shorewall-core-5.2.8-bp155.4.6 >  A dkPΊI%z  ŖWf'3(Ƴ%}} oV{iw *:7vM38RHʥl&I8`39SwLVRA=_Yty9L$;c0TAYP’7K-`H/oV}RSprF]7B")۳+Nt;6S*HKۻF_GZAYbj22&m-Y&UʖǸ -:.n tqSg$:2>0]=+uPDPA >NkIxEnǷ= jYzR7{>fvf8x.XHonK{m@"3 `1EB"1Kk-By_tnYrd8`j(tna(X|+Ef٧){ gb˜ %r.dʙhz%ܡf#Z܇3w9b76c5aa940e474bd24782c386eba804532238d15adb31f7f88de4abb3eef453ee78162d35be799e4536a9d507f890b645c9fb08؉dkPΊI%z M"V~pl M5Ձrz$F4;N -Fpp [We]媃S MÐ1Is2pDPQOH_Q!XJAe},LcJBSmi 2-rU{qv> ж^XҀ zbts3ޓ "ge\XQ̼o%73$bQa^M )eb%Q5Fj{ \BooD]*|rIH92 gֹ|[KMAj1N~: 6:[%8SOB"Ua,6}7!4TJ +Y:- :tgI}[P$R878qp>?d ! >x|  `     H L\x(8999: 9FGHI<XLYP\`]^TbcdefluvPwxy$z,<@FCshorewall-core5.2.8bp155.4.6Core libraries for ShorewallThis package contains the core libraries for Shorewall.dkPbuild77,SUSE Linux Enterprise 15 SP5openSUSEGPL-2.0-onlyhttps://bugs.opensuse.orgProductivity/Networking/Securityhttp://www.shorewall.net/linuxnoarch'F]# zEWy~jAA큤A큤dkPdkPdkPdkP_m_mg_mgdkPdkPdkPdkPdkPdkPdkPdkPdkPa6e724b9bb988192cb2619489e1bc1210a99676dcdad32f74df2730278f62982f874f6830f193b07bc31e736f65b95ebf48556aac05f172e24add9daaa8d119052a3e0fa854435ff6d3e41be2ab42bac07c7c97976c41ad9e0ac82446a8ebadb207d981292ca395ceaa05af027f04ec85ad0e9d6f0ccada9f378a3660de9c20c746c24eefd1ec97693f21420104f06a18ff8f2dbfc441005163178c54c1e2fb496cbba0b6bc9a09d588b1a2de0a078ffcb35a31827e7ff1aaa9817df42caac88f4cc4a387c7cd835315318d49d5669439725c639accc47d16ff0ec5d2e2b9a2caf9ded99bbe8db4c6d0d3c1dea70226a1b689d50d4350384a7945642de6683ce4159a9e3a95d2ef09b8b0041b40f50fbbcf72743af3ec6e242f3f6103791ef8b60d09fd28efa421d577a12f650c883290e19ba9fd7677fbc3b4c8b97064f88aae222376ce42b339fe0e5c69d4927975c544cd500009ce9c3dddb8d5c7046305fedf67088358c379689d74423493027ca6e5e881062c8b6017fa36356d61b5c66lib.baserootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootshorewall-5.2.8-bp155.4.6.src.rpmshorewall-core@    /bin/shiptablesperl-baserpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3ccAc_/@__o-@_A_c^@^^^1^^v^0^n^h^J@^8 @^)]o@\r@\v{\q5\V\/JZ>Z1@Z7Y@YYf@YTYJ_YA%@X[XrX,XN@XGVU@UUa@UKSU-@U@U@T@TÉ@TNT@T@TT@Tq@TZ@Thorsten Kukuk Bruno Friedmann Bruno Friedmann Bruno Friedmann Togan Muftuoglu Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Dominique Leuenberger Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann Bruno Friedmann bruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.cholaf@aepfle.debruno@ioda-net.chalarrosa@suse.combruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgdimstar@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.org- Add /etc/sysconfig/network hierachy, as this don't exist by default anymore- Add %dir %{_distconfdir} stop build failing on Leap- **Warning** this is the last patch revision to shorewall. No migration to manage nft will happen upstream. Be prepared to package removal, and migrate to firewalld. - Add shorewall-fix-install-manpages.patch fix boo#1203006 - Update spec copyright and macros - Move /etc to /usr for Networkmanager and logrotate - Update rpmlint check list- Rework xt_geo_ip fixes by using dynamic patching with find which is less burden and confusing than manual patches series. - Add dynamic patching for *.service with removing like upstream the obsolete StandardOutput=syslog until new release- Correct the xt_geo_ip locations - Correct output to journal- Update to version 5.2.8 (Upgrade your configuration) https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.8/releasenotes.txt + Certain restrictions that apply to wildcard interfaces (interface name ends in '+') were previously not enforced when the logical interface name did not end in '+' but the physical interface name did end in '+'. That has been corrected. + To ensure that error messages appear in the correct place in the output stream, stderr is now redirected to stdout when the configured PAGER is used by a command. + Since Shorewall 5.1.0, the Shorewall uninstall.sh script has incorrectly removed ${SBINDIR}/shorewall, while the Shorewall-core uninstall.sh script has failed to remove that file. Both scripts have been corrected. + Previously, the Shorewall CLI included a spurious hyphen ('-') between the product name (e.g., 'Shorewall6') and the version when printing a command output banner. + The shorewall-snat(5) manpage previously stated that a comma-separated list of IP address could be specified for SNAT. That statement was in error and has been removed. As part of this change, IPv4 Example 6 has been updated to use the PROBABILITY column. - New features + 'show tc' command now shows the classifiers associated with each interface (as displayed by the 'show classifiers' command). This integrated qdisc/filter information is also included in the output of the 'dump' command. This change deprecates the 'show classifiers' ('show filters') command, as that command's output is now included in the 'show tc' output. + Shorewall6 has traditionally generated rules for IPv6 anycast addresses. These rules include: a) Packets with these destination IP addresses are dropped by REJECT rules. b) Packets with these source IP addresses are dropped by the 'nosmurfs' interface option and by the 'dropSmurfs' action. c) Packets with these destination IP addresses are not logged during policy enforcement. d) Packets with these destination IP addresses are processes by the 'Broadcast' action. Beginning with this release, individual network interfaces can be excluded from this treatment through use of the 'omitanycast' option in /etc/shorewall6/interfaces. Note: This option was named 'noanycast' in earlier Beta releases. + Duplicate function names have been eliminated between the Shorewall-core lib.cli shell library and the Shorewall lib.cli-std library. + The 'status' command in Shorewall[6]-lite now precedes the configuration directory name with the administrative host name separated with a colon (":"). + Tuomo Soini has contributed a macro that handles NFS v1.4 (no dynamic ports). - Packaging: + Add buildrequires for pkgconfig (missing) + Use macro for sbindir- Update to version 5.2.7 + **Upgrade your configuration** https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.7/releasenotes.txt + Previously, it was not possible to classify traffic by destination IP address when using an Intermediate Functional Block (IFB) for traffic shaping. This is because such classification takes place before the traffic passes through the mangle PREROUTING chain. Such filtering is now possible by setting the 'connmark' option in the tcdevices file. This option causes the current connection mark to be copied to the packet mark prior to filtering, thus allowing the packet mark to be used for classification. This change adds a new CONNMARK_ACTION capability which is required to be able to specify the 'connmark' option. + The tcpri file now supports ?FORMAT 2 which inserts an SPORT column directly to the right of the PORT column. As part of this change, the PORT column is renamed to DPORT while allowing both 'port' and 'dport' to be used in the alternate input format. See shorewall-tcpri(5) and http://shorewall.org/simple_traffic_shaping.html for additional information. + The Simple TC document is now linked to FAQs 97 and 97a.