
|
|
704
|
+
this.rules.push({
|
|
705
|
+
tableFamily: family,
|
|
706
|
+
tableName: this.tableName,
|
|
707
|
+
chainName: preroutingChain,
|
|
708
|
+
ruleContents: rule,
|
|
709
|
+
added: false
|
|
710
|
+
});
|
|
711
|
+
}
|
|
712
|
+
}
|
|
713
|
+
// Add masquerade rule for this port range if not preserving source IP
|
|
714
|
+
if (!this.settings.preserveSourceIP) {
|
|
715
|
+
const masqRule = `add rule ${family} ${this.tableName} ${postroutingChain} ${this.settings.protocol} daddr ${this.settings.toHost} dport ${toRange.from}-${toRange.to} masquerade comment "${this.ruleTag}:MASQ"`;
|
|
716
|
+
rulesetContent += `${masqRule}\n`;
|
|
717
|
+
this.rules.push({
|
|
718
|
+
tableFamily: family,
|
|
719
|
+
tableName: this.tableName,
|
|
720
|
+
chainName: postroutingChain,
|
|
721
|
+
ruleContents: masqRule,
|
|
722
|
+
added: false
|
|
723
|
+
});
|
|
724
|
+
}
|
|
725
|
+
}
|
|
726
|
+
// Apply the ruleset if we have any rules
|
|
727
|
+
if (rulesetContent) {
|
|
728
|
+
// Write to temporary file
|
|
729
|
+
fs.writeFileSync(this.tempFilePath, rulesetContent);
|
|
730
|
+
// Apply the ruleset
|
|
731
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} -f ${this.tempFilePath}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
732
|
+
this.log('info', `Added port forwarding rules for ${family}`);
|
|
733
|
+
// Mark rules as added
|
|
734
|
+
for (const rule of this.rules) {
|
|
735
|
+
if (rule.tableFamily === family && !rule.added) {
|
|
736
|
+
rule.added = true;
|
|
737
|
+
// Verify the rule was applied
|
|
738
|
+
await this.verifyRuleApplication(rule);
|
|
739
|
+
}
|
|
740
|
+
}
|
|
741
|
+
// Remove temporary file
|
|
742
|
+
fs.unlinkSync(this.tempFilePath);
|
|
743
|
+
}
|
|
744
|
+
return true;
|
|
745
|
+
}
|
|
746
|
+
catch (err) {
|
|
747
|
+
this.log('error', `Failed to add port pair mappings: ${err.message}`);
|
|
748
|
+
return false;
|
|
749
|
+
}
|
|
750
|
+
}
|
|
751
|
+
/**
|
|
752
|
+
* Setup quality of service rules
|
|
753
|
+
*/
|
|
754
|
+
async addTrafficShaping(isIpv6 = false) {
|
|
755
|
+
if (!this.settings.qos?.enabled) {
|
|
756
|
+
return true;
|
|
757
|
+
}
|
|
758
|
+
const family = isIpv6 ? 'ip6' : 'ip';
|
|
759
|
+
const qosChain = 'qos_forward';
|
|
760
|
+
try {
|
|
761
|
+
let rulesetContent = '';
|
|
762
|
+
// Add rate limiting rule if specified
|
|
763
|
+
if (this.settings.qos.maxRate) {
|
|
764
|
+
const ruleContent = `add rule ${family} ${this.tableName} ${qosChain} ip daddr ${this.settings.toHost} ${this.settings.protocol} dport {${this.getAllPorts(this.settings.toPort)}} limit rate over ${this.settings.qos.maxRate} drop comment "${this.ruleTag}:QOS_RATE"`;
|
|
765
|
+
rulesetContent += `${ruleContent}\n`;
|
|
766
|
+
this.rules.push({
|
|
767
|
+
tableFamily: family,
|
|
768
|
+
tableName: this.tableName,
|
|
769
|
+
chainName: qosChain,
|
|
770
|
+
ruleContents: ruleContent,
|
|
771
|
+
added: false
|
|
772
|
+
});
|
|
773
|
+
}
|
|
774
|
+
// Add priority marking if specified
|
|
775
|
+
if (this.settings.qos.priority !== undefined) {
|
|
776
|
+
// Check if the chain exists
|
|
777
|
+
const chainsOutput = await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} list chains ${family} ${this.tableName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
778
|
+
// Check if we need to create priority queues
|
|
779
|
+
const hasPrioChain = chainsOutput.includes(`chain prio${this.settings.qos.priority}`);
|
|
780
|
+
if (!hasPrioChain) {
|
|
781
|
+
// Create priority chain
|
|
782
|
+
const prioChainRule = `add chain ${family} ${this.tableName} prio${this.settings.qos.priority} { type filter hook forward priority ${this.settings.qos.priority * 10}; }`;
|
|
783
|
+
rulesetContent += `${prioChainRule}\n`;
|
|
784
|
+
}
|
|
785
|
+
// Add the rules to mark packets with this priority
|
|
786
|
+
for (const range of this.normalizePortSpec(this.settings.toPort)) {
|
|
787
|
+
const markRule = `add rule ${family} ${this.tableName} ${qosChain} ${this.settings.protocol} dport ${range.from}-${range.to} counter goto prio${this.settings.qos.priority} comment "${this.ruleTag}:QOS_PRIORITY"`;
|
|
788
|
+
rulesetContent += `${markRule}\n`;
|
|
789
|
+
this.rules.push({
|
|
790
|
+
tableFamily: family,
|
|
791
|
+
tableName: this.tableName,
|
|
792
|
+
chainName: qosChain,
|
|
793
|
+
ruleContents: markRule,
|
|
794
|
+
added: false
|
|
795
|
+
});
|
|
796
|
+
}
|
|
797
|
+
}
|
|
798
|
+
// Apply the ruleset if we have any rules
|
|
799
|
+
if (rulesetContent) {
|
|
800
|
+
// Write to temporary file
|
|
801
|
+
fs.writeFileSync(this.tempFilePath, rulesetContent);
|
|
802
|
+
// Apply the ruleset
|
|
803
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} -f ${this.tempFilePath}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
804
|
+
this.log('info', `Added QoS rules for ${family}`);
|
|
805
|
+
// Mark rules as added
|
|
806
|
+
for (const rule of this.rules) {
|
|
807
|
+
if (rule.tableFamily === family && !rule.added) {
|
|
808
|
+
rule.added = true;
|
|
809
|
+
// Verify the rule was applied
|
|
810
|
+
await this.verifyRuleApplication(rule);
|
|
811
|
+
}
|
|
812
|
+
}
|
|
813
|
+
// Remove temporary file
|
|
814
|
+
fs.unlinkSync(this.tempFilePath);
|
|
815
|
+
}
|
|
816
|
+
return true;
|
|
817
|
+
}
|
|
818
|
+
catch (err) {
|
|
819
|
+
this.log('error', `Failed to add traffic shaping: ${err.message}`);
|
|
820
|
+
return false;
|
|
821
|
+
}
|
|
822
|
+
}
|
|
823
|
+
/**
|
|
824
|
+
* Setup NetworkProxy integration rules
|
|
825
|
+
*/
|
|
826
|
+
async setupNetworkProxyIntegration(isIpv6 = false) {
|
|
827
|
+
if (!this.settings.netProxyIntegration?.enabled) {
|
|
828
|
+
return true;
|
|
829
|
+
}
|
|
830
|
+
const netProxyConfig = this.settings.netProxyIntegration;
|
|
831
|
+
const family = isIpv6 ? 'ip6' : 'ip';
|
|
832
|
+
const outputChain = 'nat_output';
|
|
833
|
+
try {
|
|
834
|
+
// Only proceed if we're redirecting localhost and have a port
|
|
835
|
+
if (netProxyConfig.redirectLocalhost && netProxyConfig.sslTerminationPort) {
|
|
836
|
+
const localhost = isIpv6 ? '::1' : '127.0.0.1';
|
|
837
|
+
// Create the redirect rule
|
|
838
|
+
const rule = `add rule ${family} ${this.tableName} ${outputChain} ${this.settings.protocol} daddr ${localhost} redirect to :${netProxyConfig.sslTerminationPort} comment "${this.ruleTag}:NETPROXY_REDIRECT"`;
|
|
839
|
+
// Apply the rule
|
|
840
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} ${rule}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
841
|
+
this.log('info', `Added NetworkProxy redirection rule for ${family}`);
|
|
842
|
+
const newRule = {
|
|
843
|
+
tableFamily: family,
|
|
844
|
+
tableName: this.tableName,
|
|
845
|
+
chainName: outputChain,
|
|
846
|
+
ruleContents: rule,
|
|
847
|
+
added: true
|
|
848
|
+
};
|
|
849
|
+
this.rules.push(newRule);
|
|
850
|
+
// Verify the rule was actually applied
|
|
851
|
+
await this.verifyRuleApplication(newRule);
|
|
852
|
+
}
|
|
853
|
+
return true;
|
|
854
|
+
}
|
|
855
|
+
catch (err) {
|
|
856
|
+
this.log('error', `Failed to set up NetworkProxy integration: ${err.message}`);
|
|
857
|
+
return false;
|
|
858
|
+
}
|
|
859
|
+
}
|
|
860
|
+
/**
|
|
861
|
+
* Verify that a rule was successfully applied
|
|
862
|
+
*/
|
|
863
|
+
async verifyRuleApplication(rule) {
|
|
864
|
+
try {
|
|
865
|
+
const { tableFamily, tableName, chainName, ruleContents } = rule;
|
|
866
|
+
// Extract the distinctive parts of the rule to create a search pattern
|
|
867
|
+
const commentMatch = ruleContents.match(/comment "([^"]+)"/);
|
|
868
|
+
if (!commentMatch)
|
|
869
|
+
return false;
|
|
870
|
+
const commentTag = commentMatch[1];
|
|
871
|
+
// List the chain to check if our rule is there
|
|
872
|
+
const stdout = await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} list chain ${tableFamily} ${tableName} ${chainName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
873
|
+
// Check if the comment appears in the output
|
|
874
|
+
const isApplied = stdout.includes(commentTag);
|
|
875
|
+
rule.verified = isApplied;
|
|
876
|
+
if (!isApplied) {
|
|
877
|
+
this.log('warn', `Rule verification failed: ${commentTag} not found in chain ${chainName}`);
|
|
878
|
+
}
|
|
879
|
+
else {
|
|
880
|
+
this.log('debug', `Rule verified: ${commentTag} found in chain ${chainName}`);
|
|
881
|
+
}
|
|
882
|
+
return isApplied;
|
|
883
|
+
}
|
|
884
|
+
catch (err) {
|
|
885
|
+
this.log('error', `Failed to verify rule application: ${err.message}`);
|
|
886
|
+
return false;
|
|
887
|
+
}
|
|
888
|
+
}
|
|
889
|
+
/**
|
|
890
|
+
* Rolls back rules in case of error during setup
|
|
891
|
+
*/
|
|
892
|
+
async rollbackRules() {
|
|
893
|
+
// Process rules in reverse order (LIFO)
|
|
894
|
+
for (let i = this.rules.length - 1; i >= 0; i--) {
|
|
895
|
+
const rule = this.rules[i];
|
|
896
|
+
if (rule.added) {
|
|
897
|
+
try {
|
|
898
|
+
// For nftables, create a delete rule by replacing 'add' with 'delete'
|
|
899
|
+
const deleteRule = rule.ruleContents.replace('add rule', 'delete rule');
|
|
900
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} ${deleteRule}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
901
|
+
this.log('info', `Rolled back rule: ${deleteRule}`);
|
|
902
|
+
rule.added = false;
|
|
903
|
+
rule.verified = false;
|
|
904
|
+
}
|
|
905
|
+
catch (err) {
|
|
906
|
+
this.log('error', `Failed to roll back rule: ${err.message}`);
|
|
907
|
+
}
|
|
908
|
+
}
|
|
909
|
+
}
|
|
910
|
+
}
|
|
911
|
+
/**
|
|
912
|
+
* Checks if nftables table exists
|
|
913
|
+
*/
|
|
914
|
+
async tableExists(family, tableName) {
|
|
915
|
+
try {
|
|
916
|
+
const stdout = await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} list tables ${family}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
917
|
+
return stdout.includes(`table ${family} ${tableName}`);
|
|
918
|
+
}
|
|
919
|
+
catch (err) {
|
|
920
|
+
return false;
|
|
921
|
+
}
|
|
922
|
+
}
|
|
923
|
+
/**
|
|
924
|
+
* Get system metrics like connection counts
|
|
925
|
+
*/
|
|
926
|
+
async getSystemMetrics() {
|
|
927
|
+
const metrics = {};
|
|
928
|
+
try {
|
|
929
|
+
// Try to get connection metrics if conntrack is available
|
|
930
|
+
try {
|
|
931
|
+
const stdout = await this.executeWithRetry('conntrack -C', this.settings.maxRetries, this.settings.retryDelayMs);
|
|
932
|
+
metrics.activeConnections = parseInt(stdout.trim(), 10);
|
|
933
|
+
}
|
|
934
|
+
catch (err) {
|
|
935
|
+
// conntrack not available, skip this metric
|
|
936
|
+
}
|
|
937
|
+
// Try to get forwarded connections count from nftables counters
|
|
938
|
+
try {
|
|
939
|
+
// Look for counters in our rules
|
|
940
|
+
const stdout = await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} list table ip ${this.tableName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
941
|
+
// Parse counter information from the output
|
|
942
|
+
const counterMatches = stdout.matchAll(/counter packets (\d+) bytes (\d+)/g);
|
|
943
|
+
let totalPackets = 0;
|
|
944
|
+
let totalBytes = 0;
|
|
945
|
+
for (const match of counterMatches) {
|
|
946
|
+
totalPackets += parseInt(match[1], 10);
|
|
947
|
+
totalBytes += parseInt(match[2], 10);
|
|
948
|
+
}
|
|
949
|
+
if (totalPackets > 0) {
|
|
950
|
+
metrics.forwardedConnections = totalPackets;
|
|
951
|
+
metrics.bytesForwarded = {
|
|
952
|
+
sent: totalBytes,
|
|
953
|
+
received: 0 // We can't easily determine this without additional rules
|
|
954
|
+
};
|
|
955
|
+
}
|
|
956
|
+
}
|
|
957
|
+
catch (err) {
|
|
958
|
+
// Failed to get counter info, skip this metric
|
|
959
|
+
}
|
|
960
|
+
return metrics;
|
|
961
|
+
}
|
|
962
|
+
catch (err) {
|
|
963
|
+
this.log('error', `Failed to get system metrics: ${err.message}`);
|
|
964
|
+
return metrics;
|
|
965
|
+
}
|
|
966
|
+
}
|
|
967
|
+
/**
|
|
968
|
+
* Get status of IP sets
|
|
969
|
+
*/
|
|
970
|
+
async getIPSetStatus() {
|
|
971
|
+
const result = [];
|
|
972
|
+
try {
|
|
973
|
+
for (const family of ['ip', 'ip6']) {
|
|
974
|
+
try {
|
|
975
|
+
const stdout = await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} list sets ${family} ${this.tableName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
976
|
+
const setMatches = stdout.matchAll(/set (\w+) {\s*type (\w+)/g);
|
|
977
|
+
for (const match of setMatches) {
|
|
978
|
+
const setName = match[1];
|
|
979
|
+
const setType = match[2];
|
|
980
|
+
// Get element count from tracking map
|
|
981
|
+
const setKey = `${family}:${setName}`;
|
|
982
|
+
const elements = this.ipSets.get(setKey) || [];
|
|
983
|
+
result.push({
|
|
984
|
+
name: setName,
|
|
985
|
+
elementCount: elements.length,
|
|
986
|
+
type: setType
|
|
987
|
+
});
|
|
988
|
+
}
|
|
989
|
+
}
|
|
990
|
+
catch (err) {
|
|
991
|
+
// No sets for this family, or table doesn't exist
|
|
992
|
+
}
|
|
993
|
+
}
|
|
994
|
+
return result;
|
|
995
|
+
}
|
|
996
|
+
catch (err) {
|
|
997
|
+
this.log('error', `Failed to get IP set status: ${err.message}`);
|
|
998
|
+
return result;
|
|
999
|
+
}
|
|
1000
|
+
}
|
|
1001
|
+
/**
|
|
1002
|
+
* Get detailed status about the current state of the proxy
|
|
1003
|
+
*/
|
|
1004
|
+
async getStatus() {
|
|
1005
|
+
const result = {
|
|
1006
|
+
active: this.rules.some(r => r.added),
|
|
1007
|
+
ruleCount: {
|
|
1008
|
+
total: this.rules.length,
|
|
1009
|
+
added: this.rules.filter(r => r.added).length,
|
|
1010
|
+
verified: this.rules.filter(r => r.verified).length
|
|
1011
|
+
},
|
|
1012
|
+
tablesConfigured: [],
|
|
1013
|
+
metrics: {},
|
|
1014
|
+
qosEnabled: this.settings.qos?.enabled || false
|
|
1015
|
+
};
|
|
1016
|
+
try {
|
|
1017
|
+
// Get list of configured tables
|
|
1018
|
+
const stdout = await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} list tables`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
1019
|
+
const tableRegex = /table (ip|ip6) (\w+)/g;
|
|
1020
|
+
let match;
|
|
1021
|
+
while ((match = tableRegex.exec(stdout)) !== null) {
|
|
1022
|
+
const [, family, name] = match;
|
|
1023
|
+
if (name === this.tableName) {
|
|
1024
|
+
result.tablesConfigured.push({ family, tableName: name });
|
|
1025
|
+
}
|
|
1026
|
+
}
|
|
1027
|
+
// Get system metrics
|
|
1028
|
+
result.metrics = await this.getSystemMetrics();
|
|
1029
|
+
// Get IP set status if using IP sets
|
|
1030
|
+
if (this.settings.useIPSets) {
|
|
1031
|
+
result.ipSetsConfigured = await this.getIPSetStatus();
|
|
1032
|
+
}
|
|
1033
|
+
return result;
|
|
1034
|
+
}
|
|
1035
|
+
catch (err) {
|
|
1036
|
+
this.log('error', `Failed to get status: ${err.message}`);
|
|
1037
|
+
return result;
|
|
1038
|
+
}
|
|
1039
|
+
}
|
|
1040
|
+
/**
|
|
1041
|
+
* Performs a dry run to see what commands would be executed without actually applying them
|
|
1042
|
+
*/
|
|
1043
|
+
async dryRun() {
|
|
1044
|
+
const commands = [];
|
|
1045
|
+
// Simulate all the necessary setup steps and collect commands
|
|
1046
|
+
// Tables and chains
|
|
1047
|
+
commands.push(`add table ip ${this.tableName}`);
|
|
1048
|
+
commands.push(`add chain ip ${this.tableName} nat_prerouting { type nat hook prerouting priority -100; }`);
|
|
1049
|
+
if (!this.settings.preserveSourceIP) {
|
|
1050
|
+
commands.push(`add chain ip ${this.tableName} nat_postrouting { type nat hook postrouting priority 100; }`);
