From eba000ee582cb7388bd6b2bf7c7b35725c4bb6ab Mon Sep 17 00:00:00 2001
From: DL6ER
Date: Sun, 4 Apr 2021 16:10:32 +0200
Subject: [PATCH] Add FTL interface configuration documentation

Signed-off-by: DL6ER
---
 docs/ftldns/interfaces.md | 42 ++++++++++++++++++++++++++++
 docs/images/interface-listening.png | Bin 0 -> 25635 bytes
 mkdocs.yml | 1 +
 3 files changed, 43 insertions(+)
 create mode 100644 docs/ftldns/interfaces.md
 create mode 100644 docs/images/interface-listening.png

diff --git a/docs/ftldns/interfaces.md b/docs/ftldns/interfaces.md
new file mode 100644
index 0000000..ced9034
--- /dev/null
+++ b/docs/ftldns/interfaces.md
@@ -0,0 +1,42 @@ +# Interface binding behavior + +## Interface listening settings + +Pi-hole offers three choices for interface listening behavior on its dashboard: + +![Available interface listening behavior settings](/images/interface-listening.png) + +### Listen on all interfaces + +This setting accepts DNS queries only from hosts whose address is on a local subnet, i.e. a subnet for which an interface exists on the server. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks if (accidentally) running public. + +The `dnsmasq` option `local-service` is used. + +### Listen only on interface `eth0` + +Listen only on the specified interface. The loopback (`lo`) interface is automatically added to the list of interfaces to use when this option is used. When the optional settings `bind-interfaces` or `bind-dynamic` are in effect, IP alias interface labels (e.g. `eth1:0`) are checked, rather than interface names. + +In the degenerate case when an interface has one address, this amounts to the same thing but when an interface has multiple addresses it allows control over which of those addresses are accepted. The same effect is achievable in default mode by using `listen-address`. + +The `dnsmasq` option `interface=eth0` is used (the interface may be different). + +### Listen on all interfaces, permit all origins + +We intentionally add this option to disable any possible `local-service` settings from other files. This truly allows any traffic to be replied to and a dangerous thing to do. You should always ask yourself if the first option doesn't work for you as well. + +The `dnsmasq` option `except-interface=nonexisting` is used. + +## Technical details + +By default, FTL binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn't reply to. 
This has the big advantage of working even when interfaces come and go and change address (this happens way more often than one would think). + +If this is not what you want, you can add the option + +``` plain +bind-interfaces +``` + +to some file like `/etc/dnsmasq.d/99-user.conf` and see [the comment above](#listen-only-on-interface-eth0). This config forces FTL to really bind only the interfaces it is listening on. +About the only time when this is useful is when running another nameserver on the same port on the same machine. + +{!abbreviations.md!} 
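Review bot: In the "Listen on all interfaces, permit all origins" section, the sentence "This truly allows any traffic to be replied to and a dangerous thing to do" is missing a verb and never names the danger. The first section already says that `local-service` keeps an accidentally public install from being used for DNS amplification attacks, so state here that `except-interface=nonexisting` gives up that protection, for example: "This replies to queries from any origin and is dangerous: if the host is reachable from the internet, it can be used for DNS amplification attacks." Separately, under "Listen only on interface `eth0`", the phrase "this amounts to the same thing" has no antecedent in the paragraph before it; say what is being compared (alias labels versus interface names) or drop the sentence. In the closing `bind-interfaces` paragraph, "see the comment above" would be clearer if it said what the reader should take from that section (the alias-label behavior).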
diff --git a/docs/images/interface-listening.png b/docs/images/interface-listening.png new file mode 100644 index 0000000000000000000000000000000000000000..9b9984e9b46a4d0093ef34667168cdb988e73823 GIT binary patch literal 25635