- Update to version 5.2.6 + **Upgrade your configuration** https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.6/releasenotes.txt + When compiling for export, the compiler generates a firewall.conf file which is later installed on the remote firewall system as ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was not processing the file, resulting in some features not being available: - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, DYNAMIC_BLACKLIST and PAGER are not supplied. - scfilter file supplied at compile time. - dumpfilter file supplied at compile time. That has been corrected. + A bug in iptables (see https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) prevents the '--queue-cpu-fanout' option from being applied unless that option is the last one specified. Unfortunately, Shorewall places the '--queue-bypass' option last if that option is also specified. This release works around this issue by ensuring that the '--queue-cpu-fanout' option appears last. + The -D 'compile', 'check', 'reload' and 'Restart' option was previously omitted from the output of 'shorewall help'. It is now included. As part of this change, an incorrect and conflicting description of the -D option was removed from the 'remote-restart' section of shorewall(8). + Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT policies were not completely optimized by optimize level 2 (ACCEPT rules preceding the final unconditional ACCEPT were not deleted). That has been corrected such that these rules are now optimized.- Update to version 5.2.5.2 https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.5/releasenotes.txt + 5.2.5.2 Previously, ";;+" was mishandled in the snat file; the generated rule incorrectly included the leading "+". That has been corrected so that the generated rule is now correct. Example (SNAT OpenVPN server traffic leaving on eth0): SNAT(192.2.0.4) - eth0 ;;+ -p udp --sport 1194 + 5.2.5.1 - The change in 5.2.5 base which changed the 'user' facility to the 'daemon' facility in Shorewall syslog messages did not change the messages with severity 'err'. That has been corrected such that all syslog messages now use the 'daemon' facility. - The actions.std file contains "?IF...?ELSE...?ENDIF" sequences that provide different action options depending on the availabilty of certain capabilities. This has resulted in the Broadcast and Multicast options being listed twice in the output of "shorewall[6] show actions". Beginning with this release, this duplication is eliminated. Note, however, that the options shown will be incomplete if they were continued onto another line, and may be incorrect for Broadcast and Multicast. - A typo in shorewall-providers(5) has been corrected. + 5.2.5 Base - Previously, Shorewall-init installed a 'shorewall' script in /etc/network/if-down.d on Debian and derivatives. This script was unnecessary and required Debian-specific code in the generated firewall script. The Shorewall-init script is no longer installed and the generated firewall script is now free of distribution-specific code. - Also on Debian and derivatives, Shorewall-init installed /etc//NetworkManager/dispatcher.d/01-shorewall which was also unnecessary. Beginning with this release, that file is no longer installed. - Previously, if the dynamic-blacklisting default timeout was set in a variable in the params file and the variable was used in setting DYNAMIC_BLACKLIST, then the 'allow' command would fail with the message: ERROR: Invalid value (ipset-only,disconnect,timeout=) for DYNAMIC_BLACKLIST That has been corrected. - When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex rulesets are enforced in chains such as 'net-all' and 'all-all'. Previously, these chains included redundant state-oriented rules. In addition to being redundant. these rules could actually break complex IPv6 configurations. The extra rules are now omitted.- Update to bugfix version 5.2.4.5 + The description of the 'optional' option has been expanded in shorewall-interfaces(5). + Previously, the AUTOMAKE option did not work properly when /etc/shorewall[6] was a symbolic link. That has been corrected. - Packaging + Remove broken %pretrans, move content to %pre + Remove use of %release in rpm scriptlet + This will avoid constant rebuild.- Update to bugfix version 5.2.4.4 + When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in shorewall[6].conf, 'shorewall[6] start' could hang. Fixed. + 'shorewall[6] start' would not automatically create dynamic blacklisting ipsets. That has been corrected. - This version will served also as maintenance upgrade for Leap- Update to version 5.2.4.2 https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.4/releasenotes.txt + Fixes for debian - Update to version 5.2.4.1 + Fixes for openSUSE shorewall-init will now ignore 'start' and 'stop' commands, for running firewalls + Spurious messages have been removed - Packaging + Move /usr/sbin/shorewall to shorewall-core so -lite version doesn't need main shorewall package + To make shorewall remote-* command working we patch lib.cli-std to use /usr/sbin instead of /sbin + commented spec + Desactivate for the moment the upgrade warning. we need to find a 100% working solution. + use %{var} form everywhere- Add perl-base as buildrequirement to force choice of SHA-DIGEST new problem in TW - To fix boo#1166114 never restart shorewall-init.service macro service_del_postun is replaced by simplier systemd_postun - Remove conflict between main and lite package. A managing station need main to build configuration and can use - lite to execute it. Users are in charge of choosing which service has to be started and used. ❤ Freedom- Remove shorewall require from shorewall-init (was a forgoten action)- Update to version 5.2.4 https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.4/releasenotes.txt + Previously, when a Shorewall6 firewall was placed into the 'stopped' state, ICMP6 packets required by RFC 4890 were not automatically accepted by the generated ruleset. Beginning with this release, those packets are automatically accepted. + Previously, the output of 'shorewall[6] help' displayed the superseded 'load' command. That text has been deleted. + The QOSExample.html file in the documentation and on the web site previously showed tcrules content for the /etc/shorewall/mangle file (recall that 'mangle' superseded 'tcrules'). That page has been corrected. + The 'Starting and Stopping' and 'Configuration file basics' documents have been updated to align them with the current product behavior. + The 'ipsets' document has been updated to clarify the use of ipsets in the stoppedrules file. - Packaging + shorewall-init package has a removed %service_del_postun macro to close bug boo#1166114 Restarting this service can lock down admin out of the system. + shorewall(6) and shorewall(6)-lite conflict has they shouldn't be installed together on the same system. + conf_update flag is set to 1 to activate update reminder + Adjust and cleanup requires- Add version to requires in -lite version- Update to minor bugfix version 5.2.3.7 + When DOCKER=Yes, if both the DOCKER-ISOLATE and DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-* chains were not preserved through shorewall state changes. That has been corrected so that both chains are preserved if present. + Previously, the compiler always detected the OLD_CONNTRACK_MATCH capability as being