|
|
1051
|
+
}
|
|
1052
|
+
if (this.settings.netProxyIntegration?.enabled && this.settings.netProxyIntegration.redirectLocalhost) {
|
|
1053
|
+
commands.push(`add chain ip ${this.tableName} nat_output { type nat hook output priority 0; }`);
|
|
1054
|
+
}
|
|
1055
|
+
if (this.settings.qos?.enabled) {
|
|
1056
|
+
commands.push(`add chain ip ${this.tableName} qos_forward { type filter hook forward priority 0; }`);
|
|
1057
|
+
}
|
|
1058
|
+
// Add IPv6 tables if enabled
|
|
1059
|
+
if (this.settings.ipv6Support) {
|
|
1060
|
+
commands.push(`add table ip6 ${this.tableName}`);
|
|
1061
|
+
commands.push(`add chain ip6 ${this.tableName} nat_prerouting { type nat hook prerouting priority -100; }`);
|
|
1062
|
+
if (!this.settings.preserveSourceIP) {
|
|
1063
|
+
commands.push(`add chain ip6 ${this.tableName} nat_postrouting { type nat hook postrouting priority 100; }`);
|
|
1064
|
+
}
|
|
1065
|
+
if (this.settings.netProxyIntegration?.enabled && this.settings.netProxyIntegration.redirectLocalhost) {
|
|
1066
|
+
commands.push(`add chain ip6 ${this.tableName} nat_output { type nat hook output priority 0; }`);
|
|
1067
|
+
}
|
|
1068
|
+
if (this.settings.qos?.enabled) {
|
|
1069
|
+
commands.push(`add chain ip6 ${this.tableName} qos_forward { type filter hook forward priority 0; }`);
|
|
1070
|
+
}
|
|
1071
|
+
}
|
|
1072
|
+
// Source IP filters
|
|
1073
|
+
if (this.settings.useIPSets) {
|
|
1074
|
+
if (this.settings.bannedSourceIPs?.length) {
|
|
1075
|
+
commands.push(`add set ip ${this.tableName} banned_ips { type ipv4_addr; }`);
|
|
1076
|
+
commands.push(`add element ip ${this.tableName} banned_ips { ${this.settings.bannedSourceIPs.join(', ')} }`);
|
|
1077
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ip saddr @banned_ips drop comment "${this.ruleTag}:BANNED_SET"`);
|
|
1078
|
+
}
|
|
1079
|
+
if (this.settings.allowedSourceIPs?.length) {
|
|
1080
|
+
commands.push(`add set ip ${this.tableName} allowed_ips { type ipv4_addr; }`);
|
|
1081
|
+
commands.push(`add element ip ${this.tableName} allowed_ips { ${this.settings.allowedSourceIPs.join(', ')} }`);
|
|
1082
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ip saddr @allowed_ips ${this.settings.protocol} dport {${this.getAllPorts(this.settings.fromPort)}} accept comment "${this.ruleTag}:ALLOWED_SET"`);
|
|
1083
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ${this.settings.protocol} dport {${this.getAllPorts(this.settings.fromPort)}} drop comment "${this.ruleTag}:DENY_ALL"`);
|
|
1084
|
+
}
|
|
1085
|
+
}
|
|
1086
|
+
else if (this.settings.bannedSourceIPs?.length || this.settings.allowedSourceIPs?.length) {
|
|
1087
|
+
// Traditional approach without IP sets
|
|
1088
|
+
if (this.settings.bannedSourceIPs?.length) {
|
|
1089
|
+
for (const ip of this.settings.bannedSourceIPs) {
|
|
1090
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ip saddr ${ip} drop comment "${this.ruleTag}:BANNED"`);
|
|
1091
|
+
}
|
|
1092
|
+
}
|
|
1093
|
+
if (this.settings.allowedSourceIPs?.length) {
|
|
1094
|
+
for (const ip of this.settings.allowedSourceIPs) {
|
|
1095
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ip saddr ${ip} ${this.settings.protocol} dport {${this.getAllPorts(this.settings.fromPort)}} accept comment "${this.ruleTag}:ALLOWED"`);
|
|
1096
|
+
}
|
|
1097
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ${this.settings.protocol} dport {${this.getAllPorts(this.settings.fromPort)}} drop comment "${this.ruleTag}:DENY_ALL"`);
|
|
1098
|
+
}
|
|
1099
|
+
}
|
|
1100
|
+
// Port forwarding rules
|
|
1101
|
+
if (this.settings.useAdvancedNAT) {
|
|
1102
|
+
// Advanced NAT with connection tracking
|
|
1103
|
+
const fromPortRanges = this.normalizePortSpec(this.settings.fromPort);
|
|
1104
|
+
const toPortRanges = this.normalizePortSpec(this.settings.toPort);
|
|
1105
|
+
if (fromPortRanges.length === 1 && toPortRanges.length === 1) {
|
|
1106
|
+
const fromRange = fromPortRanges[0];
|
|
1107
|
+
const toRange = toPortRanges[0];
|
|
1108
|
+
if (fromRange.from === fromRange.to && toRange.from === toRange.to) {
|
|
1109
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ${this.settings.protocol} dport ${fromRange.from} ct state new dnat to ${this.settings.toHost}:${toRange.from} comment "${this.ruleTag}:DNAT_CT"`);
|
|
1110
|
+
}
|
|
1111
|
+
else if ((fromRange.to - fromRange.from) === (toRange.to - toRange.from)) {
|
|
1112
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ${this.settings.protocol} dport ${fromRange.from}-${fromRange.to} ct state new dnat to ${this.settings.toHost}:${toRange.from}-${toRange.to} comment "${this.ruleTag}:DNAT_RANGE_CT"`);
|
|
1113
|
+
}
|
|
1114
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ct state established,related accept comment "${this.ruleTag}:CT_ESTABLISHED"`);
|
|
1115
|
+
}
|
|
1116
|
+
}
|
|
1117
|
+
else {
|
|
1118
|
+
// Standard NAT rules
|
|
1119
|
+
const fromRanges = this.normalizePortSpec(this.settings.fromPort);
|
|
1120
|
+
const toRanges = this.normalizePortSpec(this.settings.toPort);
|
|
1121
|
+
if (fromRanges.length === 1 && toRanges.length === 1) {
|
|
1122
|
+
const fromRange = fromRanges[0];
|
|
1123
|
+
const toRange = toRanges[0];
|
|
1124
|
+
if (fromRange.from === fromRange.to && toRange.from === toRange.to) {
|
|
1125
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ${this.settings.protocol} dport ${fromRange.from} dnat to ${this.settings.toHost}:${toRange.from} comment "${this.ruleTag}:DNAT"`);
|
|
1126
|
+
}
|
|
1127
|
+
else {
|
|
1128
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ${this.settings.protocol} dport ${fromRange.from}-${fromRange.to} dnat to ${this.settings.toHost}:${toRange.from}-${toRange.to} comment "${this.ruleTag}:DNAT_RANGE"`);
|
|
1129
|
+
}
|
|
1130
|
+
}
|
|
1131
|
+
else if (toRanges.length === 1) {
|
|
1132
|
+
// One-to-many mapping
|
|
1133
|
+
for (const fromRange of fromRanges) {
|
|
1134
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ${this.settings.protocol} dport ${fromRange.from}-${fromRange.to} dnat to ${this.settings.toHost}:${toRanges[0].from}-${toRanges[0].to} comment "${this.ruleTag}:DNAT_RANGE"`);
|
|
1135
|
+
}
|
|
1136
|
+
}
|
|
1137
|
+
else {
|
|
1138
|
+
// One-to-one mapping of multiple ranges
|
|
1139
|
+
for (let i = 0; i < fromRanges.length; i++) {
|
|
1140
|
+
commands.push(`add rule ip ${this.tableName} nat_prerouting ${this.settings.protocol} dport ${fromRanges[i].from}-${fromRanges[i].to} dnat to ${this.settings.toHost}:${toRanges[i].from}-${toRanges[i].to} comment "${this.ruleTag}:DNAT_RANGE"`);
|
|
1141
|
+
}
|
|
1142
|
+
}
|
|
1143
|
+
}
|
|
1144
|
+
// Masquerade rules if not preserving source IP
|
|
1145
|
+
if (!this.settings.preserveSourceIP) {
|
|
1146
|
+
commands.push(`add rule ip ${this.tableName} nat_postrouting ${this.settings.protocol} daddr ${this.settings.toHost} dport {${this.getAllPorts(this.settings.toPort)}} masquerade comment "${this.ruleTag}:MASQ"`);
|
|
1147
|
+
}
|
|
1148
|
+
// NetworkProxy integration
|
|
1149
|
+
if (this.settings.netProxyIntegration?.enabled &&
|
|
1150
|
+
this.settings.netProxyIntegration.redirectLocalhost &&
|
|
1151
|
+
this.settings.netProxyIntegration.sslTerminationPort) {
|
|
1152
|
+
commands.push(`add rule ip ${this.tableName} nat_output ${this.settings.protocol} daddr 127.0.0.1 redirect to :${this.settings.netProxyIntegration.sslTerminationPort} comment "${this.ruleTag}:NETPROXY_REDIRECT"`);
|
|
1153
|
+
}
|
|
1154
|
+
// QoS rules
|
|
1155
|
+
if (this.settings.qos?.enabled) {
|
|
1156
|
+
if (this.settings.qos.maxRate) {
|
|
1157
|
+
commands.push(`add rule ip ${this.tableName} qos_forward ip daddr ${this.settings.toHost} ${this.settings.protocol} dport {${this.getAllPorts(this.settings.toPort)}} limit rate over ${this.settings.qos.maxRate} drop comment "${this.ruleTag}:QOS_RATE"`);
|
|
1158
|
+
}
|
|
1159
|
+
if (this.settings.qos.priority !== undefined) {
|
|
1160
|
+
commands.push(`add chain ip ${this.tableName} prio${this.settings.qos.priority} { type filter hook forward priority ${this.settings.qos.priority * 10}; }`);
|
|
1161
|
+
for (const range of this.normalizePortSpec(this.settings.toPort)) {
|
|
1162
|
+
commands.push(`add rule ip ${this.tableName} qos_forward ${this.settings.protocol} dport ${range.from}-${range.to} counter goto prio${this.settings.qos.priority} comment "${this.ruleTag}:QOS_PRIORITY"`);
|
|
1163
|
+
}
|
|
1164
|
+
}
|
|
1165
|
+
}
|
|
1166
|
+
return commands;
|
|
1167
|
+
}
|
|
1168
|
+
/**
|
|
1169
|
+
* Starts the proxy by setting up all nftables rules
|
|
1170
|
+
*/
|
|
1171
|
+
async start() {
|
|
1172
|
+
// Check if nftables is available
|
|
1173
|
+
const nftablesAvailable = await this.checkNftablesAvailability();
|
|
1174
|
+
if (!nftablesAvailable) {
|
|
1175
|
+
throw new NftResourceError('nftables is not available or not properly configured');
|
|
1176
|
+
}
|
|
1177
|
+
// Optionally clean slate first
|
|
1178
|
+
if (this.settings.forceCleanSlate) {
|
|
1179
|
+
await NfTablesProxy.cleanSlate();
|
|
1180
|
+
}
|
|
1181
|
+
// Set up tables and chains for IPv4
|
|
1182
|
+
const setupSuccess = await this.setupTablesAndChains();
|
|
1183
|
+
if (!setupSuccess) {
|
|
1184
|
+
throw new NftExecutionError('Failed to set up nftables tables and chains');
|
|
1185
|
+
}
|
|
1186
|
+
// Set up IPv6 tables and chains if enabled
|
|
1187
|
+
if (this.settings.ipv6Support) {
|
|
1188
|
+
const setupIPv6Success = await this.setupTablesAndChains(true);
|
|
1189
|
+
if (!setupIPv6Success) {
|
|
1190
|
+
this.log('warn', 'Failed to set up IPv6 tables and chains, continuing with IPv4 only');
|
|
1191
|
+
}
|
|
1192
|
+
}
|
|
1193
|
+
// Add source IP filters
|
|
1194
|
+
await this.addSourceIPFilters();
|
|
1195
|
+
if (this.settings.ipv6Support) {
|
|
1196
|
+
await this.addSourceIPFilters(true);
|
|
1197
|
+
}
|
|
1198
|
+
// Set up advanced NAT with connection tracking if enabled
|
|
1199
|
+
if (this.settings.useAdvancedNAT) {
|
|
1200
|
+
const advancedNatSuccess = await this.setupAdvancedNAT();
|
|
1201
|
+
if (!advancedNatSuccess) {
|
|
1202
|
+
this.log('warn', 'Failed to set up advanced NAT, falling back to standard NAT');
|
|
1203
|
+
this.settings.useAdvancedNAT = false;
|
|
1204
|
+
}
|
|
1205
|
+
else if (this.settings.ipv6Support) {
|
|
1206
|
+
await this.setupAdvancedNAT(true);
|
|
1207
|
+
}
|
|
1208
|
+
}
|
|
1209
|
+
// Add port forwarding rules (skip if using advanced NAT)
|
|
1210
|
+
if (!this.settings.useAdvancedNAT) {
|
|
1211
|
+
const forwardingSuccess = await this.addPortForwardingRules();
|
|
1212
|
+
if (!forwardingSuccess) {
|
|
1213
|
+
throw new NftExecutionError('Failed to add port forwarding rules');
|
|
1214
|
+
}
|
|
1215
|
+
// Add IPv6 port forwarding rules if enabled
|
|
1216
|
+
if (this.settings.ipv6Support) {
|
|
1217
|
+
const forwardingIPv6Success = await this.addPortForwardingRules(true);
|
|
1218
|
+
if (!forwardingIPv6Success) {
|
|
1219
|
+
this.log('warn', 'Failed to add IPv6 port forwarding rules');
|
|
1220
|
+
}
|
|
1221
|
+
}
|
|
1222
|
+
}
|
|
1223
|
+
// Set up QoS if enabled
|
|
1224
|
+
if (this.settings.qos?.enabled) {
|
|
1225
|
+
const qosSuccess = await this.addTrafficShaping();
|
|
1226
|
+
if (!qosSuccess) {
|
|
1227
|
+
this.log('warn', 'Failed to set up QoS rules, continuing without traffic shaping');
|
|
1228
|
+
}
|
|
1229
|
+
else if (this.settings.ipv6Support) {
|
|
1230
|
+
await this.addTrafficShaping(true);
|
|
1231
|
+
}
|
|
1232
|
+
}
|
|
1233
|
+
// Set up NetworkProxy integration if enabled
|
|
1234
|
+
if (this.settings.netProxyIntegration?.enabled) {
|
|
1235
|
+
const netProxySetupSuccess = await this.setupNetworkProxyIntegration();
|
|
1236
|
+
if (!netProxySetupSuccess) {
|
|
1237
|
+
this.log('warn', 'Failed to set up NetworkProxy integration');
|
|
1238
|
+
}
|
|
1239
|
+
if (this.settings.ipv6Support) {
|
|
1240
|
+
await this.setupNetworkProxyIntegration(true);
|
|
1241
|
+
}
|
|
1242
|
+
}
|
|
1243
|
+
// Final check - ensure we have at least one rule added
|
|
1244
|
+
if (this.rules.filter(r => r.added).length === 0) {
|
|
1245
|
+
throw new NftExecutionError('No rules were added');
|
|
1246
|
+
}
|
|
1247
|
+
this.log('info', 'NfTablesProxy started successfully');
|
|
1248
|
+
}
|
|
1249
|
+
/**
|
|
1250
|
+
* Stops the proxy by removing all added rules
|
|
1251
|
+
*/
|
|
1252
|
+
async stop() {
|
|
1253
|
+
try {
|
|
1254
|
+
let rulesetContent = '';
|
|
1255
|
+
// Process rules in reverse order (LIFO)
|
|
1256
|
+
for (let i = this.rules.length - 1; i >= 0; i--) {
|
|
1257
|
+
const rule = this.rules[i];
|
|
1258
|
+
if (rule.added) {
|
|
1259
|
+
// Create delete rules by replacing 'add' with 'delete'
|
|
1260
|
+
const deleteRule = rule.ruleContents.replace('add rule', 'delete rule');
|
|
1261
|
+
rulesetContent += `${deleteRule}\n`;
|
|
1262
|
+
}
|
|
1263
|
+
}
|
|
1264
|
+
// Apply the ruleset if we have any rules to delete
|
|
1265
|
+
if (rulesetContent) {
|
|
1266
|
+
// Write to temporary file
|
|
1267
|
+
fs.writeFileSync(this.tempFilePath, rulesetContent);
|
|
1268
|
+
// Apply the ruleset
|
|
1269
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} -f ${this.tempFilePath}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
1270
|
+
this.log('info', 'Removed all added rules');
|
|
1271
|
+
// Mark all rules as removed
|
|
1272
|
+
this.rules.forEach(rule => {
|
|
1273
|
+
rule.added = false;
|
|
1274
|
+
rule.verified = false;
|
|
1275
|
+
});
|
|
1276
|
+
// Remove temporary file
|
|
1277
|
+
fs.unlinkSync(this.tempFilePath);
|
|
1278
|
+
}
|
|
1279
|
+
// Clean up IP sets if we created any
|
|
1280
|
+
if (this.settings.useIPSets && this.ipSets.size > 0) {
|
|
1281
|
+
for (const [key, _] of this.ipSets) {
|
|
1282
|
+
const [family, setName] = key.split(':');
|
|
1283
|
+
try {
|
|
1284
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} delete set ${family} ${this.tableName} ${setName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
1285
|
+
this.log('info', `Removed IP set ${setName} from ${family} ${this.tableName}`);
|
|
1286
|
+
}
|
|
1287
|
+
catch (err) {
|
|
1288
|
+
this.log('warn', `Failed to remove IP set ${setName}: ${err.message}`);
|
|
1289
|
+
}
|
|
1290
|
+
}
|
|
1291
|
+
this.ipSets.clear();
|
|
1292
|
+
}
|
|
1293
|
+
// Optionally clean up tables if they're empty
|
|
1294
|
+
await this.cleanupEmptyTables();
|
|
1295
|
+
this.log('info', 'NfTablesProxy stopped successfully');
|
|
1296
|
+
}
|
|
1297
|
+
catch (err) {
|
|
1298
|
+
this.log('error', `Error stopping NfTablesProxy: ${err.message}`);
|
|
1299
|
+
throw err;
|
|
1300
|
+
}
|
|
1301
|
+
}
|
|
1302
|
+
/**
|
|
1303
|
+
* Synchronous version of stop, for use in exit handlers
|
|
1304
|
+
*/
|
|
1305
|
+
stopSync() {
|
|
1306
|
+
try {
|
|
1307
|
+
let rulesetContent = '';
|
|
1308
|
+
// Process rules in reverse order (LIFO)
|
|
1309
|
+
for (let i = this.rules.length - 1; i >= 0; i--) {
|
|
1310
|
+
const rule = this.rules[i];
|
|
1311
|
+
if (rule.added) {
|
|
1312
|
+
// Create delete rules by replacing 'add' with 'delete'
|
|
1313
|
+
const deleteRule = rule.ruleContents.replace('add rule', 'delete rule');
|
|
1314
|
+
rulesetContent += `${deleteRule}\n`;
|
|
1315
|
+
}
|
|
1316
|
+
}
|
|
1317
|
+
// Apply the ruleset if we have any rules to delete
|
|
1318
|
+