available in IPv6. When OLD_CONNTRACK_MATCH was available, the compiler also mishandled inversion ('!') in the ORIGDEST columns, leading to an assertion failure. Both the incorrect capability detection and the mishandled inversion have been corrected. + During 'enable' processing, if address variables associated with the interface have values different than those when the firewall was last started/restarted/reloaded, then a 'reload' is performed rather than a simple 'enable'. The logic that checks for those changes was incorrect in some configurations, leading to unneeded reload operations. That has been corrected. + When MANGLE_ENABLED=No in shorewall[6].conf, some features requiring use of the mangle table can be allowed, even though the mangle table is not updated. That has been corrected such that use of such features will raise an error. + When the IfEvent(...,reset) action was invoked, the compiler previously emitted a spurious "Resetting..." message. That message has been suppressed. - Packaging + Do not provide anymore unsused notrack file + Introduce define conf_need_update to track when we activate the post update warning for users when there's minor or major version update of shorewall bnc#1166114- Update to bugfix minor 5.2.3.6 + Fix for possible start failure when both Docker containers and Libvirt VMs were in use.- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut through the -mini flavors.- Update to bugfix minor 5.2.3.5 + A typo in the FTP documentation has been corrected. + The recommended mss setting when using IPSec with ipcomp has been corrected. + A number of incorrect links in the manpages have been corrected. + The 'bypass' option is now allowed when specifying an NFQUEUE policy. Previously, specifying that option resulted in an error. + Corrected IPv6 Address Range parsing. + Previously, such ranges were required to be of the form [-] rather than the more standard form []-[]. In the snat file (and in nat actions), the latter form was actually flagged as an error while in other contexts, it resulted in a less obvious error being raised. + The manpages have been updated to refer to https://shorewall.org rather than http://www.shorewall.org. - Refresh spec file- Update to bugfix minor 5.2.3.4 + Update release documents. + Correct handling of multi-queue NFQUEUE as a policy. + Correct handling of multi-queue NFQUEUE as a macro parameter. + Make 'AUTOMAKE=No' the update default. + Correct the description of the 'bypass' NFQUEUE option in shorewall-rules(5).- Update to bugfix minor 5.2.3.3 Previously, if an ipset was specified in an SPORT column, the compiler would raise an error similar to: ERROR: Invalid ipset name () /etc/shorewall/rules (line 44) - Update to bugfix minor 5.2.3.2 Shorewall 5.2 automatically converts an existing 'masq' file to an equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that automatic update, such that the following error message was issued: Use of uninitialized value $Shorewall::Nat::raw::currentline in pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm line 511, <$currentfile> line nnn. and the generated 'masq' file contains only initial comments. That has been corrected.- Update to bugfix minor 5.2.3.1 release + An issue in the implementation of policy file zone exclusion, released in 5.2.3 has been resolved. In the original release, if more than one zone was excluded then the following error was raised: ERROR: 'all' is not allowed in a source zone list etc/shorewall/policy (line ...)- Update to new 5.2.3 bugfix release http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.3/releasenotes.txt This is the retirement of Tom Eastep see. https://sourceforge.net/p/shorewall/mailman/message/36589782/ - Removed module* in file section - Clean-up changes and spec (trailing slashes)- Update to new 5.2.2 bugfix release http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.2/releasenotes.txt - Packaging: + As seen with upstream recommend running shorewall update on all version update + to be done: run update automatically- Update to major version 5.2.1.4 A lot of changes occurs since last package please consult http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.1/releasenotes.txt and the know problem list at http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.1/known_problems.txt - Update your configuration shorewall update - Packaging: renew spec file with spec-cleaner- Changes in 5.1.12.3 Problems Corrected: When 'reset' and 'dst' were specified to the IfEvent action, the action would incorrectly attempt to reset the event for the SOURCE IP address rather than the DEST address. That has been corrected.- spec : + Minimal changes with spec-cleaner + Stop conflicting with other firewall (SuSEFirewall2, firewalld) User can have several management tools, and it help preparing a migration - Run shorewall(6) update -A to update your configurations Check and adapt them before restarting. - Changes in 5.1.12.3 + Update release documents. + Ensure that mutex gets released at exit. - Changes in 5.1.12.2 + Alter documentation to prefer ';;' over ';' in INLINE and IP[6]TABLES rules. + Make 'update' convert ';' to ';;' in INLINE, IPTABLES and IP6TABLES rules. + Correct typo that resulted in an "unknown function" Perl diagnostic. + Correct "Invalid policy" message. + Fix omitted SYN limiting. - Changes in 5.1.12.1 + Replace macro.SSDPServer with corrected macro.SSDPserver. - Changes in 5.1.12 Final + Update release documents. + Add INLINE_MATCHES=Yes to the deprecated list. - Changes in 5.1.12 RC 1 + Update release documents. + Minor performance enhancements to Optimize Category 8. + Always report IPSET_MATCH. - Changes in 5.1.12 Beta 2 + Delete undocumented OPTIMIZE_USE_FIRST option. + Merge 5.1.11. + Suppress trailing whitespace. + Avoid awkward blank lines. - Changes in 5.1.12 Beta 1 + Code and manpage cleanup. + Allow SNAT in the INPUT chain. - Changes in 5.1.11 Final + Update release documents. - Changes in 5.1.11 RC 1 + Update versions and copyrights. + Clear the connection mark on forwarded IPSEC tunneled connections + Make TRACK_PROVIDERS=Yes the default. - Changes in 5.1.11 Beta 2 + Be selective about verification of the conntrack utility when + DYNAMIC_BLACKLIST=ipset,disconnect... + Don't require shorewall to be started for 'allow' with ipset-based DBL. + Make address variables play nice with the 'clear' command. + Don't unconditionally enable forwarding during 'clear'. - Changes in 5.1.11 Beta 1 + Allow non-root to run some 'show' commands. + Use synchain name in log messages rather than base chain name. + Assume :syn for TCP CT entries in the conntrack file and HELPER. + Limit depth of 'find' search when AUTOMAKE=Yes. - Changes in 5.1.10.2 + Limit 'find' to depth 1. + Don't run find in an empty entry in $CONFIG_PATH - Changes in 5.1.10.1 + Fix Shorewall-core installer for sandbox case. + Make /etc and /configfiles the same. - Changes in 5.1.10 Final + Add warning re wildcard and OPTIONS. + Correct IPv6 Universal interfaces file. - Changes in 5.1.10 RC 1 + Correct ingress policing. + Fix Shorewall-init recompilation problem. - Changes in 5.1.10 Beta 2 + Allow a protocol to be associated with a regular action. + Remove the PSH flag from the FIN action. - Changes in 5.1.10 Beta 1 + Allow CONFIG_PATH setting to begin with ':' to allow dropping the first directory by non-root. + Correct several typos in the manpages (Roberto Sánchez). + Correct typo in 'dump' processing. + Reset all table counters during 'reset'. - Changes in 5.1.9 Final + Use logical interface names in the Sample configs. - Changes in 5.1.9 RC 1 + Apply W Van den Akker's OpenWRT/Lede patches. + Don't verify IP and SHOREWALL_SHELL paths when compiling for export. + Support for Redfish remote console in macro.IPMI - Changes in 5.1.9 Beta 2 + Merge content from 5.1.8. - Changes in 5.1.9 Beta 1 + Update release documents. + Add TCPMSS action in the mangle file. + Inline the Broadcast action when ADDRTYPE match is available. + Support logging in the snat file. + Add shorewall-logging(5). - Changes in 5.1.8 Final + Correct 'delete_default_routes()'. + Delete default routes from 'main' when a fallback provider is successfully enabled. + Don't restore default route when a fallback provider is enabled. + Issue a warning when 'persistent' is used with RESTORE_DEFAULT_ROUTE=Yes. + Don't dump SPD entries for the other address family. + Fix 'persistent' provider issues. + Treat LOG_TARGET the same as all other capabilities. + Allow merging of rules with IPSEC policies- spec : + use new %_fillupdir macro with env DIRFILLUP in build * Redone patches *-fillup-install.patch to use ${DIRFILLUP} * use new %_fillupdir macro in files + change require perl to perl-base + Added conflict with firewalld + Refresh list of files and modules - Run shorewall(6) update -A to update your configurations Check and adapt them before restarting. - 5.1.8.1 release - Recommended action : + Update release documents + Make persistent routes and rules independent of 'autosrc' + Correct 'delete_default_routes()' + Delete default routes from 'main' when a fallback provider is successfully enabled + Don't restore default route when a fallback provider is enabled + Issue a warning when 'persistent' is used with RESTORE_DEFAULT_ROUTE=Yes + Don't dump SPD entries for the other address family + Fix 'persistent' provider issues + Treat LOG_TARGET the same as all other capabilities + Allow merging of rules with IPSEC policies - 5.1.7.2 release Please refer to releasenote.txt for a detailled description. As always use shorewall [-6] update and revise your configuration + Features summary * Module loading streamlined, shorewall [-6] update will remove MODULE_SUFFIX configuration * Check route if detect is used in gateway column (dhcpd5 has now binary encoded .lease) * DNAT and REDIRECT support in ShorewallActions * Docker configuration support: DOCKER-INGRESS chain. + Fixes summary * Fix shorewall-snat(5) man page example, DEST column has to be read eth0:+myset[dst] * Fix invalid vlsm to ipcalc message * ADD_IP_ALIASES is set to NO for ipv6 while yes for ipv4 * Cleanup .tmp in save ipset operations. * Command reenable fix for persistent and non-persistent interfaces * Warn if getattr failed (SeLinux) - 5.1.6 release + Fixes summary * $SHAREDIR $CONFIGDIR available again * Fix compilation with optimize level 8 * Be consistant with Netfilter interpretation of 'eth'='eth+' * RESTORE_WAIT_OPTION serialize start of ipv4/ipv6 with -w option * RDP macros handle also UDP part + Features summary * Sparse option (not implemented in our spec) * Add enable / disable runtime extension script * Check zone and subzone to share at least one interface * Runtime address and port variables * Iptables --wait option used for serialization- Update to bugfix release 5.1.5.2 + Make build reproducible boo#1047218 + Fix upgrade from 4x version : dropBcast and dropBcasts are now supported boo#1053650 + Perl 5.26 support + Fix for BASIC_FILTERS=Yes and tcfilters + Fix USER/GROUP messages + MAC address in OUTPUT col in accounting file error is raised at compile time + Fix port number 0 or > 65535 perl execption- Update filename in /var/adm/update-messages to match documentation, and build-compare pattern- bugfix release 5.1.4.4 A defect in 5.1.4.3 caused a startup failure when two or more 'fallback' providers were configured. That has been corrected.- Fix a typo in %posttrans that would remove the wrong file and could cause a problem depending on the execution order of the %pretrans and %posttrans scripts for the shorewall and shorewall6 packages.- This stable branch 5.1x will be the new default for Leap 42.3. Remember that each time you have an upgrade with changes in Major or Major,Minor it is mandatory you upgrade your configuration with shorewall(6) update -a /etc/shorewall(6) command. - Packaging : use pretrans and posttrans to inform user about configuration upgrade. - Bugfix release 5.1.4.3. Problem Corrected: When running on prior-generation distributions such as RHEL6, IPv6 multi-ISP configurations failed to start due to an error such as the following: ERROR: Command "ip -6 -6 route replace default scope global table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1" Failed Such configurations now start successfully.- Bugfix and enhancement release 5.1.4.2 complete changelog is available http://shorewall.net/pub/shorewall/5.1/shorewall-5.1.4/releasenotes.txt - Main changes All IPv6 standard actions have been deleted and their logic has been added to their IPv4 counterparts who can now handle both address families. Previously, ?error and ?require messages as well as verbose ?info and ?warning messages (those that report the file and line numbers) generated from an action file would report the action file name and line number rather than the file and line number where the action was invoked. The file and line number where the action was invoked were listed second. Beginning with this release, the invoking file and line number are listed first and the action file and line number are not reported. This allows for creation of clearer messages. IPv6 UPnP support (including MINIUPNPD) is now available. A PERL_HASH_SEED option has been added to allow the Perl hash seed to be specified. See shorewall.conf(5) and perlsec(1) for details.- Bugfix release 5.1.3.2 Previously, if a Shorewall Variable (e.g., @chain) was the target of a conditional ?RESET directive (one that was enclosed in ?if. ?else...?endif logic), the compiler could incorrectly use an existing chain created from the action rather than creating a new (and different) chain. That has been corrected. Previously, if alternate input format specified a column that had already been specified, the contents of that column were silently overwritten. Now, a warning message is issued stating that the prior value has been replaced by the newer value.- Update to last bugfix version 5.1.3.1 Problems Corrected: There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3 sample config files, which resulted in a compilation error. That typo has been corrected. There was also a typo in the two-interface IPv4 sample snat file; 192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has been corrected. Previously, when processing the policy file, 'all+' was incorrectly treated the same as 'all'. That has been corrected so that 'all+' causes intra-zone traffic to be included in the policy.- Upgrade to last stable 5.1.3 For details see changelog.txt and releasenotes.txt containing all informations for a correct upgrade path. - Packaging Redone patches for var-fillup + shorewall-fillup-install.patch + shorewall-init-fillup-install.patch + shorewall-lite-fillup-install.patch- Upgrade to stable 5.1.1 For details see changelog.txt and releasenotes.txt containing all informations for a correct upgrade path. - Packaging: + use proper %{} syntax + Adjust year copyright + Remove attr on sbindir symlink + Move Samples and Contrib to doc package- Upgrade to last stable of 5.0.x version 5.0.15 For details see changelog.txt and releasenotes.txt containing all informations for a correct upgrade path. - Packaging : + Remove all non suse %if + Cleanup older non supported version + Remove upstream merged patch * 0001-remote_fs.patch * 0001-required-stop-fix.patch + Remove 0001-fillup-install.patch replaced by specific product patch for correct usage of var-fillup + Added patches for var-fillup when not specific %name6 is also supported * shorewall-fillup-install.patch * shorewall-init-fillup-install.patch * shorewall-lite-fillup-install.patch + spec-cleaner minimal- Update to last 4x bugfix version 4.6.13.4 For details see changelog.txt and releasenotes.txt - 4.6.13.4 * This release includes a couple of additional configure/install fixes from Matt Darfeuille. * The DROP command was previously rejected in the mangle file. That has been corrected. - 4.6.13.3 * Previously, Shorewall6 rejected rules in which the SOURCE contained both an interface name and a MAC address (in Shorewall format). That defect has been corrected so that such rules are now accepted. * A number of corrections have been made to the install, uninstall and configure scripts (Matt Darfeuille). * Previously, optional interfaces were not enabled during 'start' and 'restart' unless there was at least one entry in the 'providers' file. This resulted in these interfaces not appearing in the output of 'shorewall[6] status -i'. * The check for use of a circular kernel log buffer (as opposed to a log file) has been improved. * Previously, if a circular log buffer was being used, the output of various commands still displayed '/var/log/messages' as the log file. Now, it is displayed as 'logread'. * When processing the 'dump' command, the CLI now uses 'netstat' to print socket information when the 'ss' utility is not installed. - 4.6.13.2 * Previously, if statistical load balancing was used in the providers file, the default route in the main table was not deleted during firewall start/restart. That route is now correctly deleted. - 4.6.13.1 * Previously, the 'reset' command would fail if chain names were included. Now, the command succeeds, provided that all of the specified chains exist in the filter table. * The TCP meta-connection is now supported by the Tinc macro and tunnel type. Previously, only the UDP data connection was supported.- Update to version 4.6.13 For more details see changelog.txt and realeasenotes.txt * The 'rules' file manpages have been corrected regarding the packets that are processed by rules in the NEW section. * Parsing of IPv6 address ranges has been corrected. Previously, use of ranges resulted in 'Invalid IPv6 Address' errors. * The shorewall6-hosts man page has been corrected to show the proper contents of the HOST(S) column. * Previously, INLINE statements in the mangle file were not recognized if a chain designator (:F, :P, etc.) followingowed INLINE(...). As a consequence, additional matches following a semicolon were interpreted as column/value pairs unless INLINE_MATCHES=Yes, resulting in compilation failure. * Inline matches on IP[6]TABLE rules could be ignored if INLINE_MATCHES=No. They are now recognized. * Specifying an action with a logging level in one of the _DEFAULT options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info) produced a compilation error: ERROR: Invalid value (:info) for first Reject parameter /usr/share/shorewall/action.Rejectect (line 52) That has been corrected. Note, however, that specifying logging with a default action tends to defeat one of the main purposes of default actions which is to suppress logging. * Previously, it was necessary to set TC_EXPERT=Yes to have full access to the user mark in fw marks. That has been corrected so that any place that a mark or mask can be specified, both the TC mark and the User mark are accessible.- Update to version 4.6.11 For more details see changelog.txt and releasenotes.txt * Previously, when the -c option was given to the 'compile' command, the progress message "Compiling..." was issued before it was determined if compilation was necessary. Now, that message is suppressed when re-compilation is not required. * Previously, when the -c option was given to the 'compile' command, the 'postcompile' extension script was executed even when there was no (re-)compilation. Now, the 'postcompile' script is only invoked when a new script is generated. * If CONFDIR was other than /etc, then ordinary users would not receive a clear error message when they attempted to execute one of the commands that change the firewall state. * Previously, IPv4 DHCP client broadcasts were blocked by the 'rpfilter' interface option. That has been corrected. * The 'update' command incorrectly added the INLINE_MATCHES option to shorewall6.conf with a default value of 'Yes'. This caused 'start' to fail with invalid ip6tables rules when the alternate input format using ';' is used. Note: This last issue is not documented in the release notes included with the release.- Update to version 4.6.10.1 For more details see changelog.txt and releasenotes.txt * Indentation is now consistent in lib.core (Tuomo Soini). * The first problem corrected in 4.6.10 below was incomplete. It is now complete (Tuomo Soini). * Similarly, the second fix was also incomplete and is now completed (Tuomo Soini).- Update to version 4.6.9 For more details see changelog.txt and releasenotes.txt * This release contains defect repair from Shorewall 4.6.8.1 and earlier releases. * The means for preventing loading of helper modules has been clarified in the documentation. * The SetEvent and ResetEvent actions previously set/reset the event even if the packet did not match the other specified columns. This has been corrected. * Previously, the 'show capabilities' command was ignoring the HELPERS setting. This resulted in unwanted modules being autoloaded and, when the -f option was given, an incorrect capabilities file was generated. * Previously, when 'wait' was specified for an interface, the generated script erroneously checked for required interfaces on all commands rather than just start, restart and restore.- Update to version 4.6.8.1 For more details see changnlog.txt and releasenotes.txt * Previously, when servicd was installed and there were one or more required interfaces, the firewall would fail to start at boot.This has been corrected by Tuomo Soini. * Some startup logic in lib.cli has been deleted. A bug prevented the code from working as intended, so there is no loss of functionality resulting from deletion of the code.