if (rulesetContent) {
|
|
1319
|
+
// Write to temporary file
|
|
1320
|
+
fs.writeFileSync(this.tempFilePath, rulesetContent);
|
|
1321
|
+
// Apply the ruleset
|
|
1322
|
+
this.executeWithRetrySync(`${NfTablesProxy.NFT_CMD} -f ${this.tempFilePath}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
1323
|
+
this.log('info', 'Removed all added rules');
|
|
1324
|
+
// Mark all rules as removed
|
|
1325
|
+
this.rules.forEach(rule => {
|
|
1326
|
+
rule.added = false;
|
|
1327
|
+
rule.verified = false;
|
|
1328
|
+
});
|
|
1329
|
+
// Remove temporary file
|
|
1330
|
+
fs.unlinkSync(this.tempFilePath);
|
|
1331
|
+
}
|
|
1332
|
+
// Clean up IP sets if we created any
|
|
1333
|
+
if (this.settings.useIPSets && this.ipSets.size > 0) {
|
|
1334
|
+
for (const [key, _] of this.ipSets) {
|
|
1335
|
+
const [family, setName] = key.split(':');
|
|
1336
|
+
try {
|
|
1337
|
+
this.executeWithRetrySync(`${NfTablesProxy.NFT_CMD} delete set ${family} ${this.tableName} ${setName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
1338
|
+
}
|
|
1339
|
+
catch (err) {
|
|
1340
|
+
// Non-critical error, continue
|
|
1341
|
+
}
|
|
1342
|
+
}
|
|
1343
|
+
}
|
|
1344
|
+
// Optionally clean up tables if they're empty (sync version)
|
|
1345
|
+
this.cleanupEmptyTablesSync();
|
|
1346
|
+
this.log('info', 'NfTablesProxy stopped successfully');
|
|
1347
|
+
}
|
|
1348
|
+
catch (err) {
|
|
1349
|
+
this.log('error', `Error stopping NfTablesProxy: ${err.message}`);
|
|
1350
|
+
}
|
|
1351
|
+
}
|
|
1352
|
+
/**
|
|
1353
|
+
* Cleans up empty tables
|
|
1354
|
+
*/
|
|
1355
|
+
async cleanupEmptyTables() {
|
|
1356
|
+
// Check if tables are empty, and if so, delete them
|
|
1357
|
+
for (const family of ['ip', 'ip6']) {
|
|
1358
|
+
// Skip IPv6 if not enabled
|
|
1359
|
+
if (family === 'ip6' && !this.settings.ipv6Support) {
|
|
1360
|
+
continue;
|
|
1361
|
+
}
|
|
1362
|
+
try {
|
|
1363
|
+
// Check if table exists
|
|
1364
|
+
const tableExists = await this.tableExists(family, this.tableName);
|
|
1365
|
+
if (!tableExists) {
|
|
1366
|
+
continue;
|
|
1367
|
+
}
|
|
1368
|
+
// Check if the table has any rules
|
|
1369
|
+
const stdout = await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} list table ${family} ${this.tableName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
1370
|
+
const hasRules = stdout.includes('rule');
|
|
1371
|
+
if (!hasRules) {
|
|
1372
|
+
// Table is empty, delete it
|
|
1373
|
+
await this.executeWithRetry(`${NfTablesProxy.NFT_CMD} delete table ${family} ${this.tableName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
1374
|
+
this.log('info', `Deleted empty table ${family} ${this.tableName}`);
|
|
1375
|
+
}
|
|
1376
|
+
}
|
|
1377
|
+
catch (err) {
|
|
1378
|
+
this.log('error', `Error cleaning up tables: ${err.message}`);
|
|
1379
|
+
}
|
|
1380
|
+
}
|
|
1381
|
+
}
|
|
1382
|
+
/**
|
|
1383
|
+
* Synchronous version of cleanupEmptyTables
|
|
1384
|
+
*/
|
|
1385
|
+
cleanupEmptyTablesSync() {
|
|
1386
|
+
// Check if tables are empty, and if so, delete them
|
|
1387
|
+
for (const family of ['ip', 'ip6']) {
|
|
1388
|
+
// Skip IPv6 if not enabled
|
|
1389
|
+
if (family === 'ip6' && !this.settings.ipv6Support) {
|
|
1390
|
+
continue;
|
|
1391
|
+
}
|
|
1392
|
+
try {
|
|
1393
|
+
// Check if table exists
|
|
1394
|
+
const tableExistsOutput = this.executeWithRetrySync(`${NfTablesProxy.NFT_CMD} list tables ${family}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
1395
|
+
const tableExists = tableExistsOutput.includes(`table ${family} ${this.tableName}`);
|
|
1396
|
+
if (!tableExists) {
|
|
1397
|
+
continue;
|
|
1398
|
+
}
|
|
1399
|
+
// Check if the table has any rules
|
|
1400
|
+
const stdout = this.executeWithRetrySync(`${NfTablesProxy.NFT_CMD} list table ${family} ${this.tableName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
1401
|
+
const hasRules = stdout.includes('rule');
|
|
1402
|
+
if (!hasRules) {
|
|
1403
|
+
// Table is empty, delete it
|
|
1404
|
+
this.executeWithRetrySync(`${NfTablesProxy.NFT_CMD} delete table ${family} ${this.tableName}`, this.settings.maxRetries, this.settings.retryDelayMs);
|
|
1405
|
+
this.log('info', `Deleted empty table ${family} ${this.tableName}`);
|
|
1406
|
+
}
|
|
1407
|
+
}
|
|
1408
|
+
catch (err) {
|
|
1409
|
+
this.log('error', `Error cleaning up tables: ${err.message}`);
|
|
1410
|
+
}
|
|
1411
|
+
}
|
|
1412
|
+
}
|
|
1413
|
+
/**
|
|
1414
|
+
* Removes all nftables rules created by this module
|
|
1415
|
+
*/
|
|
1416
|
+
static async cleanSlate() {
|
|
1417
|
+
try {
|
|
1418
|
+
// Check for rules with our comment pattern
|
|
1419
|
+
const stdout = await execAsync(`${NfTablesProxy.NFT_CMD} list ruleset`);
|
|
1420
|
+
// Extract our tables
|
|
1421
|
+
const tableMatches = stdout.stdout.match(/table (ip|ip6) (\w+) {[^}]*NfTablesProxy:[^}]*}/g);
|
|
1422
|
+
if (tableMatches) {
|
|
1423
|
+
for (const tableMatch of tableMatches) {
|
|
1424
|
+
// Extract table family and name
|
|
1425
|
+
const familyMatch = tableMatch.match(/table (ip|ip6) (\w+)/);
|
|
1426
|
+
if (familyMatch) {
|
|
1427
|
+
const family = familyMatch[1];
|
|
1428
|
+
const tableName = familyMatch[2];
|
|
1429
|
+
// Delete the table
|
|
1430
|
+
await execAsync(`${NfTablesProxy.NFT_CMD} delete table ${family} ${tableName}`);
|
|
1431
|
+
console.log(`Deleted table ${family} ${tableName} containing NfTablesProxy rules`);
|
|
1432
|
+
}
|
|
1433
|
+
}
|
|
1434
|
+
}
|
|
1435
|
+
else {
|
|
1436
|
+
console.log('No NfTablesProxy rules found to clean up');
|
|
1437
|
+
}
|
|
1438
|
+
}
|
|
1439
|
+
catch (err) {
|
|
1440
|
+
console.error(`Error in cleanSlate: ${err}`);
|
|
1441
|
+
}
|
|
1442
|
+
}
|
|
1443
|
+
/**
|
|
1444
|
+
* Synchronous version of cleanSlate
|
|
1445
|
+
*/
|
|
1446
|
+
static cleanSlateSync() {
|
|
1447
|
+
try {
|
|
1448
|
+
// Check for rules with our comment pattern
|
|
1449
|
+
const stdout = execSync(`${NfTablesProxy.NFT_CMD} list ruleset`).toString();
|
|
1450
|
+
// Extract our tables
|
|
1451
|
+
const tableMatches = stdout.match(/table (ip|ip6) (\w+) {[^}]*NfTablesProxy:[^}]*}/g);
|
|
1452
|
+
if (tableMatches) {
|
|
1453
|
+
for (const tableMatch of tableMatches) {
|
|
1454
|
+
// Extract table family and name
|
|
1455
|
+
const familyMatch = tableMatch.match(/table (ip|ip6) (\w+)/);
|
|
1456
|
+
if (familyMatch) {
|
|
1457
|
+
const family = familyMatch[1];
|
|
1458
|
+
const tableName = familyMatch[2];
|
|
1459
|
+
// Delete the table
|
|
1460
|
+
execSync(`${NfTablesProxy.NFT_CMD} delete table ${family} ${tableName}`);
|
|
1461
|
+
console.log(`Deleted table ${family} ${tableName} containing NfTablesProxy rules`);
|
|
1462
|
+
}
|
|
1463
|
+
}
|
|
1464
|
+
}
|
|
1465
|
+
else {
|
|
1466
|
+
console.log('No NfTablesProxy rules found to clean up');
|
|
1467
|
+
}
|
|
1468
|
+
}
|
|
1469
|
+
catch (err) {
|
|
1470
|
+
console.error(`Error in cleanSlateSync: ${err}`);
|
|
1471
|
+
}
|
|
1472
|
+
}
|
|
1473
|
+
/**
|
|
1474
|
+
* Improved logging with structured output
|
|
1475
|
+
*/
|
|
1476
|
+
log(level, message, meta) {
|
|
1477
|
+
if (!this.settings.enableLogging && (level === 'info' || level === 'debug')) {
|
|
1478
|
+
return;
|
|
1479
|
+
}
|
|
1480
|
+
const timestamp = new Date().toISOString();
|
|
1481
|
+
const logData = {
|
|
1482
|
+
timestamp,
|
|
1483
|
+
level: level.toUpperCase(),
|
|
1484
|
+
message,
|
|
1485
|
+
...meta,
|
|
1486
|
+
context: {
|
|
1487
|
+
instance: this.ruleTag,
|
|
1488
|
+
table: this.tableName
|
|
1489
|
+
}
|
|
1490
|
+
};
|
|
1491
|
+
// Determine if output should be JSON or plain text based on settings
|
|
1492
|
+
const useJson = this.settings.logFormat === 'json';
|
|
1493
|
+
if (useJson) {
|
|
1494
|
+
const logOutput = JSON.stringify(logData);
|
|
1495
|
+
console.log(logOutput);
|
|
1496
|
+
return;
|
|
1497
|
+
}
|
|
1498
|
+
// Plain text format
|
|
1499
|
+
const metaStr = meta ? ` ${JSON.stringify(meta)}` : '';
|
|
1500
|
+
switch (level) {
|
|
1501
|
+
case 'info':
|
|
1502
|
+
console.log(`[${timestamp}] [INFO] ${message}${metaStr}`);
|
|
1503
|
+
break;
|
|
1504
|
+
case 'warn':
|
|
1505
|
+
console.warn(`[${timestamp}] [WARN] ${message}${metaStr}`);
|
|
1506
|
+
break;
|
|
1507
|
+
case 'error':
|
|
1508
|
+
console.error(`[${timestamp}] [ERROR] ${message}${metaStr}`);
|
|
1509
|
+
break;
|
|
1510
|
+
case 'debug':
|
|
1511
|
+
console.log(`[${timestamp}] [DEBUG] ${message}${metaStr}`);
|
|
1512
|
+
break;
|
|
1513
|
+
}
|
|
1514
|
+
}
|
|
1515
|
+
}
|
|
1516
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibmZ0YWJsZXMtcHJveHkuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9wcm94aWVzL25mdGFibGVzLXByb3h5L25mdGFibGVzLXByb3h5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxJQUFJLEVBQUUsUUFBUSxFQUFFLE1BQU0sZUFBZSxDQUFDO0FBQy9DLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSxNQUFNLENBQUM7QUFDakMsT0FBTyxLQUFLLEVBQUUsTUFBTSxJQUFJLENBQUM7QUFDekIsT0FBTyxLQUFLLElBQUksTUFBTSxNQUFNLENBQUM7QUFDN0IsT0FBTyxLQUFLLEVBQUUsTUFBTSxJQUFJLENBQUM7QUFDekIsT0FBTyxFQUNMLFlBQVksRUFDWixrQkFBa0IsRUFDbEIsaUJBQWlCLEVBQ2pCLGdCQUFnQixFQUNqQixNQUFNLG1CQUFtQixDQUFDO0FBTzNCLE1BQU0sU0FBUyxHQUFHLFNBQVMsQ0FBQyxJQUFJLENBQUMsQ0FBQztBQWVsQzs7OztHQUlHO0FBQ0gsTUFBTSxPQUFPLGFBQWE7YUFPVCxZQUFPLEdBQUcsS0FBSyxBQUFSLENBQVM7SUFFL0IsWUFBWSxRQUE2QjtRQVBqQyxVQUFLLEdBQW1CLEVBQUUsQ0FBQztRQUMzQixXQUFNLEdBQTBCLElBQUksR0FBRyxFQUFFLENBQUMsQ0FBQyw2QkFBNkI7UUFPOUUsK0NBQStDO1FBQy9DLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUVoQyx1QkFBdUI7UUFDdkIsSUFBSSxDQUFDLFFBQVEsR0FBRztZQUNkLEdBQUcsUUFBUTtZQUNYLE1BQU0sRUFBRSxRQUFRLENBQUMsTUFBTSxJQUFJLFdBQVc7WUFDdEMsUUFBUSxFQUFFLFFBQVEsQ0FBQyxRQUFRLElBQUksS0FBSztZQUNwQyxhQUFhLEVBQUUsUUFBUSxDQUFDLGFBQWEsS0FBSyxTQUFTLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxhQUFhLENBQUMsQ0FBQyxDQUFDLEtBQUs7WUFDcEYsV0FBVyxFQUFFLFFBQVEsQ0FBQyxXQUFXLEtBQUssU0FBUyxDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsV0FBVyxDQUFDLENBQUMsQ0FBQyxLQUFLO1lBQzlFLFNBQVMsRUFBRSxRQUFRLENBQUMsU0FBUyxJQUFJLFdBQVc7WUFDNUMsU0FBUyxFQUFFLFFBQVEsQ0FBQyxTQUFTLElBQUksT0FBTztZQUN4QyxTQUFTLEVBQUUsUUFBUSxDQUFDLFNBQVMsS0FBSyxTQUFTLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFDLElBQUk7WUFDdkUsVUFBVSxFQUFFLFFBQVEsQ0FBQyxVQUFVLElBQUksQ0FBQztZQUNwQyxZQUFZLEVBQUUsUUFBUSxDQUFDLFlBQVksSUFBSSxJQUFJO1lBQzNDLGNBQWMsRUFBRSxRQUFRLENBQUMsY0FBYyxLQUFLLFNBQVMsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLGNBQWMsQ0FBQyxDQUFDLENBQUMsS0FBSztTQUN4RixDQUFDO1FBRUYsb0VBQW9FO1FBQ3BFLElBQUksQ0FBQyxPQUFPLEdBQUcsaUJBQWlCLElBQUksQ0FBQyxHQUFHLEVBQUUsSUFBSSxJQUFJLENBQUMsTUFBTSxFQUFFLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUV4RixpQkFBaUI7UUFDakIsSUFBSSxDQUFDLFNBQVMsR0FBRyxJQUFJLENBQUMsUUFBUSxDQUFDLFNBQVMsSUFBSSxXQUFXLENBQUM7UUFFeEQsK0NBQStDO1FBQy9DLElBQUksQ0FBQyxZQUFZLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsTUFBTSxFQUFFLEVBQUUsYUFBYSxJQUFJLENBQUMsR0FBRyxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBRTFFLG9EQUFvRDtRQUNwRCxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxFQUFFLENBQUM7WUFDL0IsTUFBTSxPQUFPLEdBQUcsR0FBRyxFQUFFO2dCQUNuQixJQUFJLENBQUM7b0JBQ0gsSUFBSSxDQUFDLFFBQVEsRUFBRSxDQUFDO2dCQUNsQixDQUFDO2dCQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7b0JBQ2IsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsd0NBQXdDLEVBQUUsRUFBRSxLQUFLLEVBQUUsR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7Z0JBQ3RGLENBQUM7WUFDSCxDQUFDLENBQUM7WUFFRixPQUFPLENBQUMsRUFBRSxDQUFDLE1BQU0sRUFBRSxPQUFPLENBQUMsQ0FBQztZQUM1QixPQUFPLENBQUMsRUFBRSxDQUFDLFFBQVEsRUFBRSxHQUFHLEVBQUU7Z0JBQ3hCLE9BQU8sRUFBRSxDQUFDO2dCQUNWLE9BQU8sQ0FBQyxJQUFJLEVBQUUsQ0FBQztZQUNqQixDQUFDLENBQUMsQ0FBQztZQUNILE9BQU8sQ0FBQyxFQUFFLENBQUMsU0FBUyxFQUFFLEdBQUcsRUFBRTtnQkFDekIsT0FBTyxFQUFFLENBQUM7Z0JBQ1YsT0FBTyxDQUFDLElBQUksRUFBRSxDQUFDO1lBQ2pCLENBQUMsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLGdCQUFnQixDQUFDLFFBQTZCO1FBQ3BELHdCQUF3QjtRQUN4QixNQUFNLGFBQWEsR0FBRyxDQUFDLElBQW9ELEVBQUUsRUFBRTtZQUM3RSxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztnQkFDeEIsSUFBSSxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLGFBQWEsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO2dCQUNwQyxPQUFPO1lBQ1QsQ0FBQztZQUVELElBQUksT0FBTyxJQUFJLEtBQUssUUFBUSxFQUFFLENBQUM7Z0JBQzdCLElBQUksSUFBSSxHQUFHLENBQUMsSUFBSSxJQUFJLEdBQUcsS0FBSyxFQUFFLENBQUM7b0JBQzdCLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyx3QkFBd0IsSUFBSSxFQUFFLENBQUMsQ0FBQztnQkFDL0QsQ0FBQztZQUNILENBQUM7aUJBQU0sSUFBSSxPQUFPLElBQUksS0FBSyxRQUFRLEVBQUUsQ0FBQztnQkFDcEMsSUFBSSxJQUFJLENBQUMsSUFBSSxHQUFHLENBQUMsSUFBSSxJQUFJLENBQUMsSUFBSSxHQUFHLEtBQUssSUFBSSxJQUFJLENBQUMsRUFBRSxHQUFHLENBQUMsSUFBSSxJQUFJLENBQUMsRUFBRSxHQUFHLEtBQUssSUFBSSxJQUFJLENBQUMsSUFBSSxHQUFHLElBQUksQ0FBQyxFQUFFLEVBQUUsQ0FBQztvQkFDaEcsTUFBTSxJQUFJLGtCQUFrQixDQUFDLHVCQUF1QixJQUFJLENBQUMsSUFBSSxJQUFJLElBQUksQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO2dCQUM5RSxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUMsQ0FBQztRQUVGLGFBQWEsQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDakMsYUFBYSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUUvQix1Q0FBdUM7UUFDdkMsTUFBTSxPQUFPLEdBQUcseUlBQXlJLENBQUM7UUFDMUosTUFBTSxTQUFTLEdBQUcsa3NCQUFrc0IsQ0FBQztRQUVydEIsd0JBQXdCO1FBQ3hCLE1BQU0sV0FBVyxHQUFHLENBQUMsR0FBYyxFQUFFLEVBQUU7WUFDckMsSUFBSSxDQUFDLEdBQUc7Z0JBQUUsT0FBTztZQUVqQixLQUFLLE1BQU0sRUFBRSxJQUFJLEdBQUcsRUFBRSxDQUFDO2dCQUNyQixJQUFJLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQztvQkFDN0MsTUFBTSxJQUFJLGtCQUFrQixDQUFDLDhCQUE4QixFQUFFLEVBQUUsQ0FBQyxDQUFDO2dCQUNuRSxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUMsQ0FBQztRQUVGLFdBQVcsQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztRQUN2QyxXQUFXLENBQUMsUUFBUSxDQUFDLGVBQWUsQ0FBQyxDQUFDO1FBRXRDLGdEQUFnRDtRQUNoRCxJQUFJLFFBQVEsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUNwQixNQUFNLFNBQVMsR0FBRyw2R0FBNkcsQ0FBQztZQUNoSSxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7Z0JBQzNHLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyx3QkFBd0IsUUFBUSxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUM7WUFDMUUsQ0FBQztRQUNILENBQUM7UUFFRCxtREFBbUQ7UUFDbkQsSUFBSSxRQUFRLENBQUMsU0FBUyxFQUFFLENBQUM7WUFDdkIsTUFBTSxjQUFjLEdBQUcsaUJBQWlCLENBQUM7WUFDekMsSUFBSSxDQUFDLGNBQWMsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLFNBQVMsQ0FBQyxFQUFFLENBQUM7Z0JBQzdDLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyx1QkFBdUIsUUFBUSxDQUFDLFNBQVMsNkRBQTZELENBQUMsQ0FBQztZQUN2SSxDQUFDO1FBQ0gsQ0FBQztRQUVELG1DQUFtQztRQUNuQyxJQUFJLFFBQVEsQ0FBQyxHQUFHLEVBQUUsT0FBTyxFQUFFLENBQUM7WUFDMUIsSUFBSSxRQUFRLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUFDO2dCQUN6QixNQUFNLFNBQVMsR0FBRyxzQkFBc0IsQ0FBQztnQkFDekMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO29CQUMxQyxNQUFNLElBQUksa0JBQWtCLENBQUMsd0JBQXdCLFFBQVEsQ0FBQyxHQUFHLENBQUMsT0FBTywyQ0FBMkMsQ0FBQyxDQUFDO2dCQUN4SCxDQUFDO1lBQ0gsQ0FBQztZQUVELElBQUksUUFBUSxDQUFDLEdBQUcsQ0FBQyxRQUFRLEtBQUssU0FBUyxFQUFFLENBQUM7Z0JBQ3hDLElBQUksUUFBUSxDQUFDLEdBQUcsQ0FBQyxRQUFRLEdBQUcsQ0FBQyxJQUFJLFFBQVEsQ0FBQyxHQUFHLENBQUMsUUFBUSxHQUFHLEVBQUUsSUFBSSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO29CQUN4RyxNQUFNLElBQUksa0JBQWtCLENBQUMscUJBQXFCLFFBQVEsQ0FBQyxHQUFHLENBQUMsUUFBUSx3Q0FBd0MsQ0FBQyxDQUFDO2dCQUNuSCxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSyxpQkFBaUIsQ0FBQyxRQUF3RDtRQUNoRixNQUFNLE1BQU0sR0FBZ0IsRUFBRSxDQUFDO1FBRS9CLElBQUksS0FBSyxDQUFDLE9BQU8sQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO1lBQzVCLHlDQUF5QztZQUN6QyxLQUFLLE1BQU0sSUFBSSxJQUFJLFFBQVEsRUFBRSxDQUFDO2dCQUM1QixNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxDQUFDLENBQUM7WUFDL0MsQ0FBQztRQUNILENBQUM7YUFBTSxJQUFJLE9BQU8sUUFBUSxLQUFLLFFBQVEsRUFBRSxDQUFDO1lBQ3hDLDBEQUEwRDtZQUMxRCxNQUFNLENBQUMsSUFBSSxDQUFDLEVBQUUsSUFBSSxFQUFFLFFBQVEsRUFBRSxFQUFFLEVBQUUsUUFBUSxFQUFFLENBQUMsQ0FBQztRQUNoRCxDQUFDO2FBQU0sQ0FBQztZQUNOLGtCQUFrQjtZQUNsQixNQUFNLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQ3hCLENBQUM7UUFFRCxPQUFPLE1BQU0sQ0FBQztJQUNoQixDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMsZ0JBQWdCLENBQUMsT0FBZSxFQUFFLFVBQVUsR0FBRyxDQUFDLEVBQUUsWUFBWSxHQUFHLElBQUk7UUFDakYsSUFBSSxTQUE0QixDQUFDO1FBRWpDLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxVQUFVLEVBQUUsQ0FBQyxFQUFFLEVBQUUsQ0FBQztZQUNwQyxJQUFJLENBQUM7Z0JBQ0gsTUFBTSxFQUFFLE1BQU0sRUFBRSxHQUFHLE1BQU0sU0FBUyxDQUFDLE9BQU8sQ0FBQyxDQUFDO2dCQUM1QyxPQUFPLE1BQU0sQ0FBQztZQUNoQixDQUFDO1lBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztnQkFDYixTQUFTLEdBQUcsR0FBRyxDQUFDO2dCQUNoQixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSwyQkFBMkIsQ0FBQyxHQUFDLENBQUMsSUFBSSxVQUFVLE1BQU0sT0FBTyxFQUFFLEVBQUUsRUFBRSxLQUFLLEVBQUUsR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7Z0JBRXRHLGtEQUFrRDtnQkFDbEQsSUFBSSxDQUFDLEdBQUcsVUFBVSxHQUFHLENBQUMsRUFBRSxDQUFDO29CQUN2QixNQUFNLElBQUksT0FBTyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUMsVUFBVSxDQUFDLE9BQU8sRUFBRSxZQUFZLENBQUMsQ0FBQyxDQUFDO2dCQUNsRSxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUM7UUFFRCxNQUFNLElBQUksaUJBQWlCLENBQUMsZ0JBQWdCLFVBQVUsY0FBYyxTQUFTLEVBQUUsT0FBTyxJQUFJLGVBQWUsRUFBRSxDQUFDLENBQUM7SUFDL0csQ0FBQztJQUVEOztPQUVHO0lBQ0ssb0JBQW9CLENBQUMsT0FBZSxFQUFFLFVBQVUsR0FBRyxDQUFDLEVBQUUsWUFBWSxHQUFHLElBQUk7UUFDL0UsSUFBSSxTQUE0QixDQUFDO1FBRWpDLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxVQUFVLEVBQUUsQ0FBQyxFQUFFLEVBQUUsQ0FBQztZQUNwQyxJQUFJLENBQUM7Z0JBQ0gsT0FBTyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDdEMsQ0FBQztZQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7Z0JBQ2IsU0FBUyxHQUFHLEdBQUcsQ0FBQztnQkFDaEIsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsMkJBQTJCLENBQUMsR0FBQyxDQUFDLElBQUksVUFBVSxNQUFNLE9BQU8sRUFBRSxFQUFFLEVBQUUsS0FBSyxFQUFFLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO2dCQUV0RyxrREFBa0Q7Z0JBQ2xELElBQUksQ0FBQyxHQUFHLFVBQVUsR0FBRyxDQUFDLEVBQUUsQ0FBQztvQkFDdkIsZ0NBQWdDO29CQUNoQyxNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsR0FBRyxFQUFFLEdBQUcsWUFBWSxDQUFDO29CQUM1QyxPQUFPLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxTQUFTLEVBQUUsQ0FBQzt3QkFDOUIsdURBQXVEO29CQUN6RCxDQUFDO2dCQUNILENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQztRQUVELE1BQU0sSUFBSSxpQkFBaUIsQ0FBQyxnQkFBZ0IsVUFBVSxjQUFjLFNBQVMsRUFBRSxPQUFPLElBQUksZUFBZSxFQUFFLENBQUMsQ0FBQztJQUMvRyxDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMseUJBQXlCO1FBQ3JDLElBQUksQ0FBQztZQUNILE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDLEdBQUcsYUFBYSxDQUFDLE9BQU8sWUFBWSxFQUFFLElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUFFLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxDQUFDLENBQUM7WUFFeEgsMERBQTBEO1lBQzFELElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxjQUFjLEVBQUUsQ0FBQztnQkFDakMsSUFBSSxDQUFDO29CQUNILE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDLDJCQUEyQixFQUFFLElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUFFLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxDQUFDLENBQUM7Z0JBQ2pILENBQUM7Z0JBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztvQkFDYixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxxRkFBcUYsQ0FBQyxDQUFDO2dCQUMxRyxDQUFDO1lBQ0gsQ0FBQztZQUVELE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixJQUFJLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSw4QkFBOEIsR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7WUFDL0QsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLG9CQUFvQixDQUFDLFNBQWtCLEtBQUs7UUFDeEQsTUFBTSxNQUFNLEdBQUcsTUFBTSxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQztRQUVyQyxJQUFJLENBQUM7WUFDSCxvQ0FBb0M7WUFDcEMsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3hDLEdBQUcsYUFBYSxDQUFDLE9BQU8sZ0JBQWdCLE1BQU0sRUFBRSxFQUNoRCxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7WUFFRixNQUFNLFdBQVcsR0FBRyxNQUFNLENBQUMsUUFBUSxDQUFDLFNBQVMsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQyxDQUFDO1lBRXpFLElBQUksQ0FBQyxXQUFXLEVBQUUsQ0FBQztnQkFDakIsbUJBQW1CO2dCQUNuQixNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FDekIsR0FBRyxhQUFhLENBQUMsT0FBTyxjQUFjLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxFQUFFLEVBQ2hFLElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUN4QixJQUFJLENBQUMsUUFBUSxDQUFDLFlBQVksQ0FDM0IsQ0FBQztnQkFFRixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxpQkFBaUIsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQyxDQUFDO2dCQUU5RCwrQ0FBK0M7Z0JBQy9DLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUN6QixHQUFHLGFBQWEsQ0FBQyxPQUFPLGNBQWMsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLDhEQUE4RCxFQUM1SCxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7Z0JBRUYsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsbUNBQW1DLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxFQUFFLENBQUMsQ0FBQztnQkFFaEYsNEVBQTRFO2dCQUM1RSxJQUFJLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO29CQUNwQyxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FDekIsR0FBRyxhQUFhLENBQUMsT0FBTyxjQUFjLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUywrREFBK0QsRUFDN0gsSUFBSSxDQUFDLFFBQVEsQ0FBQyxVQUFVLEVBQ3hCLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxDQUMzQixDQUFDO29CQUVGLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLG9DQUFvQyxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDLENBQUM7Z0JBQ25GLENBQUM7Z0JBRUQsMERBQTBEO2dCQUMxRCxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsbUJBQW1CLEVBQUUsT0FBTyxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsbUJBQW1CLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztvQkFDdEcsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3pCLEdBQUcsYUFBYSxDQUFDLE9BQU8sY0FBYyxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsbURBQW1ELEVBQ2pILElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUN4QixJQUFJLENBQUMsUUFBUSxDQUFDLFlBQVksQ0FDM0IsQ0FBQztvQkFFRixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSwrQkFBK0IsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQyxDQUFDO2dCQUM5RSxDQUFDO2dCQUVELGlDQUFpQztnQkFDakMsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsRUFBRSxPQUFPLEVBQUUsQ0FBQztvQkFDL0IsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3pCLEdBQUcsYUFBYSxDQUFDLE9BQU8sY0FBYyxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsd0RBQXdELEVBQ3RILElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUN4QixJQUFJLENBQUMsUUFBUSxDQUFDLFlBQVksQ0FDM0IsQ0FBQztvQkFFRixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxnQ0FBZ0MsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQyxDQUFDO2dCQUMvRSxDQUFDO1lBQ0gsQ0FBQztpQkFBTSxDQUFDO2dCQUNOLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLFNBQVMsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLHVDQUF1QyxDQUFDLENBQUM7WUFDN0YsQ0FBQztZQUVELE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixJQUFJLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSx1Q0FBdUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7WUFDeEUsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLFdBQVcsQ0FDdkIsTUFBYyxFQUNkLE9BQWUsRUFDZixHQUFhLEVBQ2IsVUFBcUMsV0FBVztRQUVoRCxJQUFJLENBQUM7WUFDSCw2QkFBNkI7WUFDN0IsTUFBTSxXQUFXLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUMsRUFBRTtnQkFDbEMsSUFBSSxNQUFNLEtBQUssS0FBSyxJQUFJLEVBQUUsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDO29CQUFFLE9BQU8sSUFBSSxDQUFDO2dCQUN0RCxJQUFJLE1BQU0sS0FBSyxJQUFJLElBQUksRUFBRSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUM7b0JBQUUsT0FBTyxJQUFJLENBQUM7Z0JBQ3JELE9BQU8sS0FBSyxDQUFDO1lBQ2YsQ0FBQyxDQUFDLENBQUM7WUFFSCxJQUFJLFdBQVcsQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFLENBQUM7Z0JBQzdCLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLDJCQUEyQixPQUFPLGtCQUFrQixPQUFPLEVBQUUsQ0FBQyxDQUFDO2dCQUNoRixPQUFPLElBQUksQ0FBQztZQUNkLENBQUM7WUFFRCw4QkFBOEI7WUFDOUIsSUFBSSxDQUFDO2dCQUNILE1BQU0sSUFBSSxHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUN0QyxHQUFHLGFBQWEsQ0FBQyxPQUFPLGNBQWMsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsRUFDaEUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxVQUFVLEVBQ3hCLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxDQUMzQixDQUFDO2dCQUVGLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxPQUFPLE9BQU8sSUFBSSxDQUFDLEVBQUUsQ0FBQztvQkFDdEMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsVUFBVSxPQUFPLG9DQUFvQyxDQUFDLENBQUM7Z0JBQzFFLENBQUM7cUJBQU0sQ0FBQztvQkFDTixpQkFBaUI7b0JBQ2pCLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUN6QixHQUFHLGFBQWEsQ0FBQyxPQUFPLFlBQVksTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLElBQUksT0FBTyxXQUFXLE9BQU8sS0FBSyxFQUM5RixJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7b0JBRUYsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsa0JBQWtCLE9BQU8sUUFBUSxNQUFNLGNBQWMsT0FBTyxFQUFFLENBQUMsQ0FBQztnQkFDbkYsQ0FBQztZQUNILENBQUM7WUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO2dCQUNiLHFDQUFxQztnQkFDckMsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3pCLEdBQUcsYUFBYSxDQUFDLE9BQU8sWUFBWSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxPQUFPLFdBQVcsT0FBTyxLQUFLLEVBQzlGLElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUN4QixJQUFJLENBQUMsUUFBUSxDQUFDLFlBQVksQ0FDM0IsQ0FBQztnQkFFRixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxrQkFBa0IsT0FBTyxRQUFRLE1BQU0sY0FBYyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQ25GLENBQUM7WUFFRCx5RUFBeUU7WUFDekUsTUFBTSxTQUFTLEdBQUcsR0FBRyxDQUFDO1lBQ3RCLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxXQUFXLENBQUMsTUFBTSxFQUFFLENBQUMsSUFBSSxTQUFTLEVBQUUsQ0FBQztnQkFDdkQsTUFBTSxLQUFLLEdBQUcsV0FBVyxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQyxHQUFHLFNBQVMsQ0FBQyxDQUFDO2dCQUNsRCxNQUFNLFFBQVEsR0FBRyxLQUFLLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDO2dCQUVsQyxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FDekIsR0FBRyxhQUFhLENBQUMsT0FBTyxnQkFBZ0IsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLElBQUksT0FBTyxNQUFNLFFBQVEsSUFBSSxFQUM3RixJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7Z0JBRUYsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsa0JBQWtCLEtBQUssQ0FBQyxNQUFNLGVBQWUsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUMzRSxDQUFDO1lBRUQsbUJBQW1CO1lBQ25CLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLEdBQUcsTUFBTSxJQUFJLE9BQU8sRUFBRSxFQUFFLFdBQVcsQ0FBQyxDQUFDO1lBRXJELE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixJQUFJLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSwyQkFBMkIsT0FBTyxLQUFLLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQ3hFLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxTQUFrQixLQUFLO1FBQ3RELElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLGdCQUFnQixJQUFJLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxlQUFlLEVBQUUsQ0FBQztZQUN0RSxPQUFPLElBQUksQ0FBQyxDQUFDLGdCQUFnQjtRQUMvQixDQUFDO1FBRUQsTUFBTSxNQUFNLEdBQUcsTUFBTSxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQztRQUNyQyxNQUFNLEtBQUssR0FBRyxnQkFBZ0IsQ0FBQztRQUMvQixNQUFNLE9BQU8sR0FBRyxNQUFNLENBQUMsQ0FBQyxDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUMsV0FBVyxDQUFDO1FBRW5ELElBQUksQ0FBQztZQUNILDBDQUEwQztZQUMxQyxJQUFJLGNBQWMsR0FBRyxFQUFFLENBQUM7WUFFeEIsdUVBQXVFO1lBQ3ZFLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxTQUFTLEVBQUUsQ0FBQztnQkFDNUIsbURBQW1EO2dCQUNuRCxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsZUFBZSxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsZUFBZSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztvQkFDOUUsTUFBTSxPQUFPLEdBQUcsWUFBWSxDQUFDO29CQUM3QixNQUFNLElBQUksQ0FBQyxXQUFXLENBQUMsTUFBTSxFQUFFLE9BQU8sRUFBRSxJQUFJLENBQUMsUUFBUSxDQUFDLGVBQWUsRUFBRSxPQUFjLENBQUMsQ0FBQztvQkFFdkYsMkNBQTJDO29CQUMzQyxNQUFNLElBQUksR0FBRyxZQUFZLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxJQUFJLEtBQUssTUFBTSxNQUFNLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxXQUFXLE9BQU8sa0JBQWtCLElBQUksQ0FBQyxPQUFPLGNBQWMsQ0FBQztvQkFDaEosY0FBYyxJQUFJLEdBQUcsSUFBSSxJQUFJLENBQUM7b0JBRTlCLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDO3dCQUNkLFdBQVcsRUFBRSxNQUFNO3dCQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7d0JBQ3pCLFNBQVMsRUFBRSxLQUFLO3dCQUNoQixZQUFZLEVBQUUsSUFBSTt3QkFDbEIsS0FBSyxFQUFFLEtBQUs7cUJBQ2IsQ0FBQyxDQUFDO2dCQUNMLENBQUM7Z0JBRUQsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLGdCQUFnQixJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO29CQUNoRixNQUFNLE9BQU8sR0FBRyxhQUFhLENBQUM7b0JBQzlCLE1BQU0sSUFBSSxDQUFDLFdBQVcsQ0FBQyxNQUFNLEVBQUUsT0FBTyxFQUFFLElBQUksQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLEVBQUUsT0FBYyxDQUFDLENBQUM7b0JBRXhGLDZDQUE2QztvQkFDN0MsTUFBTSxJQUFJLEdBQUcsWUFBWSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxLQUFLLE1BQU0sTUFBTSxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsV0FBVyxPQUFPLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFdBQVcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxxQkFBcUIsSUFBSSxDQUFDLE9BQU8sZUFBZSxDQUFDO29CQUNqTyxjQUFjLElBQUksR0FBRyxJQUFJLElBQUksQ0FBQztvQkFFOUIsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUM7d0JBQ2QsV0FBVyxFQUFFLE1BQU07d0JBQ25CLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUzt3QkFDekIsU0FBUyxFQUFFLEtBQUs7d0JBQ2hCLFlBQVksRUFBRSxJQUFJO3dCQUNsQixLQUFLLEVBQUUsS0FBSztxQkFDYixDQUFDLENBQUM7b0JBRUgseUNBQXlDO29CQUN6QyxNQUFNLFFBQVEsR0FBRyxZQUFZLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxJQUFJLEtBQUssSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsV0FBVyxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLG1CQUFtQixJQUFJLENBQUMsT0FBTyxZQUFZLENBQUM7b0JBQ3ZMLGNBQWMsSUFBSSxHQUFHLFFBQVEsSUFBSSxDQUFDO29CQUVsQyxJQUFJLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQzt3QkFDZCxXQUFXLEVBQUUsTUFBTTt3QkFDbkIsU0FBUyxFQUFFLElBQUksQ0FBQyxTQUFTO3dCQUN6QixTQUFTLEVBQUUsS0FBSzt3QkFDaEIsWUFBWSxFQUFFLFFBQVE7d0JBQ3RCLEtBQUssRUFBRSxLQUFLO3FCQUNiLENBQUMsQ0FBQztnQkFDTCxDQUFDO1lBQ0gsQ0FBQztpQkFBTSxDQUFDO2dCQUNOLDJFQUEyRTtnQkFFM0UseUJBQXlCO2dCQUN6QixJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsZUFBZSxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsZUFBZSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztvQkFDOUUsS0FBSyxNQUFNLEVBQUUsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLGVBQWUsRUFBRSxDQUFDO3dCQUMvQyxvREFBb0Q7d0JBQ3BELElBQUksTUFBTSxJQUFJLEVBQUUsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDOzRCQUFFLFNBQVM7d0JBQ3pDLElBQUksQ0FBQyxNQUFNLElBQUksRUFBRSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUM7NEJBQUUsU0FBUzt3QkFFMUMsTUFBTSxJQUFJLEdBQUcsWUFBWSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxLQUFLLE1BQU0sTUFBTSxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsVUFBVSxFQUFFLGtCQUFrQixJQUFJLENBQUMsT0FBTyxVQUFVLENBQUM7d0JBQ3RJLGNBQWMsSUFBSSxHQUFHLElBQUksSUFBSSxDQUFDO3dCQUU5QixJQUFJLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQzs0QkFDZCxXQUFXLEVBQUUsTUFBTTs0QkFDbkIsU0FBUyxFQUFFLElBQUksQ0FBQyxTQUFTOzRCQUN6QixTQUFTLEVBQUUsS0FBSzs0QkFDaEIsWUFBWSxFQUFFLElBQUk7NEJBQ2xCLEtBQUssRUFBRSxLQUFLO3lCQUNiLENBQUMsQ0FBQztvQkFDTCxDQUFDO2dCQUNILENBQUM7Z0JBRUQscUJBQXFCO2dCQUNyQixJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxFQUFFLENBQUM7b0JBQ2hGLGtDQUFrQztvQkFDbEMsS0FBSyxNQUFNLEVBQUUsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLGdCQUFnQixFQUFFLENBQUM7d0JBQ2hELG9EQUFvRDt3QkFDcEQsSUFBSSxNQUFNLElBQUksRUFBRSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUM7NEJBQUUsU0FBUzt3QkFDekMsSUFBSSxDQUFDLE1BQU0sSUFBSSxFQUFFLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQzs0QkFBRSxTQUFTO3dCQUUxQyxNQUFNLElBQUksR0FBRyxZQUFZLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxJQUFJLEtBQUssTUFBTSxNQUFNLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxVQUFVLEVBQUUsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsV0FBVyxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLHFCQUFxQixJQUFJLENBQUMsT0FBTyxXQUFXLENBQUM7d0JBQ3ZOLGNBQWMsSUFBSSxHQUFHLElBQUksSUFBSSxDQUFDO3dCQUU5QixJQUFJLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQzs0QkFDZCxXQUFXLEVBQUUsTUFBTTs0QkFDbkIsU0FBUyxFQUFFLElBQUksQ0FBQyxTQUFTOzRCQUN6QixTQUFTLEVBQUUsS0FBSzs0QkFDaEIsWUFBWSxFQUFFLElBQUk7NEJBQ2xCLEtBQUssRUFBRSxLQUFLO3lCQUNiLENBQUMsQ0FBQztvQkFDTCxDQUFDO29CQUVELHlDQUF5QztvQkFDekMsTUFBTSxRQUFRLEdBQUcsWUFBWSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxLQUFLLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFdBQVcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxtQkFBbUIsSUFBSSxDQUFDLE9BQU8sWUFBWSxDQUFDO29CQUN2TCxjQUFjLElBQUksR0FBRyxRQUFRLElBQUksQ0FBQztvQkFFbEMsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUM7d0JBQ2QsV0FBVyxFQUFFLE1BQU07d0JBQ25CLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUzt3QkFDekIsU0FBUyxFQUFFLEtBQUs7d0JBQ2hCLFlBQVksRUFBRSxRQUFRO3dCQUN0QixLQUFLLEVBQUUsS0FBSztxQkFDYixDQUFDLENBQUM7Z0JBQ0wsQ0FBQztZQUNILENBQUM7WUFFRCwrQ0FBK0M7WUFDL0MsSUFBSSxjQUFjLEVBQUUsQ0FBQztnQkFDbkIsd0NBQXdDO2dCQUN4QyxFQUFFLENBQUMsYUFBYSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsY0FBYyxDQUFDLENBQUM7Z0JBRXBELG9CQUFvQjtnQkFDcEIsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3pCLEdBQUcsYUFBYSxDQUFDLE9BQU8sT0FBTyxJQUFJLENBQUMsWUFBWSxFQUFFLEVBQ2xELElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUN4QixJQUFJLENBQUMsUUFBUSxDQUFDLFlBQVksQ0FDM0IsQ0FBQztnQkFFRixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxvQ0FBb0MsTUFBTSxFQUFFLENBQUMsQ0FBQztnQkFFL0Qsc0JBQXNCO2dCQUN0QixLQUFLLE1BQU0sSUFBSSxJQUFJLElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQztvQkFDOUIsSUFBSSxJQUFJLENBQUMsV0FBVyxLQUFLLE1BQU0sSUFBSSxDQUFDLElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQzt3QkFDL0MsSUFBSSxDQUFDLEtBQUssR0FBRyxJQUFJLENBQUM7d0JBRWxCLDhCQUE4Qjt3QkFDOUIsTUFBTSxJQUFJLENBQUMscUJBQXFCLENBQUMsSUFBSSxDQUFDLENBQUM7b0JBQ3pDLENBQUM7Z0JBQ0gsQ0FBQztnQkFFRCw0QkFBNEI7Z0JBQzVCLEVBQUUsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUFDO1lBQ25DLENBQUM7WUFFRCxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUseUNBQXlDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBRTFFLHVEQUF1RDtZQUN2RCxJQUFJLENBQUMsYUFBYSxFQUFFLENBQUM7WUFFckIsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssV0FBVyxDQUFDLFFBQXdEO1FBQzFFLE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUNwRCxNQUFNLEtBQUssR0FBYSxFQUFFLENBQUM7UUFFM0IsS0FBSyxNQUFNLEtBQUssSUFBSSxVQUFVLEVBQUUsQ0FBQztZQUMvQixJQUFJLEtBQUssQ0FBQyxJQUFJLEtBQUssS0FBSyxDQUFDLEVBQUUsRUFBRSxDQUFDO2dCQUM1QixLQUFLLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUMsQ0FBQztZQUNwQyxDQUFDO2lCQUFNLENBQUM7Z0JBQ04sS0FBSyxDQUFDLElBQUksQ0FBQyxHQUFHLEtBQUssQ0FBQyxJQUFJLElBQUksS0FBSyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUM7WUFDMUMsQ0FBQztRQUNILENBQUM7UUFFRCxPQUFPLEtBQUssQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUM7SUFDMUIsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLGdCQUFnQixDQUFDLFNBQWtCLEtBQUs7UUFDcEQsSUFBSSxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsY0FBYyxFQUFFLENBQUM7WUFDbEMsT0FBTyxJQUFJLENBQUMsQ0FBQyxpQ0FBaUM7UUFDaEQsQ0FBQztRQUVELE1BQU0sTUFBTSxHQUFHLE1BQU0sQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUM7UUFDckMsTUFBTSxlQUFlLEdBQUcsZ0JBQWdCLENBQUM7UUFFekMsSUFBSSxDQUFDO1lBQ0gsc0JBQXNCO1lBQ3RCLE1BQU0sY0FBYyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1lBQ3RFLE1BQU0sWUFBWSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1lBRWxFLElBQUksY0FBYyxHQUFHLEVBQUUsQ0FBQztZQUV4Qiw0REFBNEQ7WUFDNUQsSUFBSSxjQUFjLENBQUMsTUFBTSxLQUFLLENBQUMsSUFBSSxZQUFZLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRSxDQUFDO2dCQUM3RCxNQUFNLFNBQVMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQ3BDLE1BQU0sT0FBTyxHQUFHLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztnQkFFaEMsc0RBQXNEO2dCQUN0RCxJQUFJLFNBQVMsQ0FBQyxJQUFJLEtBQUssU0FBUyxDQUFDLEVBQUUsSUFBSSxPQUFPLENBQUMsSUFBSSxLQUFLLE9BQU8sQ0FBQyxFQUFFLEVBQUUsQ0FBQztvQkFDbkUsTUFBTSxJQUFJLEdBQUcsWUFBWSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxlQUFlLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFVBQVUsU0FBUyxDQUFDLElBQUkseUJBQXlCLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxJQUFJLE9BQU8sQ0FBQyxJQUFJLGFBQWEsSUFBSSxDQUFDLE9BQU8sV0FBVyxDQUFDO29CQUN4TixjQUFjLElBQUksR0FBRyxJQUFJLElBQUksQ0FBQztvQkFFOUIsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUM7d0JBQ2QsV0FBVyxFQUFFLE1BQU07d0JBQ25CLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUzt3QkFDekIsU0FBUyxFQUFFLGVBQWU7d0JBQzFCLFlBQVksRUFBRSxJQUFJO3dCQUNsQixLQUFLLEVBQUUsS0FBSztxQkFDYixDQUFDLENBQUM7Z0JBQ0wsQ0FBQztnQkFDRCw0QkFBNEI7cUJBQ3ZCLElBQUksQ0FBQyxTQUFTLENBQUMsRUFBRSxHQUFHLFNBQVMsQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxFQUFFLEdBQUcsT0FBTyxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUM7b0JBQ3pFLE1BQU0sSUFBSSxHQUFHLFlBQVksTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLElBQUksZUFBZSxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxVQUFVLFNBQVMsQ0FBQyxJQUFJLElBQUksU0FBUyxDQUFDLEVBQUUseUJBQXlCLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxJQUFJLE9BQU8sQ0FBQyxJQUFJLElBQUksT0FBTyxDQUFDLEVBQUUsYUFBYSxJQUFJLENBQUMsT0FBTyxpQkFBaUIsQ0FBQztvQkFDNVAsY0FBYyxJQUFJLEdBQUcsSUFBSSxJQUFJLENBQUM7b0JBRTlCLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDO3dCQUNkLFdBQVcsRUFBRSxNQUFNO3dCQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7d0JBQ3pCLFNBQVMsRUFBRSxlQUFlO3dCQUMxQixZQUFZLEVBQUUsSUFBSTt3QkFDbEIsS0FBSyxFQUFFLEtBQUs7cUJBQ2IsQ0FBQyxDQUFDO2dCQUNMLENBQUM7Z0JBQ0QsZ0ZBQWdGO2dCQUNoRixNQUFNLE1BQU0sR0FBRyxZQUFZLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxJQUFJLGVBQWUsaURBQWlELElBQUksQ0FBQyxPQUFPLGtCQUFrQixDQUFDO2dCQUN0SixjQUFjLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQztnQkFFaEMsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUM7b0JBQ2QsV0FBVyxFQUFFLE1BQU07b0JBQ25CLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUztvQkFDekIsU0FBUyxFQUFFLGVBQWU7b0JBQzFCLFlBQVksRUFBRSxNQUFNO29CQUNwQixLQUFLLEVBQUUsS0FBSztpQkFDYixDQUFDLENBQUM7Z0JBRUgsaUNBQWlDO2dCQUNqQyxJQUFJLGNBQWMsRUFBRSxDQUFDO29CQUNuQixFQUFFLENBQUMsYUFBYSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsY0FBYyxDQUFDLENBQUM7b0JBRXBELE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUN6QixHQUFHLGFBQWEsQ0FBQyxPQUFPLE9BQU8sSUFBSSxDQUFDLFlBQVksRUFBRSxFQUNsRCxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7b0JBRUYsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsZ0NBQWdDLE1BQU0sRUFBRSxDQUFDLENBQUM7b0JBRTNELHNCQUFzQjtvQkFDdEIsS0FBSyxNQUFNLElBQUksSUFBSSxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7d0JBQzlCLElBQUksSUFBSSxDQUFDLFdBQVcsS0FBSyxNQUFNLElBQUksQ0FBQyxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7NEJBQy9DLElBQUksQ0FBQyxLQUFLLEdBQUcsSUFBSSxDQUFDOzRCQUVsQiw4QkFBOEI7NEJBQzlCLE1BQU0sSUFBSSxDQUFDLHFCQUFxQixDQUFDLElBQUksQ0FBQyxDQUFDO3dCQUN6QyxDQUFDO29CQUNILENBQUM7b0JBRUQsNEJBQTRCO29CQUM1QixFQUFFLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQztnQkFDbkMsQ0FBQztZQUNILENBQUM7WUFFRCxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsa0NBQWtDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQ25FLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQyxTQUFrQixLQUFLO1FBQzFELHlFQUF5RTtRQUN6RSxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsY0FBYyxFQUFFLENBQUM7WUFDakMsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsTUFBTSxNQUFNLEdBQUcsTUFBTSxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQztRQUNyQyxNQUFNLGVBQWUsR0FBRyxnQkFBZ0IsQ0FBQztRQUN6QyxNQUFNLGdCQUFnQixHQUFHLGlCQUFpQixDQUFDO1FBRTNDLElBQUksQ0FBQztZQUNILGdDQUFnQztZQUNoQyxNQUFNLGNBQWMsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUMsQ0FBQztZQUN0RSxNQUFNLFlBQVksR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUVsRSwrREFBK0Q7WUFDL0QsSUFBSSxjQUFjLENBQUMsTUFBTSxLQUFLLFlBQVksQ0FBQyxNQUFNLEVBQUUsQ0FBQztnQkFDbEQsSUFBSSxZQUFZLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRSxDQUFDO29CQUM5Qix1REFBdUQ7b0JBQ3ZELE1BQU0sYUFBYSxHQUFHLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztvQkFFdEMsT0FBTyxNQUFNLElBQUksQ0FBQyxlQUFlLENBQUMsTUFBTSxFQUFFLGVBQWUsRUFBRSxnQkFBZ0IsRUFBRSxjQUFjLEVBQUUsYUFBYSxDQUFDLENBQUM7Z0JBQzlHLENBQUM7cUJBQU0sQ0FBQztvQkFDTixNQUFNLElBQUksa0JBQWtCLENBQUMsNEdBQTRHLENBQUMsQ0FBQztnQkFDN0ksQ0FBQztZQUNILENBQUM7aUJBQU0sQ0FBQztnQkFDTiw0Q0FBNEM7Z0JBQzVDLE9BQU8sTUFBTSxJQUFJLENBQUMsbUJBQW1CLENBQUMsTUFBTSxFQUFFLGVBQWUsRUFBRSxnQkFBZ0IsRUFBRSxjQUFjLEVBQUUsWUFBWSxDQUFDLENBQUM7WUFDakgsQ0FBQztRQUNILENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsd0NBQXdDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQ3pFLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxlQUFlLENBQzNCLE1BQWMsRUFDZCxlQUF1QixFQUN2QixnQkFBd0IsRUFDeEIsY0FBMkIsRUFDM0IsV0FBc0I7UUFFdEIsSUFBSSxDQUFDO1lBQ0gsSUFBSSxjQUFjLEdBQUcsRUFBRSxDQUFDO1lBRXhCLHlFQUF5RTtZQUN6RSxLQUFLLE1BQU0sU0FBUyxJQUFJLGNBQWMsRUFBRSxDQUFDO2dCQUN2QywwQ0FBMEM7Z0JBQzFDLElBQUksU0FBUyxDQUFDLElBQUksS0FBSyxTQUFTLENBQUMsRUFBRSxJQUFJLFdBQVcsQ0FBQyxJQUFJLEtBQUssV0FBVyxDQUFDLEVBQUUsRUFBRSxDQUFDO29CQUMzRSxNQUFNLElBQUksR0FBRyxZQUFZLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxJQUFJLGVBQWUsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsVUFBVSxTQUFTLENBQUMsSUFBSSxZQUFZLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxJQUFJLFdBQVcsQ0FBQyxJQUFJLGFBQWEsSUFBSSxDQUFDLE9BQU8sUUFBUSxDQUFDO29CQUM1TSxjQUFjLElBQUksR0FBRyxJQUFJLElBQUksQ0FBQztvQkFFOUIsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUM7d0JBQ2QsV0FBVyxFQUFFLE1BQU07d0JBQ25CLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUzt3QkFDekIsU0FBUyxFQUFFLGVBQWU7d0JBQzFCLFlBQVksRUFBRSxJQUFJO3dCQUNsQixLQUFLLEVBQUUsS0FBSztxQkFDYixDQUFDLENBQUM7Z0JBQ0wsQ0FBQztnQkFDRCw4REFBOEQ7cUJBQ3pELElBQUksV0FBVyxDQUFDLElBQUksS0FBSyxXQUFXLENBQUMsRUFBRSxFQUFFLENBQUM7b0JBQzdDLG9EQUFvRDtvQkFDcEQsS0FBSyxJQUFJLENBQUMsR0FBRyxTQUFTLENBQUMsSUFBSSxFQUFFLENBQUMsSUFBSSxTQUFTLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUM7d0JBQ3BELE1BQU0sSUFBSSxHQUFHLFlBQVksTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLElBQUksZUFBZSxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxVQUFVLENBQUMsWUFBWSxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sSUFBSSxXQUFXLENBQUMsSUFBSSxhQUFhLElBQUksQ0FBQyxPQUFPLFFBQVEsQ0FBQzt3QkFDL0wsY0FBYyxJQUFJLEdBQUcsSUFBSSxJQUFJLENBQUM7d0JBRTlCLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDOzRCQUNkLFdBQVcsRUFBRSxNQUFNOzRCQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7NEJBQ3pCLFNBQVMsRUFBRSxlQUFlOzRCQUMxQixZQUFZLEVBQUUsSUFBSTs0QkFDbEIsS0FBSyxFQUFFLEtBQUs7eUJBQ2IsQ0FBQyxDQUFDO29CQUNMLENBQUM7Z0JBQ0gsQ0FBQztnQkFDRCw0REFBNEQ7cUJBQ3ZELENBQUM7b0JBQ0osTUFBTSxXQUFXLEdBQUcsV0FBVyxDQUFDLEVBQUUsR0FBRyxXQUFXLENBQUMsSUFBSSxHQUFHLENBQUMsQ0FBQztvQkFFMUQsS0FBSyxJQUFJLENBQUMsR0FBRyxTQUFTLENBQUMsSUFBSSxFQUFFLENBQUMsSUFBSSxTQUFTLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUM7d0JBQ3BELE1BQU0sTUFBTSxHQUFHLENBQUMsQ0FBQyxHQUFHLFNBQVMsQ0FBQyxJQUFJLENBQUMsR0FBRyxXQUFXLENBQUM7d0JBQ2xELE1BQU0sVUFBVSxHQUFHLFdBQVcsQ0FBQyxJQUFJLEdBQUcsTUFBTSxDQUFDO3dCQUU3QyxNQUFNLElBQUksR0FBRyxZQUFZLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxJQUFJLGVBQWUsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsVUFBVSxDQUFDLFlBQVksSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLElBQUksVUFBVSxhQUFhLElBQUksQ0FBQyxPQUFPLFFBQVEsQ0FBQzt3QkFDekwsY0FBYyxJQUFJLEdBQUcsSUFBSSxJQUFJLENBQUM7d0JBRTlCLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDOzRCQUNkLFdBQVcsRUFBRSxNQUFNOzRCQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7NEJBQ3pCLFNBQVMsRUFBRSxlQUFlOzRCQUMxQixZQUFZLEVBQUUsSUFBSTs0QkFDbEIsS0FBSyxFQUFFLEtBQUs7eUJBQ2IsQ0FBQyxDQUFDO29CQUNMLENBQUM7Z0JBQ0gsQ0FBQztZQUNILENBQUM7WUFFRCxpRUFBaUU7WUFDakUsSUFBSSxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztnQkFDcEMsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxDQUFDO2dCQUNyRCxNQUFNLFFBQVEsR0FBRyxZQUFZLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxJQUFJLGdCQUFnQixJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxVQUFVLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxXQUFXLEtBQUsseUJBQXlCLElBQUksQ0FBQyxPQUFPLFFBQVEsQ0FBQztnQkFDL0wsY0FBYyxJQUFJLEdBQUcsUUFBUSxJQUFJLENBQUM7Z0JBRWxDLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDO29CQUNkLFdBQVcsRUFBRSxNQUFNO29CQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7b0JBQ3pCLFNBQVMsRUFBRSxnQkFBZ0I7b0JBQzNCLFlBQVksRUFBRSxRQUFRO29CQUN0QixLQUFLLEVBQUUsS0FBSztpQkFDYixDQUFDLENBQUM7WUFDTCxDQUFDO1lBRUQseUNBQXlDO1lBQ3pDLElBQUksY0FBYyxFQUFFLENBQUM7Z0JBQ25CLDBCQUEwQjtnQkFDMUIsRUFBRSxDQUFDLGFBQWEsQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFLGNBQWMsQ0FBQyxDQUFDO2dCQUVwRCxvQkFBb0I7Z0JBQ3BCLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUN6QixHQUFHLGFBQWEsQ0FBQyxPQUFPLE9BQU8sSUFBSSxDQUFDLFlBQVksRUFBRSxFQUNsRCxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7Z0JBRUYsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsbUNBQW1DLE1BQU0sRUFBRSxDQUFDLENBQUM7Z0JBRTlELHNCQUFzQjtnQkFDdEIsS0FBSyxNQUFNLElBQUksSUFBSSxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7b0JBQzlCLElBQUksSUFBSSxDQUFDLFdBQVcsS0FBSyxNQUFNLElBQUksQ0FBQyxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7d0JBQy9DLElBQUksQ0FBQyxLQUFLLEdBQUcsSUFBSSxDQUFDO3dCQUVsQiw4QkFBOEI7d0JBQzlCLE1BQU0sSUFBSSxDQUFDLHFCQUFxQixDQUFDLElBQUksQ0FBQyxDQUFDO29CQUN6QyxDQUFDO2dCQUNILENBQUM7Z0JBRUQsd0JBQXdCO2dCQUN4QixFQUFFLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQztZQUNuQyxDQUFDO1lBRUQsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztZQUNiLElBQUksQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLGdDQUFnQyxHQUFHLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUNqRSxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMsbUJBQW1CLENBQy9CLE1BQWMsRUFDZCxlQUF1QixFQUN2QixnQkFBd0IsRUFDeEIsY0FBMkIsRUFDM0IsWUFBeUI7UUFFekIsSUFBSSxDQUFDO1lBQ0gsSUFBSSxjQUFjLEdBQUcsRUFBRSxDQUFDO1lBRXhCLHdDQUF3QztZQUN4QyxLQUFLLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEdBQUcsY0FBYyxDQUFDLE1BQU0sRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDO2dCQUMvQyxNQUFNLFNBQVMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQ3BDLE1BQU0sT0FBTyxHQUFHLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztnQkFFaEMsMENBQTBDO2dCQUMxQyxJQUFJLFNBQVMsQ0FBQyxJQUFJLEtBQUssU0FBUyxDQUFDLEVBQUUsSUFBSSxPQUFPLENBQUMsSUFBSSxLQUFLLE9BQU8sQ0FBQyxFQUFFLEVBQUUsQ0FBQztvQkFDbkUsTUFBTSxJQUFJLEdBQUcsWUFBWSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxlQUFlLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFVBQVUsU0FBUyxDQUFDLElBQUksWUFBWSxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sSUFBSSxPQUFPLENBQUMsSUFBSSxhQUFhLElBQUksQ0FBQyxPQUFPLFFBQVEsQ0FBQztvQkFDeE0sY0FBYyxJQUFJLEdBQUcsSUFBSSxJQUFJLENBQUM7b0JBRTlCLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDO3dCQUNkLFdBQVcsRUFBRSxNQUFNO3dCQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7d0JBQ3pCLFNBQVMsRUFBRSxlQUFlO3dCQUMxQixZQUFZLEVBQUUsSUFBSTt3QkFDbEIsS0FBSyxFQUFFLEtBQUs7cUJBQ2IsQ0FBQyxDQUFDO2dCQUNMLENBQUM7Z0JBQ0Qsc0RBQXNEO3FCQUNqRCxJQUFJLENBQUMsU0FBUyxDQUFDLEVBQUUsR0FBRyxTQUFTLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsRUFBRSxHQUFHLE9BQU8sQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO29CQUN6RSxNQUFNLElBQUksR0FBRyxZQUFZLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxJQUFJLGVBQWUsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsVUFBVSxTQUFTLENBQUMsSUFBSSxJQUFJLFNBQVMsQ0FBQyxFQUFFLFlBQVksSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLElBQUksT0FBTyxDQUFDLElBQUksSUFBSSxPQUFPLENBQUMsRUFBRSxhQUFhLElBQUksQ0FBQyxPQUFPLGNBQWMsQ0FBQztvQkFDNU8sY0FBYyxJQUFJLEdBQUcsSUFBSSxJQUFJLENBQUM7b0JBRTlCLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDO3dCQUNkLFdBQVcsRUFBRSxNQUFNO3dCQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7d0JBQ3pCLFNBQVMsRUFBRSxlQUFlO3dCQUMxQixZQUFZLEVBQUUsSUFBSTt3QkFDbEIsS0FBSyxFQUFFLEtBQUs7cUJBQ2IsQ0FBQyxDQUFDO2dCQUNMLENBQUM7Z0JBQ0QsaURBQWlEO3FCQUM1QyxDQUFDO29CQUNKLE1BQU0sV0FBVyxHQUFHLE9BQU8sQ0FBQyxFQUFFLEdBQUcsT0FBTyxDQUFDLElBQUksR0FBRyxDQUFDLENBQUM7b0JBRWxELEtBQUssSUFBSSxDQUFDLEdBQUcsU0FBUyxDQUFDLElBQUksRUFBRSxDQUFDLElBQUksU0FBUyxDQUFDLEVBQUUsRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDO3dCQUNwRCxNQUFNLE1BQU0sR0FBRyxDQUFDLENBQUMsR0FBRyxTQUFTLENBQUMsSUFBSSxDQUFDLEdBQUcsV0FBVyxDQUFDO3dCQUNsRCxNQUFNLFVBQVUsR0FBRyxPQUFPLENBQUMsSUFBSSxHQUFHLE1BQU0sQ0FBQzt3QkFFekMsTUFBTSxJQUFJLEdBQUcsWUFBWSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxlQUFlLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFVBQVUsQ0FBQyxZQUFZLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxJQUFJLFVBQVUsYUFBYSxJQUFJLENBQUMsT0FBTyxtQkFBbUIsQ0FBQzt3QkFDcE0sY0FBYyxJQUFJLEdBQUcsSUFBSSxJQUFJLENBQUM7d0JBRTlCLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDOzRCQUNkLFdBQVcsRUFBRSxNQUFNOzRCQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7NEJBQ3pCLFNBQVMsRUFBRSxlQUFlOzRCQUMxQixZQUFZLEVBQUUsSUFBSTs0QkFDbEIsS0FBSyxFQUFFLEtBQUs7eUJBQ2IsQ0FBQyxDQUFDO29CQUNMLENBQUM7Z0JBQ0gsQ0FBQztnQkFFRCxzRUFBc0U7Z0JBQ3RFLElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLGdCQUFnQixFQUFFLENBQUM7b0JBQ3BDLE1BQU0sUUFBUSxHQUFHLFlBQVksTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLElBQUksZ0JBQWdCLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFVBQVUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLFVBQVUsT0FBTyxDQUFDLElBQUksSUFBSSxPQUFPLENBQUMsRUFBRSx3QkFBd0IsSUFBSSxDQUFDLE9BQU8sUUFBUSxDQUFDO29CQUNsTixjQUFjLElBQUksR0FBRyxRQUFRLElBQUksQ0FBQztvQkFFbEMsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUM7d0JBQ2QsV0FBVyxFQUFFLE1BQU07d0JBQ25CLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUzt3QkFDekIsU0FBUyxFQUFFLGdCQUFnQjt3QkFDM0IsWUFBWSxFQUFFLFFBQVE7d0JBQ3RCLEtBQUssRUFBRSxLQUFLO3FCQUNiLENBQUMsQ0FBQztnQkFDTCxDQUFDO1lBQ0gsQ0FBQztZQUVELHlDQUF5QztZQUN6QyxJQUFJLGNBQWMsRUFBRSxDQUFDO2dCQUNuQiwwQkFBMEI7Z0JBQzFCLEVBQUUsQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLFlBQVksRUFBRSxjQUFjLENBQUMsQ0FBQztnQkFFcEQsb0JBQW9CO2dCQUNwQixNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FDekIsR0FBRyxhQUFhLENBQUMsT0FBTyxPQUFPLElBQUksQ0FBQyxZQUFZLEVBQUUsRUFDbEQsSUFBSSxDQUFDLFFBQVEsQ0FBQyxVQUFVLEVBQ3hCLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxDQUMzQixDQUFDO2dCQUVGLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLG1DQUFtQyxNQUFNLEVBQUUsQ0FBQyxDQUFDO2dCQUU5RCxzQkFBc0I7Z0JBQ3RCLEtBQUssTUFBTSxJQUFJLElBQUksSUFBSSxDQUFDLEtBQUssRUFBRSxDQUFDO29CQUM5QixJQUFJLElBQUksQ0FBQyxXQUFXLEtBQUssTUFBTSxJQUFJLENBQUMsSUFBSSxDQUFDLEtBQUssRUFBRSxDQUFDO3dCQUMvQyxJQUFJLENBQUMsS0FBSyxHQUFHLElBQUksQ0FBQzt3QkFFbEIsOEJBQThCO3dCQUM5QixNQUFNLElBQUksQ0FBQyxxQkFBcUIsQ0FBQyxJQUFJLENBQUMsQ0FBQztvQkFDekMsQ0FBQztnQkFDSCxDQUFDO2dCQUVELHdCQUF3QjtnQkFDeEIsRUFBRSxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDLENBQUM7WUFDbkMsQ0FBQztZQUVELE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixJQUFJLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxxQ0FBcUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7WUFDdEUsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLGlCQUFpQixDQUFDLFNBQWtCLEtBQUs7UUFDckQsSUFBSSxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsR0FBRyxFQUFFLE9BQU8sRUFBRSxDQUFDO1lBQ2hDLE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUVELE1BQU0sTUFBTSxHQUFHLE1BQU0sQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUM7UUFDckMsTUFBTSxRQUFRLEdBQUcsYUFBYSxDQUFDO1FBRS9CLElBQUksQ0FBQztZQUNILElBQUksY0FBYyxHQUFHLEVBQUUsQ0FBQztZQUV4QixzQ0FBc0M7WUFDdEMsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQztnQkFDOUIsTUFBTSxXQUFXLEdBQUcsWUFBWSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxRQUFRLGFBQWEsSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFdBQVcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxxQkFBcUIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsT0FBTyxrQkFBa0IsSUFBSSxDQUFDLE9BQU8sWUFBWSxDQUFDO2dCQUN6USxjQUFjLElBQUksR0FBRyxXQUFXLElBQUksQ0FBQztnQkFFckMsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUM7b0JBQ2QsV0FBVyxFQUFFLE1BQU07b0JBQ25CLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUztvQkFDekIsU0FBUyxFQUFFLFFBQVE7b0JBQ25CLFlBQVksRUFBRSxXQUFXO29CQUN6QixLQUFLLEVBQUUsS0FBSztpQkFDYixDQUFDLENBQUM7WUFDTCxDQUFDO1lBRUQsb0NBQW9DO1lBQ3BDLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsUUFBUSxLQUFLLFNBQVMsRUFBRSxDQUFDO2dCQUM3Qyw0QkFBNEI7Z0JBQzVCLE1BQU0sWUFBWSxHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUM5QyxHQUFHLGFBQWEsQ0FBQyxPQUFPLGdCQUFnQixNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsRUFBRSxFQUNsRSxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7Z0JBRUYsNkNBQTZDO2dCQUM3QyxNQUFNLFlBQVksR0FBRyxZQUFZLENBQUMsUUFBUSxDQUFDLGFBQWEsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsUUFBUSxFQUFFLENBQUMsQ0FBQztnQkFFdEYsSUFBSSxDQUFDLFlBQVksRUFBRSxDQUFDO29CQUNsQix3QkFBd0I7b0JBQ3hCLE1BQU0sYUFBYSxHQUFHLGFBQWEsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLFFBQVEsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsUUFBUSx3Q0FBd0MsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsUUFBUSxHQUFHLEVBQUUsS0FBSyxDQUFDO29CQUMxSyxjQUFjLElBQUksR0FBRyxhQUFhLElBQUksQ0FBQztnQkFDekMsQ0FBQztnQkFFRCxtREFBbUQ7Z0JBQ25ELEtBQUssTUFBTSxLQUFLLElBQUksSUFBSSxDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQztvQkFDakUsTUFBTSxRQUFRLEdBQUcsWUFBWSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxRQUFRLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFVBQVUsS0FBSyxDQUFDLElBQUksSUFBSSxLQUFLLENBQUMsRUFBRSxxQkFBcUIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsUUFBUSxhQUFhLElBQUksQ0FBQyxPQUFPLGdCQUFnQixDQUFDO29CQUNwTixjQUFjLElBQUksR0FBRyxRQUFRLElBQUksQ0FBQztvQkFFbEMsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUM7d0JBQ2QsV0FBVyxFQUFFLE1BQU07d0JBQ25CLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUzt3QkFDekIsU0FBUyxFQUFFLFFBQVE7d0JBQ25CLFlBQVksRUFBRSxRQUFRO3dCQUN0QixLQUFLLEVBQUUsS0FBSztxQkFDYixDQUFDLENBQUM7Z0JBQ0wsQ0FBQztZQUNILENBQUM7WUFFRCx5Q0FBeUM7WUFDekMsSUFBSSxjQUFjLEVBQUUsQ0FBQztnQkFDbkIsMEJBQTBCO2dCQUMxQixFQUFFLENBQUMsYUFBYSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsY0FBYyxDQUFDLENBQUM7Z0JBRXBELG9CQUFvQjtnQkFDcEIsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3pCLEdBQUcsYUFBYSxDQUFDLE9BQU8sT0FBTyxJQUFJLENBQUMsWUFBWSxFQUFFLEVBQ2xELElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUN4QixJQUFJLENBQUMsUUFBUSxDQUFDLFlBQVksQ0FDM0IsQ0FBQztnQkFFRixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSx1QkFBdUIsTUFBTSxFQUFFLENBQUMsQ0FBQztnQkFFbEQsc0JBQXNCO2dCQUN0QixLQUFLLE1BQU0sSUFBSSxJQUFJLElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQztvQkFDOUIsSUFBSSxJQUFJLENBQUMsV0FBVyxLQUFLLE1BQU0sSUFBSSxDQUFDLElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQzt3QkFDL0MsSUFBSSxDQUFDLEtBQUssR0FBRyxJQUFJLENBQUM7d0JBRWxCLDhCQUE4Qjt3QkFDOUIsTUFBTSxJQUFJLENBQUMscUJBQXFCLENBQUMsSUFBSSxDQUFDLENBQUM7b0JBQ3pDLENBQUM7Z0JBQ0gsQ0FBQztnQkFFRCx3QkFBd0I7Z0JBQ3hCLEVBQUUsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUFDO1lBQ25DLENBQUM7WUFFRCxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsa0NBQWtDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQ25FLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyw0QkFBNEIsQ0FBQyxTQUFrQixLQUFLO1FBQ2hFLElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLG1CQUFtQixFQUFFLE9BQU8sRUFBRSxDQUFDO1lBQ2hELE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUVELE1BQU0sY0FBYyxHQUFHLElBQUksQ0FBQyxRQUFRLENBQUMsbUJBQW1CLENBQUM7UUFDekQsTUFBTSxNQUFNLEdBQUcsTUFBTSxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQztRQUNyQyxNQUFNLFdBQVcsR0FBRyxZQUFZLENBQUM7UUFFakMsSUFBSSxDQUFDO1lBQ0gsOERBQThEO1lBQzlELElBQUksY0FBYyxDQUFDLGlCQUFpQixJQUFJLGNBQWMsQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO2dCQUMxRSxNQUFNLFNBQVMsR0FBRyxNQUFNLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsV0FBVyxDQUFDO2dCQUUvQywyQkFBMkI7Z0JBQzNCLE1BQU0sSUFBSSxHQUFHLFlBQVksTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLElBQUksV0FBVyxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxVQUFVLFNBQVMsaUJBQWlCLGNBQWMsQ0FBQyxrQkFBa0IsYUFBYSxJQUFJLENBQUMsT0FBTyxxQkFBcUIsQ0FBQztnQkFFOU0saUJBQWlCO2dCQUNqQixNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FDekIsR0FBRyxhQUFhLENBQUMsT0FBTyxJQUFJLElBQUksRUFBRSxFQUNsQyxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7Z0JBRUYsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsMkNBQTJDLE1BQU0sRUFBRSxDQUFDLENBQUM7Z0JBRXRFLE1BQU0sT0FBTyxHQUFHO29CQUNkLFdBQVcsRUFBRSxNQUFNO29CQUNuQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7b0JBQ3pCLFNBQVMsRUFBRSxXQUFXO29CQUN0QixZQUFZLEVBQUUsSUFBSTtvQkFDbEIsS0FBSyxFQUFFLElBQUk7aUJBQ1osQ0FBQztnQkFFRixJQUFJLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsQ0FBQztnQkFFekIsdUNBQXVDO2dCQUN2QyxNQUFNLElBQUksQ0FBQyxxQkFBcUIsQ0FBQyxPQUFPLENBQUMsQ0FBQztZQUM1QyxDQUFDO1lBRUQsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztZQUNiLElBQUksQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLDhDQUE4QyxHQUFHLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUMvRSxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMscUJBQXFCLENBQUMsSUFBa0I7UUFDcEQsSUFBSSxDQUFDO1lBQ0gsTUFBTSxFQUFFLFdBQVcsRUFBRSxTQUFTLEVBQUUsU0FBUyxFQUFFLFlBQVksRUFBRSxHQUFHLElBQUksQ0FBQztZQUVqRSx1RUFBdUU7WUFDdkUsTUFBTSxZQUFZLEdBQUcsWUFBWSxDQUFDLEtBQUssQ0FBQyxtQkFBbUIsQ0FBQyxDQUFDO1lBQzdELElBQUksQ0FBQyxZQUFZO2dCQUFFLE9BQU8sS0FBSyxDQUFDO1lBRWhDLE1BQU0sVUFBVSxHQUFHLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUVuQywrQ0FBK0M7WUFDL0MsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3hDLEdBQUcsYUFBYSxDQUFDLE9BQU8sZUFBZSxXQUFXLElBQUksU0FBUyxJQUFJLFNBQVMsRUFBRSxFQUM5RSxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7WUFFRiw2Q0FBNkM7WUFDN0MsTUFBTSxTQUFTLEdBQUcsTUFBTSxDQUFDLFFBQVEsQ0FBQyxVQUFVLENBQUMsQ0FBQztZQUU5QyxJQUFJLENBQUMsUUFBUSxHQUFHLFNBQVMsQ0FBQztZQUUxQixJQUFJLENBQUMsU0FBUyxFQUFFLENBQUM7Z0JBQ2YsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsNkJBQTZCLFVBQVUsdUJBQXVCLFNBQVMsRUFBRSxDQUFDLENBQUM7WUFDOUYsQ0FBQztpQkFBTSxDQUFDO2dCQUNOLElBQUksQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLGtCQUFrQixVQUFVLG1CQUFtQixTQUFTLEVBQUUsQ0FBQyxDQUFDO1lBQ2hGLENBQUM7WUFFRCxPQUFPLFNBQVMsQ0FBQztRQUNuQixDQUFDO1FBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztZQUNiLElBQUksQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLHNDQUFzQyxHQUFHLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUN2RSxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMsYUFBYTtRQUN6Qix3Q0FBd0M7UUFDeEMsS0FBSyxJQUFJLENBQUMsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDO1lBQ2hELE1BQU0sSUFBSSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUM7WUFFM0IsSUFBSSxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7Z0JBQ2YsSUFBSSxDQUFDO29CQUNILHNFQUFzRTtvQkFDdEUsTUFBTSxVQUFVLEdBQUcsSUFBSSxDQUFDLFlBQVksQ0FBQyxPQUFPLENBQUMsVUFBVSxFQUFFLGFBQWEsQ0FBQyxDQUFDO29CQUN4RSxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FDekIsR0FBRyxhQUFhLENBQUMsT0FBTyxJQUFJLFVBQVUsRUFBRSxFQUN4QyxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7b0JBRUYsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUscUJBQXFCLFVBQVUsRUFBRSxDQUFDLENBQUM7b0JBRXBELElBQUksQ0FBQyxLQUFLLEdBQUcsS0FBSyxDQUFDO29CQUNuQixJQUFJLENBQUMsUUFBUSxHQUFHLEtBQUssQ0FBQztnQkFDeEIsQ0FBQztnQkFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO29CQUNiLElBQUksQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLDZCQUE2QixHQUFHLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztnQkFDaEUsQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLFdBQVcsQ0FBQyxNQUFjLEVBQUUsU0FBaUI7UUFDekQsSUFBSSxDQUFDO1lBQ0gsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3hDLEdBQUcsYUFBYSxDQUFDLE9BQU8sZ0JBQWdCLE1BQU0sRUFBRSxFQUNoRCxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7WUFFRixPQUFPLE1BQU0sQ0FBQyxRQUFRLENBQUMsU0FBUyxNQUFNLElBQUksU0FBUyxFQUFFLENBQUMsQ0FBQztRQUN6RCxDQUFDO1FBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztZQUNiLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxnQkFBZ0I7UUFLNUIsTUFBTSxPQUFPLEdBSVQsRUFBRSxDQUFDO1FBRVAsSUFBSSxDQUFDO1lBQ0gsMERBQTBEO1lBQzFELElBQUksQ0FBQztnQkFDSCxNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxjQUFjLEVBQUUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxVQUFVLEVBQUUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQUMsQ0FBQztnQkFDakgsT0FBTyxDQUFDLGlCQUFpQixHQUFHLFFBQVEsQ0FBQyxNQUFNLENBQUMsSUFBSSxFQUFFLEVBQUUsRUFBRSxDQUFDLENBQUM7WUFDMUQsQ0FBQztZQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7Z0JBQ2IsNENBQTRDO1lBQzlDLENBQUM7WUFFRCxnRUFBZ0U7WUFDaEUsSUFBSSxDQUFDO2dCQUNILGlDQUFpQztnQkFDakMsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3hDLEdBQUcsYUFBYSxDQUFDLE9BQU8sa0JBQWtCLElBQUksQ0FBQyxTQUFTLEVBQUUsRUFDMUQsSUFBSSxDQUFDLFFBQVEsQ0FBQyxVQUFVLEVBQ3hCLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxDQUMzQixDQUFDO2dCQUVGLDRDQUE0QztnQkFDNUMsTUFBTSxjQUFjLEdBQUcsTUFBTSxDQUFDLFFBQVEsQ0FBQyxvQ0FBb0MsQ0FBQyxDQUFDO2dCQUM3RSxJQUFJLFlBQVksR0FBRyxDQUFDLENBQUM7Z0JBQ3JCLElBQUksVUFBVSxHQUFHLENBQUMsQ0FBQztnQkFFbkIsS0FBSyxNQUFNLEtBQUssSUFBSSxjQUFjLEVBQUUsQ0FBQztvQkFDbkMsWUFBWSxJQUFJLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUM7b0JBQ3ZDLFVBQVUsSUFBSSxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO2dCQUN2QyxDQUFDO2dCQUVELElBQUksWUFBWSxHQUFHLENBQUMsRUFBRSxDQUFDO29CQUNyQixPQUFPLENBQUMsb0JBQW9CLEdBQUcsWUFBWSxDQUFDO29CQUM1QyxPQUFPLENBQUMsY0FBYyxHQUFHO3dCQUN2QixJQUFJLEVBQUUsVUFBVTt3QkFDaEIsUUFBUSxFQUFFLENBQUMsQ0FBRSwwREFBMEQ7cUJBQ3hFLENBQUM7Z0JBQ0osQ0FBQztZQUNILENBQUM7WUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO2dCQUNiLCtDQUErQztZQUNqRCxDQUFDO1lBRUQsT0FBTyxPQUFPLENBQUM7UUFDakIsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixJQUFJLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxpQ0FBaUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7WUFDbEUsT0FBTyxPQUFPLENBQUM7UUFDakIsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxjQUFjO1FBSzFCLE1BQU0sTUFBTSxHQUlOLEVBQUUsQ0FBQztRQUVULElBQUksQ0FBQztZQUNILEtBQUssTUFBTSxNQUFNLElBQUksQ0FBQyxJQUFJLEVBQUUsS0FBSyxDQUFDLEVBQUUsQ0FBQztnQkFDbkMsSUFBSSxDQUFDO29CQUNILE1BQU0sTUFBTSxHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUN4QyxHQUFHLGFBQWEsQ0FBQyxPQUFPLGNBQWMsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsRUFDaEUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxVQUFVLEVBQ3hCLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxDQUMzQixDQUFDO29CQUVGLE1BQU0sVUFBVSxHQUFHLE1BQU0sQ0FBQyxRQUFRLENBQUMsMkJBQTJCLENBQUMsQ0FBQztvQkFFaEUsS0FBSyxNQUFNLEtBQUssSUFBSSxVQUFVLEVBQUUsQ0FBQzt3QkFDL0IsTUFBTSxPQUFPLEdBQUcsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO3dCQUN6QixNQUFNLE9BQU8sR0FBRyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUM7d0JBRXpCLHNDQUFzQzt3QkFDdEMsTUFBTSxNQUFNLEdBQUcsR0FBRyxNQUFNLElBQUksT0FBTyxFQUFFLENBQUM7d0JBQ3RDLE1BQU0sUUFBUSxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxJQUFJLEVBQUUsQ0FBQzt3QkFFL0MsTUFBTSxDQUFDLElBQUksQ0FBQzs0QkFDVixJQUFJLEVBQUUsT0FBTzs0QkFDYixZQUFZLEVBQUUsUUFBUSxDQUFDLE1BQU07NEJBQzdCLElBQUksRUFBRSxPQUFPO3lCQUNkLENBQUMsQ0FBQztvQkFDTCxDQUFDO2dCQUNILENBQUM7Z0JBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztvQkFDYixrREFBa0Q7Z0JBQ3BELENBQUM7WUFDSCxDQUFDO1lBRUQsT0FBTyxNQUFNLENBQUM7UUFDaEIsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixJQUFJLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxnQ0FBZ0MsR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7WUFDakUsT0FBTyxNQUFNLENBQUM7UUFDaEIsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxTQUFTO1FBQ3BCLE1BQU0sTUFBTSxHQUFtQjtZQUM3QixNQUFNLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDO1lBQ3JDLFNBQVMsRUFBRTtnQkFDVCxLQUFLLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxNQUFNO2dCQUN4QixLQUFLLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsTUFBTTtnQkFDN0MsUUFBUSxFQUFFLElBQUksQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxDQUFDLE1BQU07YUFDcEQ7WUFDRCxnQkFBZ0IsRUFBRSxFQUFFO1lBQ3BCLE9BQU8sRUFBRSxFQUFFO1lBQ1gsVUFBVSxFQUFFLElBQUksQ0FBQyxRQUFRLENBQUMsR0FBRyxFQUFFLE9BQU8sSUFBSSxLQUFLO1NBQ2hELENBQUM7UUFFRixJQUFJLENBQUM7WUFDSCxnQ0FBZ0M7WUFDaEMsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3hDLEdBQUcsYUFBYSxDQUFDLE9BQU8sY0FBYyxFQUN0QyxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7WUFFRixNQUFNLFVBQVUsR0FBRyx1QkFBdUIsQ0FBQztZQUMzQyxJQUFJLEtBQUssQ0FBQztZQUVWLE9BQU8sQ0FBQyxLQUFLLEdBQUcsVUFBVSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQyxLQUFLLElBQUksRUFBRSxDQUFDO2dCQUNsRCxNQUFNLENBQUMsRUFBRSxNQUFNLEVBQUUsSUFBSSxDQUFDLEdBQUcsS0FBSyxDQUFDO2dCQUMvQixJQUFJLElBQUksS0FBSyxJQUFJLENBQUMsU0FBUyxFQUFFLENBQUM7b0JBQzVCLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsRUFBRSxNQUFNLEVBQUUsU0FBUyxFQUFFLElBQUksRUFBRSxDQUFDLENBQUM7Z0JBQzVELENBQUM7WUFDSCxDQUFDO1lBRUQscUJBQXFCO1lBQ3JCLE1BQU0sQ0FBQyxPQUFPLEdBQUcsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztZQUUvQyxxQ0FBcUM7WUFDckMsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFNBQVMsRUFBRSxDQUFDO2dCQUM1QixNQUFNLENBQUMsZ0JBQWdCLEdBQUcsTUFBTSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7WUFDeEQsQ0FBQztZQUVELE9BQU8sTUFBTSxDQUFDO1FBQ2hCLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUseUJBQXlCLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQzFELE9BQU8sTUFBTSxDQUFDO1FBQ2hCLENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsTUFBTTtRQUNqQixNQUFNLFFBQVEsR0FBYSxFQUFFLENBQUM7UUFFOUIsOERBQThEO1FBRTlELG9CQUFvQjtRQUNwQixRQUFRLENBQUMsSUFBSSxDQUFDLGdCQUFnQixJQUFJLENBQUMsU0FBUyxFQUFFLENBQUMsQ0FBQztRQUNoRCxRQUFRLENBQUMsSUFBSSxDQUFDLGdCQUFnQixJQUFJLENBQUMsU0FBUyw2REFBNkQsQ0FBQyxDQUFDO1FBRTNHLElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLGdCQUFnQixFQUFFLENBQUM7WUFDcEMsUUFBUSxDQUFDLElBQUksQ0FBQyxnQkFBZ0IsSUFBSSxDQUFDLFNBQVMsOERBQThELENBQUMsQ0FBQztRQUM5RyxDQUFDO1FBRUQsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLG1CQUFtQixFQUFFLE9BQU8sSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLG1CQUFtQixDQUFDLGlCQUFpQixFQUFFLENBQUM7WUFDdEcsUUFBUSxDQUFDLElBQUksQ0FBQyxnQkFBZ0IsSUFBSSxDQUFDLFNBQVMsa0RBQWtELENBQUMsQ0FBQztRQUNsRyxDQUFDO1FBRUQsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsRUFBRSxPQUFPLEVBQUUsQ0FBQztZQUMvQixRQUFRLENBQUMsSUFBSSxDQUFDLGdCQUFnQixJQUFJLENBQUMsU0FBUyx1REFBdUQsQ0FBQyxDQUFDO1FBQ3ZHLENBQUM7UUFFRCw2QkFBNkI7UUFDN0IsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQzlCLFFBQVEsQ0FBQyxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQyxDQUFDO1lBQ2pELFFBQVEsQ0FBQyxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxTQUFTLDZEQUE2RCxDQUFDLENBQUM7WUFFNUcsSUFBSSxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztnQkFDcEMsUUFBUSxDQUFDLElBQUksQ0FBQyxpQkFBaUIsSUFBSSxDQUFDLFNBQVMsOERBQThELENBQUMsQ0FBQztZQUMvRyxDQUFDO1lBRUQsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLG1CQUFtQixFQUFFLE9BQU8sSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLG1CQUFtQixDQUFDLGlCQUFpQixFQUFFLENBQUM7Z0JBQ3RHLFFBQVEsQ0FBQyxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxTQUFTLGtEQUFrRCxDQUFDLENBQUM7WUFDbkcsQ0FBQztZQUVELElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLEVBQUUsT0FBTyxFQUFFLENBQUM7Z0JBQy9CLFFBQVEsQ0FBQyxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxTQUFTLHVEQUF1RCxDQUFDLENBQUM7WUFDeEcsQ0FBQztRQUNILENBQUM7UUFFRCxvQkFBb0I7UUFDcEIsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQzVCLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxlQUFlLEVBQUUsTUFBTSxFQUFFLENBQUM7Z0JBQzFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsY0FBYyxJQUFJLENBQUMsU0FBUyxpQ0FBaUMsQ0FBQyxDQUFDO2dCQUM3RSxRQUFRLENBQUMsSUFBSSxDQUFDLGtCQUFrQixJQUFJLENBQUMsU0FBUyxpQkFBaUIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxlQUFlLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztnQkFDN0csUUFBUSxDQUFDLElBQUksQ0FBQyxlQUFlLElBQUksQ0FBQyxTQUFTLHNEQUFzRCxJQUFJLENBQUMsT0FBTyxjQUFjLENBQUMsQ0FBQztZQUMvSCxDQUFDO1lBRUQsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLGdCQUFnQixFQUFFLE1BQU0sRUFBRSxDQUFDO2dCQUMzQyxRQUFRLENBQUMsSUFBSSxDQUFDLGNBQWMsSUFBSSxDQUFDLFNBQVMsa0NBQWtDLENBQUMsQ0FBQztnQkFDOUUsUUFBUSxDQUFDLElBQUksQ0FBQyxrQkFBa0IsSUFBSSxDQUFDLFNBQVMsa0JBQWtCLElBQUksQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztnQkFDL0csUUFBUSxDQUFDLElBQUksQ0FBQyxlQUFlLElBQUksQ0FBQyxTQUFTLHlDQUF5QyxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsV0FBVyxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLHFCQUFxQixJQUFJLENBQUMsT0FBTyxlQUFlLENBQUMsQ0FBQztnQkFDL00sUUFBUSxDQUFDLElBQUksQ0FBQyxlQUFlLElBQUksQ0FBQyxTQUFTLG1CQUFtQixJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsV0FBVyxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLG1CQUFtQixJQUFJLENBQUMsT0FBTyxZQUFZLENBQUMsQ0FBQztZQUN0TCxDQUFDO1FBQ0gsQ0FBQzthQUFNLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxlQUFlLEVBQUUsTUFBTSxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLEVBQUUsTUFBTSxFQUFFLENBQUM7WUFDM0YsdUNBQXVDO1lBQ3ZDLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxlQUFlLEVBQUUsTUFBTSxFQUFFLENBQUM7Z0JBQzFDLEtBQUssTUFBTSxFQUFFLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxlQUFlLEVBQUUsQ0FBQztvQkFDL0MsUUFBUSxDQUFDLElBQUksQ0FBQyxlQUFlLElBQUksQ0FBQyxTQUFTLDRCQUE0QixFQUFFLGtCQUFrQixJQUFJLENBQUMsT0FBTyxVQUFVLENBQUMsQ0FBQztnQkFDckgsQ0FBQztZQUNILENBQUM7WUFFRCxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLEVBQUUsTUFBTSxFQUFFLENBQUM7Z0JBQzNDLEtBQUssTUFBTSxFQUFFLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO29CQUNoRCxRQUFRLENBQUMsSUFBSSxDQUFDLGVBQWUsSUFBSSxDQUFDLFNBQVMsNEJBQTRCLEVBQUUsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsV0FBVyxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLHFCQUFxQixJQUFJLENBQUMsT0FBTyxXQUFXLENBQUMsQ0FBQztnQkFDdE0sQ0FBQztnQkFDRCxRQUFRLENBQUMsSUFBSSxDQUFDLGVBQWUsSUFBSSxDQUFDLFNBQVMsbUJBQW1CLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxXQUFXLElBQUksQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUMsbUJBQW1CLElBQUksQ0FBQyxPQUFPLFlBQVksQ0FBQyxDQUFDO1lBQ3RMLENBQUM7UUFDSCxDQUFDO1FBRUQsd0JBQXdCO1FBQ3hCLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxjQUFjLEVBQUUsQ0FBQztZQUNqQyx3Q0FBd0M7WUFDeEMsTUFBTSxjQUFjLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLENBQUM7WUFDdEUsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLENBQUM7WUFFbEUsSUFBSSxjQUFjLENBQUMsTUFBTSxLQUFLLENBQUMsSUFBSSxZQUFZLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRSxDQUFDO2dCQUM3RCxNQUFNLFNBQVMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQ3BDLE1BQU0sT0FBTyxHQUFHLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztnQkFFaEMsSUFBSSxTQUFTLENBQUMsSUFBSSxLQUFLLFNBQVMsQ0FBQyxFQUFFLElBQUksT0FBTyxDQUFDLElBQUksS0FBSyxPQUFPLENBQUMsRUFBRSxFQUFFLENBQUM7b0JBQ25FLFFBQVEsQ0FBQyxJQUFJLENBQUMsZUFBZSxJQUFJLENBQUMsU0FBUyxtQkFBbUIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFVBQVUsU0FBUyxDQUFDLElBQUkseUJBQXlCLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxJQUFJLE9BQU8sQ0FBQyxJQUFJLGFBQWEsSUFBSSxDQUFDLE9BQU8sV0FBVyxDQUFDLENBQUM7Z0JBQ2pOLENBQUM7cUJBQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxFQUFFLEdBQUcsU0FBUyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLEVBQUUsR0FBRyxPQUFPLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztvQkFDM0UsUUFBUSxDQUFDLElBQUksQ0FBQyxlQUFlLElBQUksQ0FBQyxTQUFTLG1CQUFtQixJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsVUFBVSxTQUFTLENBQUMsSUFBSSxJQUFJLFNBQVMsQ0FBQyxFQUFFLHlCQUF5QixJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sSUFBSSxPQUFPLENBQUMsSUFBSSxJQUFJLE9BQU8sQ0FBQyxFQUFFLGFBQWEsSUFBSSxDQUFDLE9BQU8saUJBQWlCLENBQUMsQ0FBQztnQkFDclAsQ0FBQztnQkFFRCxRQUFRLENBQUMsSUFBSSxDQUFDLGVBQWUsSUFBSSxDQUFDLFNBQVMsZ0VBQWdFLElBQUksQ0FBQyxPQUFPLGtCQUFrQixDQUFDLENBQUM7WUFDN0ksQ0FBQztRQUNILENBQUM7YUFBTSxDQUFDO1lBQ04scUJBQXFCO1lBQ3JCLE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1lBQ2xFLE1BQU0sUUFBUSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1lBRTlELElBQUksVUFBVSxDQUFDLE1BQU0sS0FBSyxDQUFDLElBQUksUUFBUSxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztnQkFDckQsTUFBTSxTQUFTLEdBQUcsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDO2dCQUNoQyxNQUFNLE9BQU8sR0FBRyxRQUFRLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBRTVCLElBQUksU0FBUyxDQUFDLElBQUksS0FBSyxTQUFTLENBQUMsRUFBRSxJQUFJLE9BQU8sQ0FBQyxJQUFJLEtBQUssT0FBTyxDQUFDLEVBQUUsRUFBRSxDQUFDO29CQUNuRSxRQUFRLENBQUMsSUFBSSxDQUFDLGVBQWUsSUFBSSxDQUFDLFNBQVMsbUJBQW1CLElBQUksQ0FBQyxRQUFRLENBQUMsUUFBUSxVQUFVLFNBQVMsQ0FBQyxJQUFJLFlBQVksSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLElBQUksT0FBTyxDQUFDLElBQUksYUFBYSxJQUFJLENBQUMsT0FBTyxRQUFRLENBQUMsQ0FBQztnQkFDak0sQ0FBQztxQkFBTSxDQUFDO29CQUNOLFFBQVEsQ0FBQyxJQUFJLENBQUMsZUFBZSxJQUFJLENBQUMsU0FBUyxtQkFBbUIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFVBQVUsU0FBUyxDQUFDLElBQUksSUFBSSxTQUFTLENBQUMsRUFBRSxZQUFZLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxJQUFJLE9BQU8sQ0FBQyxJQUFJLElBQUksT0FBTyxDQUFDLEVBQUUsYUFBYSxJQUFJLENBQUMsT0FBTyxjQUFjLENBQUMsQ0FBQztnQkFDck8sQ0FBQztZQUNILENBQUM7aUJBQU0sSUFBSSxRQUFRLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRSxDQUFDO2dCQUNqQyxzQkFBc0I7Z0JBQ3RCLEtBQUssTUFBTSxTQUFTLElBQUksVUFBVSxFQUFFLENBQUM7b0JBQ25DLFFBQVEsQ0FBQyxJQUFJLENBQUMsZUFBZSxJQUFJLENBQUMsU0FBUyxtQkFBbUIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFVBQVUsU0FBUyxDQUFDLElBQUksSUFBSSxTQUFTLENBQUMsRUFBRSxZQUFZLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxJQUFJLFFBQVEsQ0FBQyxDQUFDLENBQUMsQ0FBQyxJQUFJLElBQUksUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDLEVBQUUsYUFBYSxJQUFJLENBQUMsT0FBTyxjQUFjLENBQUMsQ0FBQztnQkFDN08sQ0FBQztZQUNILENBQUM7aUJBQU0sQ0FBQztnQkFDTix3Q0FBd0M7Z0JBQ3hDLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxVQUFVLENBQUMsTUFBTSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUM7b0JBQzNDLFFBQVEsQ0FBQyxJQUFJLENBQUMsZUFBZSxJQUFJLENBQUMsU0FBUyxtQkFBbUIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxRQUFRLFVBQVUsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLElBQUksSUFBSSxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRSxZQUFZLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxJQUFJLFFBQVEsQ0FBQyxDQUFDLENBQUMsQ0FBQyxJQUFJLElBQUksUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDLEVBQUUsYUFBYSxJQUFJLENBQUMsT0FBTyxjQUFjLENBQUMsQ0FBQztnQkFDclAsQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO1FBRUQsK0NBQStDO1FBQy9DLElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLGdCQUFnQixFQUFFLENBQUM7WUFDcEMsUUFBUSxDQUFDLElBQUksQ0FBQyxlQUFlLElBQUksQ0FBQyxTQUFTLG9CQUFvQixJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsVUFBVSxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sV0FBVyxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLHlCQUF5QixJQUFJLENBQUMsT0FBTyxRQUFRLENBQUMsQ0FBQztRQUNyTixDQUFDO1FBRUQsMkJBQTJCO1FBQzNCLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxtQkFBbUIsRUFBRSxPQUFPO1lBQzFDLElBQUksQ0FBQyxRQUFRLENBQUMsbUJBQW1CLENBQUMsaUJBQWlCO1lBQ25ELElBQUksQ0FBQyxRQUFRLENBQUMsbUJBQW1CLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztZQUV6RCxRQUFRLENBQUMsSUFBSSxDQUFDLGVBQWUsSUFBSSxDQUFDLFNBQVMsZUFBZSxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsaUNBQWlDLElBQUksQ0FBQyxRQUFRLENBQUMsbUJBQW1CLENBQUMsa0JBQWtCLGFBQWEsSUFBSSxDQUFDLE9BQU8scUJBQXFCLENBQUMsQ0FBQztRQUN2TixDQUFDO1FBRUQsWUFBWTtRQUNaLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLEVBQUUsT0FBTyxFQUFFLENBQUM7WUFDL0IsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQztnQkFDOUIsUUFBUSxDQUFDLElBQUksQ0FBQyxlQUFlLElBQUksQ0FBQyxTQUFTLHlCQUF5QixJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsV0FBVyxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLHFCQUFxQixJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxPQUFPLGtCQUFrQixJQUFJLENBQUMsT0FBTyxZQUFZLENBQUMsQ0FBQztZQUMvUCxDQUFDO1lBRUQsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxRQUFRLEtBQUssU0FBUyxFQUFFLENBQUM7Z0JBQzdDLFFBQVEsQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLElBQUksQ0FBQyxTQUFTLFFBQVEsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsUUFBUSx3Q0FBd0MsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsUUFBUSxHQUFHLEVBQUUsS0FBSyxDQUFDLENBQUM7Z0JBRTVKLEtBQUssTUFBTSxLQUFLLElBQUksSUFBSSxDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQztvQkFDakUsUUFBUSxDQUFDLElBQUksQ0FBQyxlQUFlLElBQUksQ0FBQyxTQUFTLGdCQUFnQixJQUFJLENBQUMsUUFBUSxDQUFDLFFBQVEsVUFBVSxLQUFLLENBQUMsSUFBSSxJQUFJLEtBQUssQ0FBQyxFQUFFLHFCQUFxQixJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxRQUFRLGFBQWEsSUFBSSxDQUFDLE9BQU8sZ0JBQWdCLENBQUMsQ0FBQztnQkFDN00sQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO1FBRUQsT0FBTyxRQUFRLENBQUM7SUFDbEIsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLEtBQUs7UUFDaEIsaUNBQWlDO1FBQ2pDLE1BQU0saUJBQWlCLEdBQUcsTUFBTSxJQUFJLENBQUMseUJBQXlCLEVBQUUsQ0FBQztRQUNqRSxJQUFJLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUN2QixNQUFNLElBQUksZ0JBQWdCLENBQUMsc0RBQXNELENBQUMsQ0FBQztRQUNyRixDQUFDO1FBRUQsK0JBQStCO1FBQy9CLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxlQUFlLEVBQUUsQ0FBQztZQUNsQyxNQUFNLGFBQWEsQ0FBQyxVQUFVLEVBQUUsQ0FBQztRQUNuQyxDQUFDO1FBRUQsb0NBQW9DO1FBQ3BDLE1BQU0sWUFBWSxHQUFHLE1BQU0sSUFBSSxDQUFDLG9CQUFvQixFQUFFLENBQUM7UUFDdkQsSUFBSSxDQUFDLFlBQVksRUFBRSxDQUFDO1lBQ2xCLE1BQU0sSUFBSSxpQkFBaUIsQ0FBQyw2Q0FBNkMsQ0FBQyxDQUFDO1FBQzdFLENBQUM7UUFFRCwyQ0FBMkM7UUFDM0MsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQzlCLE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxJQUFJLENBQUMsb0JBQW9CLENBQUMsSUFBSSxDQUFDLENBQUM7WUFDL0QsSUFBSSxDQUFDLGdCQUFnQixFQUFFLENBQUM7Z0JBQ3RCLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLG9FQUFvRSxDQUFDLENBQUM7WUFDekYsQ0FBQztRQUNILENBQUM7UUFFRCx3QkFBd0I7UUFDeEIsTUFBTSxJQUFJLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztRQUNoQyxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsV0FBVyxFQUFFLENBQUM7WUFDOUIsTUFBTSxJQUFJLENBQUMsa0JBQWtCLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDdEMsQ0FBQztRQUVELDBEQUEwRDtRQUMxRCxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsY0FBYyxFQUFFLENBQUM7WUFDakMsTUFBTSxrQkFBa0IsR0FBRyxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO1lBQ3pELElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO2dCQUN4QixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSw2REFBNkQsQ0FBQyxDQUFDO2dCQUNoRixJQUFJLENBQUMsUUFBUSxDQUFDLGNBQWMsR0FBRyxLQUFLLENBQUM7WUFDdkMsQ0FBQztpQkFBTSxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsV0FBVyxFQUFFLENBQUM7Z0JBQ3JDLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDLElBQUksQ0FBQyxDQUFDO1lBQ3BDLENBQUM7UUFDSCxDQUFDO1FBRUQseURBQXlEO1FBQ3pELElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLGNBQWMsRUFBRSxDQUFDO1lBQ2xDLE1BQU0saUJBQWlCLEdBQUcsTUFBTSxJQUFJLENBQUMsc0JBQXNCLEVBQUUsQ0FBQztZQUM5RCxJQUFJLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztnQkFDdkIsTUFBTSxJQUFJLGlCQUFpQixDQUFDLHFDQUFxQyxDQUFDLENBQUM7WUFDckUsQ0FBQztZQUVELDRDQUE0QztZQUM1QyxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsV0FBVyxFQUFFLENBQUM7Z0JBQzlCLE1BQU0scUJBQXFCLEdBQUcsTUFBTSxJQUFJLENBQUMsc0JBQXNCLENBQUMsSUFBSSxDQUFDLENBQUM7Z0JBQ3RFLElBQUksQ0FBQyxxQkFBcUIsRUFBRSxDQUFDO29CQUMzQixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSwwQ0FBMEMsQ0FBQyxDQUFDO2dCQUMvRCxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUM7UUFFRCx3QkFBd0I7UUFDeEIsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsRUFBRSxPQUFPLEVBQUUsQ0FBQztZQUMvQixNQUFNLFVBQVUsR0FBRyxNQUFNLElBQUksQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO1lBQ2xELElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztnQkFDaEIsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsZ0VBQWdFLENBQUMsQ0FBQztZQUNyRixDQUFDO2lCQUFNLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxXQUFXLEVBQUUsQ0FBQztnQkFDckMsTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsSUFBSSxDQUFDLENBQUM7WUFDckMsQ0FBQztRQUNILENBQUM7UUFFRCw2Q0FBNkM7UUFDN0MsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLG1CQUFtQixFQUFFLE9BQU8sRUFBRSxDQUFDO1lBQy9DLE1BQU0sb0JBQW9CLEdBQUcsTUFBTSxJQUFJLENBQUMsNEJBQTRCLEVBQUUsQ0FBQztZQUN2RSxJQUFJLENBQUMsb0JBQW9CLEVBQUUsQ0FBQztnQkFDMUIsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsMkNBQTJDLENBQUMsQ0FBQztZQUNoRSxDQUFDO1lBRUQsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFdBQVcsRUFBRSxDQUFDO2dCQUM5QixNQUFNLElBQUksQ0FBQyw0QkFBNEIsQ0FBQyxJQUFJLENBQUMsQ0FBQztZQUNoRCxDQUFDO1FBQ0gsQ0FBQztRQUVELHVEQUF1RDtRQUN2RCxJQUFJLElBQUksQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNqRCxNQUFNLElBQUksaUJBQWlCLENBQUMscUJBQXFCLENBQUMsQ0FBQztRQUNyRCxDQUFDO1FBRUQsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsb0NBQW9DLENBQUMsQ0FBQztJQUN6RCxDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsSUFBSTtRQUNmLElBQUksQ0FBQztZQUNILElBQUksY0FBYyxHQUFHLEVBQUUsQ0FBQztZQUV4Qix3Q0FBd0M7WUFDeEMsS0FBSyxJQUFJLENBQUMsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDO2dCQUNoRCxNQUFNLElBQUksR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO2dCQUUzQixJQUFJLElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQztvQkFDZix1REFBdUQ7b0JBQ3ZELE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxZQUFZLENBQUMsT0FBTyxDQUFDLFVBQVUsRUFBRSxhQUFhLENBQUMsQ0FBQztvQkFDeEUsY0FBYyxJQUFJLEdBQUcsVUFBVSxJQUFJLENBQUM7Z0JBQ3RDLENBQUM7WUFDSCxDQUFDO1lBRUQsbURBQW1EO1lBQ25ELElBQUksY0FBYyxFQUFFLENBQUM7Z0JBQ25CLDBCQUEwQjtnQkFDMUIsRUFBRSxDQUFDLGFBQWEsQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFLGNBQWMsQ0FBQyxDQUFDO2dCQUVwRCxvQkFBb0I7Z0JBQ3BCLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUN6QixHQUFHLGFBQWEsQ0FBQyxPQUFPLE9BQU8sSUFBSSxDQUFDLFlBQVksRUFBRSxFQUNsRCxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7Z0JBRUYsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUseUJBQXlCLENBQUMsQ0FBQztnQkFFNUMsNEJBQTRCO2dCQUM1QixJQUFJLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsRUFBRTtvQkFDeEIsSUFBSSxDQUFDLEtBQUssR0FBRyxLQUFLLENBQUM7b0JBQ25CLElBQUksQ0FBQyxRQUFRLEdBQUcsS0FBSyxDQUFDO2dCQUN4QixDQUFDLENBQUMsQ0FBQztnQkFFSCx3QkFBd0I7Z0JBQ3hCLEVBQUUsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUFDO1lBQ25DLENBQUM7WUFFRCxxQ0FBcUM7WUFDckMsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLFNBQVMsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksR0FBRyxDQUFDLEVBQUUsQ0FBQztnQkFDcEQsS0FBSyxNQUFNLENBQUMsR0FBRyxFQUFFLENBQUMsQ0FBQyxJQUFJLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQztvQkFDbkMsTUFBTSxDQUFDLE1BQU0sRUFBRSxPQUFPLENBQUMsR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDO29CQUV6QyxJQUFJLENBQUM7d0JBQ0gsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3pCLEdBQUcsYUFBYSxDQUFDLE9BQU8sZUFBZSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxPQUFPLEVBQUUsRUFDNUUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxVQUFVLEVBQ3hCLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxDQUMzQixDQUFDO3dCQUVGLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLGtCQUFrQixPQUFPLFNBQVMsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQyxDQUFDO29CQUNqRixDQUFDO29CQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7d0JBQ2IsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsMkJBQTJCLE9BQU8sS0FBSyxHQUFHLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztvQkFDekUsQ0FBQztnQkFDSCxDQUFDO2dCQUVELElBQUksQ0FBQyxNQUFNLENBQUMsS0FBSyxFQUFFLENBQUM7WUFDdEIsQ0FBQztZQUVELDhDQUE4QztZQUM5QyxNQUFNLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1lBRWhDLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLG9DQUFvQyxDQUFDLENBQUM7UUFDekQsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixJQUFJLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxpQ0FBaUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7WUFDbEUsTUFBTSxHQUFHLENBQUM7UUFDWixDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ksUUFBUTtRQUNiLElBQUksQ0FBQztZQUNILElBQUksY0FBYyxHQUFHLEVBQUUsQ0FBQztZQUV4Qix3Q0FBd0M7WUFDeEMsS0FBSyxJQUFJLENBQUMsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDO2dCQUNoRCxNQUFNLElBQUksR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO2dCQUUzQixJQUFJLElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQztvQkFDZix1REFBdUQ7b0JBQ3ZELE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxZQUFZLENBQUMsT0FBTyxDQUFDLFVBQVUsRUFBRSxhQUFhLENBQUMsQ0FBQztvQkFDeEUsY0FBYyxJQUFJLEdBQUcsVUFBVSxJQUFJLENBQUM7Z0JBQ3RDLENBQUM7WUFDSCxDQUFDO1lBRUQsbURBQW1EO1lBQ25ELElBQUksY0FBYyxFQUFFLENBQUM7Z0JBQ25CLDBCQUEwQjtnQkFDMUIsRUFBRSxDQUFDLGFBQWEsQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFLGNBQWMsQ0FBQyxDQUFDO2dCQUVwRCxvQkFBb0I7Z0JBQ3BCLElBQUksQ0FBQyxvQkFBb0IsQ0FDdkIsR0FBRyxhQUFhLENBQUMsT0FBTyxPQUFPLElBQUksQ0FBQyxZQUFZLEVBQUUsRUFDbEQsSUFBSSxDQUFDLFFBQVEsQ0FBQyxVQUFVLEVBQ3hCLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxDQUMzQixDQUFDO2dCQUVGLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLHlCQUF5QixDQUFDLENBQUM7Z0JBRTVDLDRCQUE0QjtnQkFDNUIsSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLEVBQUU7b0JBQ3hCLElBQUksQ0FBQyxLQUFLLEdBQUcsS0FBSyxDQUFDO29CQUNuQixJQUFJLENBQUMsUUFBUSxHQUFHLEtBQUssQ0FBQztnQkFDeEIsQ0FBQyxDQUFDLENBQUM7Z0JBRUgsd0JBQXdCO2dCQUN4QixFQUFFLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQztZQUNuQyxDQUFDO1lBRUQscUNBQXFDO1lBQ3JDLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxTQUFTLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLEdBQUcsQ0FBQyxFQUFFLENBQUM7Z0JBQ3BELEtBQUssTUFBTSxDQUFDLEdBQUcsRUFBRSxDQUFDLENBQUMsSUFBSSxJQUFJLENBQUMsTUFBTSxFQUFFLENBQUM7b0JBQ25DLE1BQU0sQ0FBQyxNQUFNLEVBQUUsT0FBTyxDQUFDLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQztvQkFFekMsSUFBSSxDQUFDO3dCQUNILElBQUksQ0FBQyxvQkFBb0IsQ0FDdkIsR0FBRyxhQUFhLENBQUMsT0FBTyxlQUFlLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxJQUFJLE9BQU8sRUFBRSxFQUM1RSxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7b0JBQ0osQ0FBQztvQkFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO3dCQUNiLCtCQUErQjtvQkFDakMsQ0FBQztnQkFDSCxDQUFDO1lBQ0gsQ0FBQztZQUVELDZEQUE2RDtZQUM3RCxJQUFJLENBQUMsc0JBQXNCLEVBQUUsQ0FBQztZQUU5QixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxvQ0FBb0MsQ0FBQyxDQUFDO1FBQ3pELENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsaUNBQWlDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1FBQ3BFLENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMsa0JBQWtCO1FBQzlCLG9EQUFvRDtRQUNwRCxLQUFLLE1BQU0sTUFBTSxJQUFJLENBQUMsSUFBSSxFQUFFLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDbkMsMkJBQTJCO1lBQzNCLElBQUksTUFBTSxLQUFLLEtBQUssSUFBSSxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsV0FBVyxFQUFFLENBQUM7Z0JBQ25ELFNBQVM7WUFDWCxDQUFDO1lBRUQsSUFBSSxDQUFDO2dCQUNILHdCQUF3QjtnQkFDeEIsTUFBTSxXQUFXLEdBQUcsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLE1BQU0sRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLENBQUM7Z0JBQ25FLElBQUksQ0FBQyxXQUFXLEVBQUUsQ0FBQztvQkFDakIsU0FBUztnQkFDWCxDQUFDO2dCQUVELG1DQUFtQztnQkFDbkMsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3hDLEdBQUcsYUFBYSxDQUFDLE9BQU8sZUFBZSxNQUFNLElBQUksSUFBSSxDQUFDLFNBQVMsRUFBRSxFQUNqRSxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7Z0JBRUYsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsQ0FBQztnQkFFekMsSUFBSSxDQUFDLFFBQVEsRUFBRSxDQUFDO29CQUNkLDRCQUE0QjtvQkFDNUIsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQ3pCLEdBQUcsYUFBYSxDQUFDLE9BQU8saUJBQWlCLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxFQUFFLEVBQ25FLElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUN4QixJQUFJLENBQUMsUUFBUSxDQUFDLFlBQVksQ0FDM0IsQ0FBQztvQkFFRixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSx1QkFBdUIsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQyxDQUFDO2dCQUN0RSxDQUFDO1lBQ0gsQ0FBQztZQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7Z0JBQ2IsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsNkJBQTZCLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQ2hFLENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssc0JBQXNCO1FBQzVCLG9EQUFvRDtRQUNwRCxLQUFLLE1BQU0sTUFBTSxJQUFJLENBQUMsSUFBSSxFQUFFLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDbkMsMkJBQTJCO1lBQzNCLElBQUksTUFBTSxLQUFLLEtBQUssSUFBSSxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsV0FBVyxFQUFFLENBQUM7Z0JBQ25ELFNBQVM7WUFDWCxDQUFDO1lBRUQsSUFBSSxDQUFDO2dCQUNILHdCQUF3QjtnQkFDeEIsTUFBTSxpQkFBaUIsR0FBRyxJQUFJLENBQUMsb0JBQW9CLENBQ2pELEdBQUcsYUFBYSxDQUFDLE9BQU8sZ0JBQWdCLE1BQU0sRUFBRSxFQUNoRCxJQUFJLENBQUMsUUFBUSxDQUFDLFVBQVUsRUFDeEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQzNCLENBQUM7Z0JBRUYsTUFBTSxXQUFXLEdBQUcsaUJBQWlCLENBQUMsUUFBUSxDQUFDLFNBQVMsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQyxDQUFDO2dCQUVwRixJQUFJLENBQUMsV0FBVyxFQUFFLENBQUM7b0JBQ2pCLFNBQVM7Z0JBQ1gsQ0FBQztnQkFFRCxtQ0FBbUM7Z0JBQ25DLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxvQkFBb0IsQ0FDdEMsR0FBRyxhQUFhLENBQUMsT0FBTyxlQUFlLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxFQUFFLEVBQ2pFLElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUN4QixJQUFJLENBQUMsUUFBUSxDQUFDLFlBQVksQ0FDM0IsQ0FBQztnQkFFRixNQUFNLFFBQVEsR0FBRyxNQUFNLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxDQUFDO2dCQUV6QyxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7b0JBQ2QsNEJBQTRCO29CQUM1QixJQUFJLENBQUMsb0JBQW9CLENBQ3ZCLEdBQUcsYUFBYSxDQUFDLE9BQU8saUJBQWlCLE1BQU0sSUFBSSxJQUFJLENBQUMsU0FBUyxFQUFFLEVBQ25FLElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxFQUN4QixJQUFJLENBQUMsUUFBUSxDQUFDLFlBQVksQ0FDM0IsQ0FBQztvQkFFRixJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSx1QkFBdUIsTUFBTSxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQyxDQUFDO2dCQUN0RSxDQUFDO1lBQ0gsQ0FBQztZQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7Z0JBQ2IsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsNkJBQTZCLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQ2hFLENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ksTUFBTSxDQUFDLEtBQUssQ0FBQyxVQUFVO1FBQzVCLElBQUksQ0FBQztZQUNILDJDQUEyQztZQUMzQyxNQUFNLE1BQU0sR0FBRyxNQUFNLFNBQVMsQ0FBQyxHQUFHLGFBQWEsQ0FBQyxPQUFPLGVBQWUsQ0FBQyxDQUFDO1lBRXhFLHFCQUFxQjtZQUNyQixNQUFNLFlBQVksR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxrREFBa0QsQ0FBQyxDQUFDO1lBRTdGLElBQUksWUFBWSxFQUFFLENBQUM7Z0JBQ2pCLEtBQUssTUFBTSxVQUFVLElBQUksWUFBWSxFQUFFLENBQUM7b0JBQ3RDLGdDQUFnQztvQkFDaEMsTUFBTSxXQUFXLEdBQUcsVUFBVSxDQUFDLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQyxDQUFDO29CQUM3RCxJQUFJLFdBQVcsRUFBRSxDQUFDO3dCQUNoQixNQUFNLE1BQU0sR0FBRyxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUM7d0JBQzlCLE1BQU0sU0FBUyxHQUFHLFdBQVcsQ0FBQyxDQUFDLENBQUMsQ0FBQzt3QkFFakMsbUJBQW1CO3dCQUNuQixNQUFNLFNBQVMsQ0FBQyxHQUFHLGFBQWEsQ0FBQyxPQUFPLGlCQUFpQixNQUFNLElBQUksU0FBUyxFQUFFLENBQUMsQ0FBQzt3QkFDaEYsT0FBTyxDQUFDLEdBQUcsQ0FBQyxpQkFBaUIsTUFBTSxJQUFJLFNBQVMsaUNBQWlDLENBQUMsQ0FBQztvQkFDckYsQ0FBQztnQkFDSCxDQUFDO1lBQ0gsQ0FBQztpQkFBTSxDQUFDO2dCQUNOLE9BQU8sQ0FBQyxHQUFHLENBQUMsMENBQTBDLENBQUMsQ0FBQztZQUMxRCxDQUFDO1FBQ0gsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixPQUFPLENBQUMsS0FBSyxDQUFDLHdCQUF3QixHQUFHLEVBQUUsQ0FBQyxDQUFDO1FBQy9DLENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSSxNQUFNLENBQUMsY0FBYztRQUMxQixJQUFJLENBQUM7WUFDSCwyQ0FBMkM7WUFDM0MsTUFBTSxNQUFNLEdBQUcsUUFBUSxDQUFDLEdBQUcsYUFBYSxDQUFDLE9BQU8sZUFBZSxDQUFDLENBQUMsUUFBUSxFQUFFLENBQUM7WUFFNUUscUJBQXFCO1lBQ3JCLE1BQU0sWUFBWSxHQUFHLE1BQU0sQ0FBQyxLQUFLLENBQUMsa0RBQWtELENBQUMsQ0FBQztZQUV0RixJQUFJLFlBQVksRUFBRSxDQUFDO2dCQUNqQixLQUFLLE1BQU0sVUFBVSxJQUFJLFlBQVksRUFBRSxDQUFDO29CQUN0QyxnQ0FBZ0M7b0JBQ2hDLE1BQU0sV0FBVyxHQUFHLFVBQVUsQ0FBQyxLQUFLLENBQUMsc0JBQXNCLENBQUMsQ0FBQztvQkFDN0QsSUFBSSxXQUFXLEVBQUUsQ0FBQzt3QkFDaEIsTUFBTSxNQUFNLEdBQUcsV0FBVyxDQUFDLENBQUMsQ0FBQyxDQUFDO3dCQUM5QixNQUFNLFNBQVMsR0FBRyxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUM7d0JBRWpDLG1CQUFtQjt3QkFDbkIsUUFBUSxDQUFDLEdBQUcsYUFBYSxDQUFDLE9BQU8saUJBQWlCLE1BQU0sSUFBSSxTQUFTLEVBQUUsQ0FBQyxDQUFDO3dCQUN6RSxPQUFPLENBQUMsR0FBRyxDQUFDLGlCQUFpQixNQUFNLElBQUksU0FBUyxpQ0FBaUMsQ0FBQyxDQUFDO29CQUNyRixDQUFDO2dCQUNILENBQUM7WUFDSCxDQUFDO2lCQUFNLENBQUM7Z0JBQ04sT0FBTyxDQUFDLEdBQUcsQ0FBQywwQ0FBMEMsQ0FBQyxDQUFDO1lBQzFELENBQUM7UUFDSCxDQUFDO1FBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztZQUNiLE9BQU8sQ0FBQyxLQUFLLENBQUMsNEJBQTRCLEdBQUcsRUFBRSxDQUFDLENBQUM7UUFDbkQsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEdBQUcsQ0FBQyxLQUEwQyxFQUFFLE9BQWUsRUFBRSxJQUEwQjtRQUNqRyxJQUFJLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxhQUFhLElBQUksQ0FBQyxLQUFLLEtBQUssTUFBTSxJQUFJLEtBQUssS0FBSyxPQUFPLENBQUMsRUFBRSxDQUFDO1lBQzVFLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxTQUFTLEdBQUcsSUFBSSxJQUFJLEVBQUUsQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUUzQyxNQUFNLE9BQU8sR0FBRztZQUNkLFNBQVM7WUFDVCxLQUFLLEVBQUUsS0FBSyxDQUFDLFdBQVcsRUFBRTtZQUMxQixPQUFPO1lBQ1AsR0FBRyxJQUFJO1lBQ1AsT0FBTyxFQUFFO2dCQUNQLFFBQVEsRUFBRSxJQUFJLENBQUMsT0FBTztnQkFDdEIsS0FBSyxFQUFFLElBQUksQ0FBQyxTQUFTO2FBQ3RCO1NBQ0YsQ0FBQztRQUVGLHFFQUFxRTtRQUNyRSxNQUFNLE9BQU8sR0FBRyxJQUFJLENBQUMsUUFBUSxDQUFDLFNBQVMsS0FBSyxNQUFNLENBQUM7UUFFbkQsSUFBSSxPQUFPLEVBQUUsQ0FBQztZQUNaLE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsT0FBTyxDQUFDLENBQUM7WUFDMUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxTQUFTLENBQUMsQ0FBQztZQUN2QixPQUFPO1FBQ1QsQ0FBQztRQUVELG9CQUFvQjtRQUNwQixNQUFNLE9BQU8sR0FBRyxJQUFJLENBQUMsQ0FBQyxDQUFDLElBQUksSUFBSSxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFFdkQsUUFBUSxLQUFLLEVBQUUsQ0FBQztZQUNkLEtBQUssTUFBTTtnQkFDVCxPQUFPLENBQUMsR0FBRyxDQUFDLElBQUksU0FBUyxZQUFZLE9BQU8sR0FBRyxPQUFPLEVBQUUsQ0FBQyxDQUFDO2dCQUMxRCxNQUFNO1lBQ1IsS0FBSyxNQUFNO2dCQUNULE9BQU8sQ0FBQyxJQUFJLENBQUMsSUFBSSxTQUFTLFlBQVksT0FBTyxHQUFHLE9BQU8sRUFBRSxDQUFDLENBQUM7Z0JBQzNELE1BQU07WUFDUixLQUFLLE9BQU87Z0JBQ1YsT0FBTyxDQUFDLEtBQUssQ0FBQyxJQUFJLFNBQVMsYUFBYSxPQUFPLEdBQUcsT0FBTyxFQUFFLENBQUMsQ0FBQztnQkFDN0QsTUFBTTtZQUNSLEtBQUssT0FBTztnQkFDVixPQUFPLENBQUMsR0FBRyxDQUFDLElBQUksU0FBUyxhQUFhLE9BQU8sR0FBRyxPQUFPLEVBQUUsQ0FBQyxDQUFDO2dCQUMzRCxNQUFNO1FBQ1YsQ0FBQztJQUNILENBQUMifQ==
|