- Update to version 4.6.8 For more details see changelog.txt and releasenotes.txt * This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. * Previously, when the -n option was specified and NetworkManager was installed on the target system, the Shorewall-init installer would still create ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless of the setting of $CONFDIR. That has been corrected such that the directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is created instead. * Previously, handling of the IPTABLES and IP6TABLES actions in the conntrack file was broken. nfw provided a fix on IRC. * The Shorewall-core and Shorewall6 installers would previously report incorrectly that the product release was not installed. Matt Darfeuille provided fixes.- Update to version 4.6.7 For more details see changelog.txt and releasenotes.txt * This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. * The 'tunnels' file now supports 'tinc' tunnels. * Previously, the SAME action in the mangle file had a fixed timeout of 300 seconds (5 minutes). That action now allows specification of a different timeout. * It is now possible to add or delete addresses from an ipset with entries in the mangle file. The ADD and DEL actions have the same behavior in the mangle file as they do in the rules file. - Added systemd_version macro in anticipation of detecting the correct service file when systemd version is >= 214- Update to version 4.6.6.2 For more details see changelog.txt and releasenotes.txt * The compiler failed to parse the construct +[n] where n is an integer (e.g., +bad[2]). * Orion Paplawski has provided a patch that adds 'ko.xz' to the default MODULE_SUFFIX setting. This change deals with recent Fedora releases where the module names now end with ".ko.xz". In addition to Orion's patch, the sample configurations have been modified to specify MODULE_SUFFIX="ko ko.xz".- Update to version 4.6.6.1 For more details see changelog.txt and releasenotes.txt * Previously the SAVE and RESTORE actions were erroneously disallowed in the INPUT chain within the mangle file. * The manpage descriptions of the mangle SAVE and RESTORE actions incorrectly required a slash (/) prior to the mask value. * Race conditions could previously occur between the 'start' command and the 'enable' and 'disable' commands. * The 'update' command incorrectly added the INLINE_MATCHES option to shorewall.conf with a default value of 'Yes'. This caused 'start' to fail with invalid iptables rules when the alternate input format using ';' is used. * Previously the LOCKFILE setting was not propagated to the generated script. So when the script was run directly, the script unconditionally used ${VARDIR}/lock.- Update to version 4.6.6 For more details see changlelog.txt and releasenotes.txt As there are many new features with this release please consult the mentioned files. * Previously, a line beginning with 'shell' was interpreted as a shell script. Now, the line must begin with 'SHELL' (case-sensitive). Note that ?SHELL and BEGIN SHELL are still case-insensitive.- Update to version 4.6.5.5 For more details see changelog.txt and releasenotes.txt * This release adds Tuomo Soini's fix for Shorewall-init to 4.6.5.5. Previously, the ifupdown scripts were looking in the wrong directory for the firewall script.- Update to version 4.6.5.4 For more details see changelog.txt and releasenotes.txt * The '-c' option of the 'dump' and 'show routing' commands is now documented. * The handling of the 'DIGEST' environmental variable has been corrected in the Shorewall installer. Previously, specifying that option would not correctly update the Chains module which led to a Perl compilation failure. * Handling of ipset names in PORT columns has been corrected. Previously, such usage resulted in an invalid iptables rule being generated.- Update to version 4.6.5.3 For more details see changelog.txt and releasenotes.txt * The Shorewall-init scripts were using the incorrect variable to set the state directory. Correction provided by Roberto Sanchez. * For normal dynamic zones, the 'add' command failed with a diagnostic such as: ERROR: Zone ast, interface net0 does not have a dynamic host list * When a mark range was used in the marks (tcrules) file, a run-time error occurred while attempting to load the generated ruleset.- Do not buildrequire openSUSE-release: it's a daily changing package and causes thus frequent rebuilds for no reason. configure and install both try to guess the target from /etc/os-release. So we simply inject BUILD=suse for the openSUSE case.- Update to version 4.6.5.2 For more details see changelog.txt and releasenotes.txt * LOG_BACKEND=LOG failed at run-time for all but the most recent kernels. - Changes in 4.6.5.1 * The generated script can now detect an gateway address assigned by later versions of that program (Alan Barrett). * In 4.6.5, the bash-based configure script would issue the following diagnostic if SERVICEDIR was not specified in the shorewallrc file: ./configure: line 199: [SERVICEDIR]=: command not found This was compounded by the fact that all of the released shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR (Evangelos Foutras) * The shorewallrc.archlinux file now reflects a change in SBINDIR that occurred in Arch Linux in mid 2013 (Evangelos Foutras).- Update to versioin 4.6.4.3 For more details see changelog.txt and releasenotes.txt * The fix for LOG_BACKEND in 4.6.4.2 worked on some older distributions but not on newer ones. This release fixes the problem in the remaining cases.build77 1684754618 5.2.8-bp155.4.6shorewallwait4ifupshorewallshorewall-coreCOPYINGchangelog.txtreleasenotes.txtshorewallcoreversionfunctionslib.clilib.cli-stdlib.commonlib.corelib.runtimeshorewallrc/usr/lib//usr/lib/shorewall//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/shorewall-core//usr/share//usr/share/shorewall/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Backports:SLE-15-SP5/standard/f80c202db0d1e263607aea4166538e7d-shorewallcpioxz5noarch-suse-linuxdirectoryPOSIX shell script, ASCII text executableASCII textUTF-8 Unicode textRRvt?wfutf-8afdd2d31b5ff92a9ed8e5b387c8862b6c5bcd8c5a66e4595ac125c54cdd504df? 7zXZ !t/t] crt:bLL ؝.ΎTLiwKOSo Z͸/" nصcB !NxHf&~~YNSP`iM7 Wo {9`pj_YJQOtPbnԦvHYg5w. t˾MX|GV V",g,ͻAq[WR Xytjέ]A5N33E)z68taeHcZ<=xjk%-:UK5h.;E =m Ѫ@ڴbZ%Bn*B=a"8[qK\}9a1 6b8b瘅Xz jJ?o#g\׵@z¾ X#FXou>tE~M sM6qwquQ!yUºNe8F^`))6#o'd$&=8e/@ʍuyzX6xV\"y>#v-s,nw'V-žn3)B~L9?׾C1K6R`ywԖpf2{g^Hn:eٜ,פ,H-kٍ puyT )$(ZÍ!#{jBmt2 5n䎓EP/@E}'D䷢!uvT _ܢ b5Ix5qsZ4۠-Ehõ5WŔD`(Ӝf}{o4Bz >}nFvzF| Q 'Xxp@PCE_;6'.$*K!7MA]J^~=Ws!bXi8Bm%4gn;eİ8m\ƣėP==A}e>O GOe>B\شA m.xp5;LaZ7/IM;Ctl9 SL ׄ4uEN_زQUbQ_xr\Pg%.%WjYZIQPSi(BRuCirzCѴ MOy&%0-L*7]QT< vR 2u ꬉQJ5Jeh(B׬{z(a7Lÿ#o+~X> B<,l@JED;\ jZ3@ L%nԉzi] yba뗊E`AS,;_?PQf#'zt=%81pܩ*0 wYt;Ut9 ]4ٸғۑrK$)HK)m1Fc8嗱 6V^>)'ܴh%2 _g^RpLz ":G ѵ/ر-Φm3S,: ٲ<垗Bjrl(SrȫZmJk %Wy?n3 ^Iq%8쳯.oI}ಬKeς'/W1X: O{Bu׼ϐQ(E)=m`[ 4]pn`Wx2HF/Ʒz21R"4dhv}r*r$x!P ^F{/چoBZl'Y w%JI5Wd']"Z?Kc ޘp!Mƃp Zҹh3avZ 3zYTM^`\@i'G>!!bo4UD[#p/%=ÅH56%DLj\B6ڶ`t*>R/c`6~F#>? zh`$x|ADW]P 7|!R 9@a[2^\@reAb!Mĕi#V0NuJӿ+e_:y)je.qZ}!FXxOQ{̪^Ei,U-zm(kpi 7|jg/4xRѢᷜUS4 U$"#alHF6nsx K} W0j'VE| Q\I K91OSy0ti39x `! Z5۷Tp@?78fqJ^Ftpȏ ~Rw/-:ҶqW3ī7W@;Up~&OE|+z[E_W{xͺM+xӳ/V-T>LjiIF dЅHkGߚhw.AԬNo.ޚdg0/ejjOpkq4IM%hNR̟LB@`pt~`Y=%vdbH"ʩ+xg[F}E&_&^$!TL§gٙKDJ]jA8n<^>@e]Z̺_PUDޖX(ބ8ek?buih)@GuJLj*iD X}[+- 9zEaŌki'pXż xz3vpRzf(ZY⇚LV=cEa~ h#4بq(M涧Z@zֈeV))S@ In ɎW! !7x(q#d1P;Xxq:9p0HD?w'fݳ0$[CQ`T\BZM0%zi%?ɝf6)lIbh Hs!؅OCRaX@kn '9@g#_ RI0/Kj7~U=;rZD͔_ WsoHI2␯ES/jveїpվXr1Cݹl7'Aϒ^. 7k5JۜSk /nc:R;k=FCTTy޲Ƌއ*Dk#[>;n@2"juE6H^ \K8ƫ Ot L=\Mv)AEwr6^J#?[0gj d& { {=353akkC69PW%ge oF:{ٯ@D`d1⍫1j~6-KC-W0p>Z[*9ɲxQ-!g>V*ǖ)e}Zek1ρ\]x.c Q0Y|Y򄈯z;RVB"B: ]2P(` I,qR oZJYŷh."{Fo&,Umbg9!NTa+r3t#ڗ08s#4nNa ]cVRCIB p,v@Zq|I5/z狄ݱ1Y4D2GwKcuu5уF-n, Ku?0s4GGsR eQ/LWh1f>ecd6Z~><'!LȭR$fپZvBfmΥ"5%z(//'|7~eyV BȌ-A+:^19LX2v܅r.V߸e8YӁ3rn!NJMAAkh(+/==u=%;俲C/o?EWNJj7:AZʦ$ .@f˺}nqe7mܧ`'זٯεD |1ery\&֭y񔱚0y~igFPޠ_o; m/&96RoB2: mlARB=K!,z" '̓hs -y'ɸQ~ mUytŢ.R{d3 D$E?DbM͛j˚$6om#.MPn*uf5O6H ߭zgEO!7R.DoPj$Fb(U >1;x%{NCjW .u2OI*B5w D{DFs]kBPW{[G~;7Ɛv6cj%#-5w{TK(fmWrmtz+-Ǒgiej,08AX?LO9@ `$s70N64yzeX6{z3"1a^jea|G}ȉe:-10 vÃTHuAi{;ۗ+w$. 7>"Z%Atv~%WK@Z)db~ǘ\)ܙSR iW<ʘi""^oL2\7Wf'Y>tǣv{„#/zRk(h6 fJ}(}Q2%816QMXNe+k=a5F}G<ʁ>( [W>WO,揿TpwR2ӤDn^O~*wɺGtnP ev-ꭀ&4Y|9A7W A[aj/q%zZp'ѥiZ8&3e,󬂑{}?]0^Z] ,o-0+40i 2Dxf _!U\yj^Ė݄opp*OAPkAӚpmJs .1"\QMw7cTW-EtpD˭}`QlV*^:\ߤ/ =νho/8Ɩ1.e֕>vj)Qy 'ήpM3BwnXy_N|=x<mgؾ ͮ )`w%6r*!+^I殖a͆P_}B+RiꦷFůPpzo =m2Hs$~ssUď+I;OnjcYs:'+G%4`k9'{i7_h' Gi0b J+ z="j> -p% i]/\Gr2LTIԫ>5'8H3OVD&u/7{H8* k"48xRQu8Ǧ_7מ ĺ$TR [:B&j q@4V* Ӎ3wFiflz iR?jhE=iY.1N_[!$ &FC /+|  #DG|LŮqC ^Mq*ζ43A#B 3瓡z3KO+ Os̷lbϗ}8_'nN^"OA^g)B=JH6vuxMf^ |Q@;.Yh7 8ɣQf h3 pO,8vd|OD"vuRgozG{Ux(a- yTb`2d\'8 9*П0`_ӰoA3;%`!ŊAc~Tdեҷn@oLg c#x $m2agUfs5&GmzRb#_l}| #OO t^ߘle]Z3Ǎ}s; k=nR0Q~S3BW6nC'TTpStk0 :1P%9gQϴC'DMXI'ih,Zޠ6P,v"shA,*z7Z9ӷ aM-40VHe=_= SY#T"TD{\4Gۃ%Uwgӥi4XgeGW[FYUzVt%e[P RZUi Zs]WxBJ|{%٬ܪ?XUtIcTΦv-Yڷ#0x}7cK95:+Wo<1Yeq!ZLl:TX(Aha,47c ZfҰ%m'܃i#MN mnME6Z!,Z3M*Y @*ThX;R/ Bjv:5 Bdiǎ>9>w*gv -t}C]a,?<3>Ma "ḓ5Jdj癠>-J@ĴHEb3K*0 OFKf6}YV8a`q XHEl=j _{#dwӛ+_PjxMey`]i@POhA;rh;Cn맽E&K"u0&v떳0myEJd#_W AfX A%s0,cے0E뽣'5v Rh_k\H/_3wƦ9 ͅ:RfIE,OcqdXB#_U߉*!onZlN ,<͆8pi9% t桚sͯ=5aJn%»o4:JYkNIi#TȄ@S)0% <AY )Gh57XY9w|F|б&j>țQ$/xCjqz'rYz>F)Sw}LTՂb): Ӎ2?hq)kDwݰXknΩNS'ǯH(h}CIY]͘dzCa( T<-%yL|=`yNz5/fdld7N"!dWh+]i_ &?J "c~SiG< NAO R{#ңo8={-F~`0ThFD76»_fRm} U=.leΡ[>>5\3K\*ƄZnEoEh4&//]%?tb 5y"v sb '-qm-Y6ΒˌΞ"nY:ͨ˞[?4l"tvhq9XlI}Dǿˆ;q C壟b Bn ln]{@xRKy?˧7-Ak>Q͛ ġ>좹ѪP92Mhdc@@Qn%S95W f41"S} KXpL|R1P i8A9Xc>3 W:GU?[砷Tcz;A б,b5v['V%JK<mQvPA -įoIvCxG"TIE}HIAK/_56W"7z<$f~26돻hJ!ͧBƊlVJCB|f-uڗ*DF+8IqBG d ''df`)t3䴆n!8щJ'&nmdI6in>ZyAO(OPvNHw@F(#>?aT5% $d |EF}u ;Y]vhvqF)xIJ 8IV`']qT~5Z ڪyQ@Pj8q2Wj:Лݒ`N0k(`aJci­>K Ɛ`cE:ʦJLdz7j&c+6:&hD-HPOɤZw f] Ҽ tIs.e(^͂ύpI$@Xw(SbLW$tX 3$]z`;uהډ>aMр|7M|}d>zض%*ANڱ.ϼ"c$hGeF8{ꓚdNS*RCS5Y~be~l@r3H1OS C`]{ƙǂ?wXxc+K!Vٯ'pgkX04}OC}n[54n{oO|ug=+yV5zJ &3u07pt ,hkT1kbT}Z%4AkU$ʡ V6Z҆BRAcȍw ]/ŃN(v0Vb٤̄MQ֦~,=.]x]Z^Sd@q˵R%&Pxoz8ʵX׺`!(_4ON_oiW'Fјh2> kj֡O'WҤ .#NgHItWq@ޤa$ %g oGBeϰ\Oy$"/$0TVZӛٚ4A;?rY0cW\6N6yvg\C;=\7U X"6e юIQ|Qg` ^˓kk@%)OXNlI=ZAj/gTHwRJFt3Q@+/M]S*v"&k?N\ZI{!2[a?Kis jdhn"/9q=q߰wpWdal(OՆA>(`g0ҼBZsa$l#7JF1_uIҥԚFEE!SoOpIw$Z,ȍ#c\0 Hc\Sr-O/+4*K>}B2ADj%$  Rs@l{rs}b]7/x(#Mecn[l`\Hv)o[~/U>R Hfh:+=kDT \yjO +,c7:9e\K"I II*ݠ=*==Y%Lq䝡rRI Hzt{| v7Q%v`kO\R:@2'Yj`qc3{3MV e7p/׺)%]L!h'^)j'EE'tI^XyV*h>q'g8cs^ȯFz Ǵda Y?2utU=[ꠣr)"oJȕ6rQ +Wxq'Q솩R 8sj^;Z -ޮ2xhu5-я]8wCsB-x7:4 [GT ;Ǡ7q` 6`ct2Rdx~[bukJF*vh)!DeJ3s!K;^2Ĭp>#f8Y9W-{2}6v/*zxz?5X"הa>*aF l<"zgT¼LI-!Pp\n A/eott$o CE(XdWfѥYmGX:@UJ'rc4Wzp,N QvיV5FO!6簾IQP/SolC`~ (%_[TAgOy|s۳۠ǥ3=B|9*(-:Zn[y_VyY3`EA("7h { )7-/-0_ӎ,P#EڨڨB5n @ I,+( 8|ۤ\`Q2QjA[ˋm>`A/FlW8y/*p@T"*qenTIeT/f NČωRZBKz$s7Q.>s|V4ycE=9Y(3x4})7L(?A X1oY{@1m9!0#r! k)S+'Oȓzah`2G\ Y;[x)}jokRR5'd8gDȿ#HpYN,nYyiSǑRzvDZn"ܵpZ`'2=0vR2/hg5#"UXym(I hw-ί~i`2+/3bڐ)_lŬ%>ׂorC<5Ő͡AX qǩ׷thgyąkmOj1z5F5ٴ_smMH8#:0KSN1W:"Z'zqM+¿' ^AޚɨW7嶄QԠ[~J~1*QT&;1k~I۷}RfAfeXՌ1^q9 գw/ί:~ю{dciw ͤ, V3O,6LJx~AY"Z"U(wd^!ڍ5ۨXGϭCTJ2yd=X_N7{Oo 12r7+Of۫f1.Y#8r C5M@ *L݆Rr&> Lذa^`-BK̷ ol@{Jf3%-! PeN;wؔވ' .]uQ`&AsqǑ0_`n9{GpzS1 0 v6L1_G`c~8(̋ 3!GN%=C0TN89Wu>6؉mQ"/$5׳KS֍K%)##ْ{!Q™="SqOƭ5#g)bΤFjQc͞вn!;(|RDEkSqb u*®a}_RPZ)6#i+p+9VNl[pq-C׀Y%@1t𺑸k:S\qUznF;9@Syߛ;\Ez-dx@Uc^q2P衢Kbaa:?8 (uq{Zѱ)tsN@|db^amҞx%bOvW7%dN:ŢJ;[U u"!M8p4}w7`CV/*,M18须 y[96csqKEVrcV_¯YC?="ֹQeX4O|<2>j.iIX"*I;o(4WƑR M }aF Hh) YPNI7YԆ8ee5v)=#n%3|K8Ue(kB#canalϫ{T%co˂'|.>+?bF֠CJh7a;7vCa2$X3="[k%Уňx? @J@VDxCI4( q" ]$9lH*ruS}l%ue.0z+Kbj_gИ(rYX)v3.f28{4Z,mgݐ %1Y <~CC)G_EjᲶiv4 Rz j9!{qI̚;ZtnPg"4UvgO:WXk|'larʃcHafBg9qTH^hr&߿:oؽfD37r4{0=P|%޴U%-c_5,cQ[ɖklypa›k~cv3 @I gx[5$HN,ng {P)8]"srӟ^ WqQ"8Jǁ$,)iY.zeXzu*[[YbUfMC$md{՚*H@ ϋ輬14ͳ }h9OW `Cq񆿋ewT~:UNz)(I FBRyK+rsmM5턋Eܹy~mIwt(Ys7B dt}},©C30SQ0G%mfq54Aq#_(K fk \ek*K婺t #_y/WqjT>jz1ah~@C,¥|g((P41\ޫzr0zo&:WtjƓiqmz.ܩɻe=74@:1\ۿ-$QZ Z0}lW8:MUr.JzVbc} ۛGg,Cg_.РŤ& /MXE2FӬLɿ;|47۴T:u0i#s~+v5,O1θqVfLQmTJx&+?wC.Qj!Xfg.ǹbA46aZrp κ'2$3wP`6U|1l瑺>_laa XvXZCyBMz-c-tz %p&9^jhVn9 O&මUK?ģLoB9/DӦI/agi!]!m"!7\uR(Ǭ˧"p;wʂɌsI] 9F Y,A$~ǰ&/sySWD :{3 O&H*8l.*wAnDÿ #T=5Ql;B⣞1$sYʉEj9=tk4kCA,.z*>/Y wk&1IzFz:G&kFWŠ #3[g&f^5|q4`髙g3C|0!Ro?Űl*ۺl_NW״X3 AUCmFˆ֚?ZNsj]1ߔYr=1;E'غ6eol;OLp X0ȕGONaJ~1P˲đGE]&iE᳆Lje)YM[mX4Keօٞ@QFI7ہQMMeºsvJtx,ztu q~lU6nw-Oe]voe?!hX9}1(o$2:/u$+a#E,LardS^n fk푍%}"ie/N-ӗZLd"`Q'V/#| +٨( -owCVMT\-S@AB; kZ(GS_ma8-gim˲r}3BHoa XEas DYKYQk>a+`iC25">cC2z?p< %BxqjhVTado@Se"K-~FY = *d{ MٽS1]ѷ"L|5;'vk!|g[ c_jǟ8j0whAr"D[RE `7r:-IJw"3gO TT^ g D?wK*ГGbJf}P0xDmH$AjM˸}{jר+7QTOGE;p..N@!Jmף Yecɩ2l℥'+s"F/fj Q |o]8Nh1Kǣ?tJ Lo\i juɳJP~ %gkO& .+@$(aXt| emC%Ò a?jWܐwF ( uc+*l ZZA&&κ9hh0epV g페KKҌ#%LQcV1޽}XI$O\LO!!cpQ0?99NrwʈEջQ{Oգ0;O: 6Τ|,'8NSv&mH ے  =k&E&ZLw^!9+NS eiV>VՅs8kH@F`?Ub*'N&)޻颋O \1Bg_;;ؤT/6HVο-PC)gPjωOZi`MMMݳ#eO N>=Ui[.,tI9$+Yd*.s!&.0hA}>hs ljK f&aTȚn ?P@wR~@LdJj(  ̺gQifᮟ?%ޣO 1 #7Dť"U;h6t:]Ύ5ئv4\isoTݽbQ */Χ6evIYAU*̓&|Wr8bK`m0 )6_iEh (0q:SB/sDP4UDʽu= ?7Bw<.}[gIh[I)]>ڠWX`w)c{eNjbGz66RQ!/'k?\cƀ(If9Q+h<]9!YG{PHa*qsvTN`!R)\sWQ^7RJMA+s"RHm.w}2DQ \࿭ù]0xo,k۶++AuZ2qd'V#۪u=;fF>w-7c(ɲ{`S5c.lKr1ӯ,2Mi4ư:.ɓ ݟPf@GT4Z#f714샠d!E:WN5y>-BS+ $M_#NDD6=MÝdUݤ%c:S6Ǎ 7{N;:bxSxW}?BtS;m_,'%l_T^q7t:;Fm:2Sj$4| ]rfndL9 lbERu !N &aAGpmxjhjҒh[vn R,z=zLM˘E.S JV]nH\Kل(.j̘2;EEYilhtDj'k|ͪ)?B%t;@5 zF&*`UpY4ۮz/T G)W=> =v"+7eskù{馠md[Kr)8 j8mM11OZ" Dzуkt7 21A{+XDE;yOc6U7ҼzQb륋yzW a!qCXe!cs\\T;VuGO"+`Ae? u59x.?W#;m~+s:fzh}|}ä+}Y%+٧.cO4"%\A?嬥)4 $:*dy{byR>Ra߁;|皋K.!3B 1-62x&S@XIZ2iHC&r-1w+2Az> }2Tּ`` dۦ&@M{e|hl}*PEeA$peeEOӺCмKv ZmFC zz$;w)R'jVM31jv~2 ݏBl9 fm %r \Kz$ c\>B;ScH$<l}Ǝna=-wঅT8%<q`Rj \R.#s2)ק#N# Ǻ!Y ? ._KJ=(=;C}Ŵ#g<; r>*7L>W:AEsVz-tXJlˀ2Zr]jtv985aqVflg\\H*F)QW.޳8u D~Qc_\Z @Wն|ʱXl&V=@lOtA Ru긦Kǖn8\`gp~Bt}`2q0T;@(`×3X,Z1[3r6%w&WcaTÜqDa,fƖ&CU5"s|8Ɉ̬ݷAE&#GR"T;)bv)͹Ok^:14*28|DEJ"LL_Ze e%> ro p, QkY&7kM~!8oZdђ,j`&L wzZk&ș{66ÃQ2KvЫ5_\#%ċ&uKXRIÆt8RGpT$GnKӾP%C(ۚ6Wtf1@IpR pAI 9aU=v+KRK`QFUiz[V9ȪM!ێ8V‘9UeH}j!nܓ(8ˊ9U$|-L{kQax綀 ~-O:F:1'm/Y8oɬ0MTF ^^ s \ p]̕#VI$( ĥ~rd>B eZV^Y_a &Y"!Ҭy!TWpOjJZFKlTK%3TFam ^ A$UYnWG{)P[!>e'$ vH4%V8ǭh AGM82uJC" 8;G]}H@WO!N5ΈQ[- ռr5GA[a#4Ti:5 M><ҳJ& :z1˫Yபe lߴ*Kz^I `CH<49-J\P<~19vS9d. CLJD5_:%-o{\t#Idvn"} 9lF myإB4WrTӺH.$<4@njFؒƵݳz7r/ޗ;v^7~/:kk`fK*0r1}ip4VP4˭W˫f ~ѿ[XxlK>2{y(Aw4 YP+o"d?0[:!拃Dwk' SJyj&VPpw& ֭_f6 ^|fvݾ8ݡ녟)wv _:ߎRq3^^P ָGmA9HP#NYfwrAi[i˽h$no c2"Qa%* Ԝ1㯙MBZm 5XB½D +q*D_h-Ϫto[T9thdJ]ga!G4ץg?P?*`XWbܺs>!j'uhN;qӍJVNGP)ܙ6Tŋ/O"qMz\iۮ;3+ͫїڍȫZfXgtG6Oyg, abl;Eշ"GZDW}%殇MAv[mwtMvʯsVs@@4_͑XoumKpRJ01W,6Uܐ%ՠk=@NяiȬ5(Tb^.J)h,s3yjc C3d+!R&ᆔ7ފxS00(Ъr&W*Mh)j }mxZ j6cvG5GR*K\8x0v&:HϿDuih.f+wXpM'(WugnFa=aWUu,{qh$< 3/`{FN+ boDĮ% S ("a,~p՜b9iמTlr7em6~ooݰC P>=yUvdy7w ׂ@4^eo{Tlڄ11N*8a$&;c,qZj3.g {Y2TypTiȵ8utp9c`4%dn!{;O|K"Tv&hNDV#&7U+bV+p:{foRI/Ir<"DS=-wo#h xA sNAm^rI;l>k-O@@:tyx$sMCd:ۍ :}Mb `*UA,w9 ,NWEෟ "ux'밴K O6I+veݐr0#Z@oSiE W$>gڥ}[',NmPԿa( (iIo]$ǏVJ, ;mx܆·htp7 =Y:#1I\; [b(O8"_4fG&h!I,5ϩYŐH\A]<{`ZI> C!%+Sļ4(>/| Q\<N`[,wOeg(N4)3Q.1 AdFMڣ2Z|پEMî?_ffL:fK(Wg3׎+@hCb.Ku3)-~d&w"g5dȍ%jJ,m&[uT%*JYD f<};F#V0k{+Kg&VC,Z)i9}Sk,u 1 {3lvާVqBEٵVԷ@8̗^9p:;}ƓR PFYDvT(`1 g q"gA--_fl2mo'ZhXǩ kP0oraL)Uy/͇Q\D2rų`&E.u\` 3!aChK@Ex܂D\; UrC.C==ىnd_P vZ~ !Q?L7?HP(-?Z66@n,"$r["S?ɘCO7ZFԨ~sDqy~a5 WJF_EXmm4OM8_(8A]V'U"&t4f8`a.eZunu?;V/hz6U9c;W37.] 8ZJ.bL:dǍ6Emɵ -H$ق!~5 q)z4=V`䒅p5x2w֚[5#ä+g R W1O&#i܅2U&<o*%~gF]A_)`C$Nұ/L)BXWhޞ:"UCN&5Ft>FDa2 ࡛w4>J[,zw3أZhʃE8Rx7Irb8V̉wQ{qMQ&]TM73Ij5wsDFO", `}|(D{;9լ@MVa}_C gt(A ǎbDV7ntv/\9=*nrYsXR]y%!c4cg jB y3eܘ:}`A`]nxO)YKMBA3<:]q $[gb~k3k82y8FØw`k[U=08 eMwc>$)`rzZ$ja;&< Ϲ_ZP Ѿ’C88zOVqwGZy!KVFQMo+B,v4&BgfT{FM]>\i09;r|$n) h&76@k0T*(B]UoWF-G(֗ O)io\ ej8bH"V[k k?8H>g9$KDžYq!Ӧܪ R ^.7?(LshD-ykYZ C 9#A} @/-i e1aW)yě34!@ b*;viQs&EuӰь‡s[?, q6#g;|}jG hθ Hɸ¸!mLS`~ഀK)-0F H߿!O^% 6Fnw5 ]:uN'巕G3?H,ZkSpn۫*BD?-_Љ5QA!)NjHFoJh"U,4mmcJ;f[7N}?;e_Ć;@\Dte;>hE<& Xc]+yAM; lr0 &p g'+kw)NOnAQ vZB,q|d>zPcN&vå_9uջfУ1:W^5D uy/r ( u ~> @*p&"8[U{Lx"odBg?Σn@Ñ=z5iۊr &!etN `^<O &, Ah#õI$+j ;#fԅ?8ɴ G'G]uكg~$m`GMݳDH1Mcͦ>(&E4lQ  +ia@SH2]+\Ft^ AA'"7i&ٷ*DuV%5vF|s+HW6++)L <=0lsa )Vo"nVSt<%L6Rke). cLflPYO#r^lou+.]|K_q ԰ d'2/GKubIl'AD'cMCDxFx8U6ڝtxF&jH(܎P4cANa_0XZ}Jە%Q,nA@Ժ {Uk>6枠f@z+ej(PK" W&'i@ۙ=jc_.Rc{}X}o#Ґi»!nN-C?Zss@{UG4nxg6שr[Ǵ1c,c :pJ8K氢#kjM'F%l& S\v8spg`eu9v `W0g1WE`&NC̄؉"ѫ7g~[x3Yܩ8w1 ÉEHڃe S z =9r6eh2zALz;\.b^s=dр/= hG+u`O$@]|J|c}wqҵ",EK#+0Qbc)iNAPN~-]W"-qIȪ[>(U:g*TgHGz㚱M?.Mo“,GoKОut}p!J çcNJp[<Jr iBtGu 2>H0}/^{=֎2P`IHUv-zk΅d+J~أ*m8sZ1A1 #؞YsX`7cKeF&lSG$3EOD*i6YۻeD-}#7u,ci3ŀ62woEЪu=c\xIR'ndx\E"d`WUC 4#_{WRa[ݪ/ƕpՐ65sFZ%NPA?ws,=yZz'O|Ʌ<"02>h-0V{ :d(8G$;m0qI5Ǭ33\VڭTo@ OU>4^h3. :qLfaCuh)˕TMC !3CA/cYa V ̓^_rԛ1*ψbU/vppRwmq8nU 3!ߓO.F0_RGQ2Ipm7ڑJoŏpOaӐ8ᆷP yNEynqtwkѱ6+&>b!%uh_Z_dYo+8^x ^P@~}žX"s ) 4 /TsJCӐcf$jʵ֡+=Z6Ms{1{o*{q63.2uDݕ$^y{̈IIDLj1uV=YsP] vaJsKB(tf>C5v!+Nk( f}xjM_.y̭Ē _*Y/i6h+wvhkZT/4(xyrqh('JK>?r bu⪣տTY6eI<#|;gךKesYͤ~v(<,xy1B2P/:6 fC 4TF &X]+] -G{l,؝hXiӵ}@Iț^kҢ" H f gN藌X}Ԃ-cik }?5xh-bX2]9MUSEBȪ4jSÓRfRYW)(v*&M^*8tg6I+=L}R,7ֻ_tΆp\vfߢdi anlPBgoAzkݧ; akH>rp6FiRuX1^# N7s0# i`$_r*G^.lBL" X'b#ó4eEz"p1I5{qyG~ٝ;Mضә]#$WA( <.e 䂁 f*"®glr+} esQ ]B z!y=:#:14- m ">S{XMftfL:?ik>?n3NTN/dXDGR`OhtbgFf Y7;[ OXXႱW 'åEfBcgzn}|]`,Z}ld+6t!j杂ע$#mgζl8N#Q%L९5ɉ8z|}yTy 9,pDL hgؿKPl &w>e\±GOs%mP(:ZV[өNfD\fʒF&"g^D ovq5ldv;g9*<3 Bq={JI޳@`."csTiB-\"<&0UTǖ 7$wEƋ7`2#u8kR$VL$Wg:}_n!MYN RԈ_Mz7eY$)2࿷@8dYae6E!Aq#=z #eJB].a1Q5mj-JM',AhE6P/Kxnua-wt0$YM3~S˵LbJq#kb*44t<զ=|/,?sPqeI-or\Xݛ5yH[Y3jʿ/%]i*5q[2takyW{n 4dNj''_Tܿ`U0}i|E*M>}mOi>2n`ShT\EGF҅*jj>$xW}hTQJZsphvN9y|]?beJUKXnHEi4.ǢZ%ۃdx"A|eWRAf'DZ-[ qb?!T^Mg.I Y|y}H=|G̻Yo7ISsm-h@mBU -r ZFxLGQ$DRדǪZk y~I/'#WAm~eA{`|J ̿x|"uuN<;_ǕtuI]Ģd^ƻ= \.ʯ&:8:%}sY&if]N޻X_Ejb!v>)?tU/PpYC]R"McUxDV':BNC)B 1@=k5df||7!]D>T̙[ިI=';},_$i4L}do*} 2mM5;w]cM>x="bRxg6'.e ɨ=2h3 ]{ޔdc^\W%p%4urU mc;5H'mZz𨤚7MA;K `Miܔvx[~GY$uqw߀ L.Q< \R iww! M]K7~_ų)t3%6Gderqk9{QNF}) il mzu ^ Jp#>؁0W]NR9=~nL0#4h֨":ctGDת$I/HgFF}ra ?5ߒ(;U^ .o:Oڰo{z{(7:Rj{ !˞VM?o9_⊁ս:}T%> gP)CDFh";klT/6N @Si8e|50`Y6q;YErRས<12G$1oLᎂ WsipN+fgAu =Oh /X ߽'|I(-+ rEd\/rωk phWLSlȳUjB8w8wv̬!]B|w@qafXh[sK9cYi?HNSm r0FbR[Jt6swma".G[>?`F@%4±uZ6 UG*M "^ҝ5&SWp};چC7& qWQ"Ft"OF1lÉ+, & VU0AoPbaTbc ܭg]y~P j k)VDnPjXoIvaيeALLj_WDS  pWF翞yo9ޫy%Lk#]v՞*I:婧`΍ROu{ Aٽ((S=zEF&soۏm0 yvִXa.}ըш5=7t"}f GȵYOZ-G;ckWs\Nd,T`jѳ6~/&%m7s8#SyY;mQw< 4[E۽gEs1^`(#C#J%܍vq=T-16ɓpcT ,I``WT~KZ3* {kTžB\ww4lwԿRf-b?Pdju#'yuz qbgJk m{[wP;ȝ,zeUG{Y:R^継5>\EQUxCo8S .X8?fJ$<: qIVnhd1 h+O"sC(H,(4[uK<ލs׊bME=Ȇ@b1d`F+yUzlL2MO4wFR5¢L j\pT)}c\Ds<7|r~j=%ÏX -ɋ%,;@O-fr>NҌ0`O4=ެӼfaeH_2*8+O ǖg7-Sf`).[Dl#][b_~׎6͞PeX';SQU7hla{ң8b6vg]b[qP%Kd뜢T:`R))s|:yvg?F:߆t.:3l׻"%|9O@3:k{ϴrOX+&jLkZ~?}یRW>޷JT?f }T[jipAqvo`,;L|ߺ!6D-8\Tꮩ-$敺5seװM( 2qIz^5+.g$ OA)>es/%Θ$=8QG C>BcgOWd$p7};P> +d *y{p4@9NjZݯh&B o'5H]5 RoX@Ƞ팊ZB THY)c!IUyQD# 0KoaivLj SCfi>ADLiӡmSj\4_М!ה-FotT&8ר(EGk6YF-ѹ[f(UC. 7f q8-4ה;aVFgĝR2ph/#]-{I=uZih=;)~NP7&7t0d A𫞿ZZQM'cwJp8T"d4g3|/~Ag>H`/3' $ZSEdRr!*2U 0,ZyV܉jդp5A g IY &->7Ԩd $bhf .2 !ro@\l@1FOOgɝӒgR^~PJ'3&DWtrAE&k<@ҝOfc?FCtFxv {˳i<#D1Ι̕ɦ%3>;0cN푾{bY:8 Svs#X\4šȖ=sQ'\{]2ҜHeV.~w Ѿ_h+]ncylɈLӪ#2jʹ~`tRT>D m[ N5}DjEݬLP |Ǒv*Q>! qAuW+32̘`ZdeWqu\ U_ /3ӂaܱHQ2BٚXH(BY?ڮ%MZLx/ɽHq3ŵ ڋ:"Ko8A$1 _ºVIXDcM.begIm"䎚_c$Rwk};xǤ8גIyaA`|lX*UoXO-dSǮpmcO"K+?I$NV%dsp!&1Lz2xJcHcoWs+>.swvaN8cj3wS >M+<[v6]M'YX>j5qp!3Foڷq ? 5 mJƁ~ZEj+wsgAć,ǑoJp-Zc*T=uZbKxx#YsYwCw!V]᠙MFqpL.[A3Mx̘gK)cu,CqA.m|m9f3 :m٢!G` d=ӣR3̈́,4%J 9` D gֽ$bMa4!+W^ vYlpۡ>%&4l*/OJchCF ݦ߸:>Ց`'CLm7*C*ɠ-Pֺbg#v(NOdO*U.FN5˷6#OXBly$ߌ_Q'ts/N qI]n|R9r6= rɹ2Z > eI;1]ʧucOAu̽'DdLG|rzqܥē"nwS- C&Õ@s.'㥏;0oy4"aGe\$u#}dP-h |GT8ϲIs Ls'YUnp|0nԩDR%߉/ JTgUL+$"SEѯj0eЯ&ƶoJW/5(vurSoʿ9`N3-|p"NGMJ,kOssK/DK7 r)}d ==:kKpŘ5ASqByuX F[2 Ǎܔ? JK]'r\S4,xOڭYVi[3Gvv?+?3UHN I5`+FA\HEpM5-\_np˗.4p4Gceiً6>v(ECvҌ_.Oٸ(b#-mޗ7ha/_-'SRhMBl Ξ;q,ɮ:nAIôfQs{:hE"q6UX-{k{er0SA\;TUh7eAOuX¯ϡ*?b!\#Hf,6PrO ?~x+#SMZRSQ 9H4qJg)H `6"ĚՎk plmXY{fK괭]T8k.l{"V|h3Z£ %qNzq*K#pN7Z/iMj),A@qu3Ee_[mcxjζ\ @ǟ#L 3D''$FUtǯR1'*HW$ൿ0 K󓸿=]~xP.`m c |Jxk ɠ*]ӵCbj`d?Mr#1*]ˁ<=n딫@3՟孫\b|0,Wfk Alr4˳Ųȯ5-߮kҝCd M6KO*=d?m(Y &Kd=crj04UYX*ID=Fwg̎V03b&|8%I ܄삒^@C{^kVZv$I IJDJ#.%] =[l"uve-(jX:cfEyc##fƛ[Ψt*<5am#**3ii_o*Zمv1hLr'W4ynM١cI H|CKOrz;' #댕oz: 2EhG{"YJjQO<ɩ0˲eȋ$: Ja@(D_6y.ng!S2sC\{BSIC%3Z4tC~Ԕ\-,$ USxG{;̈́9K/Fі[ MCZСR ̧U)vRbEj]2swo:!-aֆ2i#0nY^V Ok`(V,~ YhU.)/{=L26,c|D;PLN16s*׃20tXk7q6鹖t]pd_mr] Jw(m̓{Ae/u @=םVYqU0JOu:ݏ쓞۠O|}Zw;6UUCAfb\yRגTWK/lh4wT~f۩7PЪߦ|2[†ws&=TAi*hsP-X# MIu Eƈ/be](SO #=o)Dv1DbKn%3Z=%aDrEBM8Bl; Zk{<*[c?3 qKxw89&zg+g_ׅ7iXcqUډBY4m8d- 4[ b@+ xhUb: NIs`"L2Nw!+M=V4M#gcEЄ#0NT} _~!5@ͯbw\Md}׭Hk'n( VCmgXKҶbʖCEzs=xOYLIӰtZVPdECP DLSgv͛Eo}'>u [fn_[K\ZGF!ئ׿h[*Q4o C٤,ACy4wNv}-V="@97jAlms s<u$DqoykCJ%as?ݤ{5|G=S{lZ/6ٻOhcO|;_(`J$M<2%23"\'[f^σȴub z/QpgOvO,O˭YlDi08KM._{n& vpjd1C5Y4 !e_s},\j7#9+ s7Uz,2B(2 NlXۜx9Sl_EL>ݺ)@cul< JBt?Ir?OY'GX1&&_snO@d5&:'5 j>[ӽMHᄼ@񆸝O T3TQe{AYXёq>^.V:LdQU|GAqMb[Bg-TKbztI@m#wY#,:>亚a{49~PZ1f⋡YI}PbC~,4р4Sfٸں$-6oB]X~$\c.huIEd3hf-k.VA^s]vXꏛi/n4opѕ5C죹-g~fZ11ߐ@r E-ZB8*j݈ĚͧCTY䲹crY}u+s~`-H>ν `zhzQ&ħ/זЎ6׿^ڰjZ([ i($6NHMQWɳGֽwHJA=!.N\)F$:PhVafU Tг|6[R%oVYz"x? >x!k&"d,+(7PJCp}^T8؝(ʗ$^4s&MP>]j標!4Z,b˿NCNm6NXG_aAdzFj@YYGC?xsw(Ck) ށzO>3#">j8oٺ蜈2oޙO̊.hB8/a,& %5_U$9L*1r]O-_PRLSB$&Ȭ|/7QCDem>xK)JeG#W3~06/ b'*Dm/FW X׈oH*u%/E?W3{73^N+-<0HSPM䇐.-("I\"s;uY +(gff-׊F ߲¡Mb@.FP*4'-DUi5o.+w' -}@Iؤ`ϩ˫BHnmJ1Ե=p%rңyUb6c+.MHJvK[<ٰw)`l&ts[box~q$k=IQ'?R$SHi:nZo/)-8.@ޗ{T~"eˢV݀HS3otx"Ԧčhp䄦*/#i|KA̪r "yi'=ъ"#yTy2wCYw+wS@5Ih{6wgXvUj3?ndU&$_tU}ťor3~dsEk$kJ#9&%`@KJj_'gВd4~ $^0s5Wx 4L>VnC+#6tNm(M8a--doUiy7:*xL6yMώoqb?o~9 Vӏ< \'yhev2t$GM iVLbelk_Fj|Ip}M -]l vĀ#Pic*uk@ GYZK~~PxYoDC̍2*`?8w"Vm펍L|b|)S`F눽ԙз Kih$VC[d d9y‡D4͆87U./fuTb>CCM!U+fI[VXlbM{IrU^p>׈.Rt7y txM? 盾8 #WFm05Ѝhn葱ʛpK}' ub;q!V3VǻwU9"Bͭߘ)9sMlNDV\T;:dYwE1M̧'3n𑨝ldK%[4F݃Kkc5~ј2&>k䐲[j`/xS`!ûq's% ƐD_JF5&9*F=੸&o?tДI{ Ha)iAu$Y-|.^6:;52o/ˌyGf'>tQ\),{x#uWqf75/6Hl [h2v$"fFcJ)b%%S}^R/dN#$. ޡ#uͧMa<Yk$ a!ho)XhsDy9m7b*"~x 0d]gT+ەkzM{*癱y{h똤xuH3YI,ZGYnHj2]@Ոä4C&]1E]j}yg5m߃`ߕ<{"K,@`; d_\2eux}!9ƃt96 b Xؕ .TV~1|)ّmB|%G2*Ylrfr)%uLgl[^~u/lRYoWd P "0@j*jxяw^ iB ?T(54nn EC Rފ$㦇|aa6ꐓj{ZxWe݂v3JA>DZ̋_-Z| sH`S? Z(JkFoTDrpK\՞H;h~[oFym4 \,60&0/R>y<%Q6|akdFI+DwL;po#<*40ާNIWe9ALJ9hǩdWEmȜwz[$;t SHr:Jsq%^~aT^CP*vTn7-\HcXJUkj)i){gW#N gݾ 1s/˺2r\gh|\Neo\ѳzmo!p]7odoD}YSiPt$$G:ڬĤB[IL`qђx* x9٬= s\>d ؂pVM}T]#y'EdzFlɸ\2 ;wM0Y>˕_Кݴexyf mzNĄlC>0@++CMp/Pm;A qhq+vvf\8i Y{zr_: &.1Q[\U|ЙQ,rlĊ&\@o\E";,* Z1 |ݪ_S.KIq''Ss %|ils!takD35 xxH^<#lO[/"^^|dY4-5)kHw2Η«90Xp9L/5'pS~0\9gt;h|]R ru[PplPYR: 7QyQI>fOM AvrR*w2i,DQ;Bnm&yFӑ?XlƨYJ?9Go c,+jꀖ5g#;4E_9s{j'ެ^-rWﵗǣeJyp6UBr@TpY (^D,BUeІ҄Ϭ{踺%zr(S.j:?b@Fh6bp0w>E#]h}NpoҦ Q34,qjI@'؉g.n3/lmp.̾6BCrشRA-j*jjOLogDދ)͟6<(OMPyAѪΛ-A|ěʬ|M[obC;NpPXaMK5|G[TǤn9GJV6@N-i{+aYog9!6:{̏(߂S͛˲rܰX]X,K( %ChYwNqp'F )vSuYw7Rz=T˯0oHa()xb(x›Y/4PI܈C4::XxSϭ]5P1+=.V~DJpX _d󼫪HDeӞ\yIZ tf&Id{bg^>8Mf_A6sFv ('E#zcDaͶ |b'Ѕ[/a= Πwx3 ԲprUHK,uHDAJѶd(pDw4 uSKTu #am 7,7I杫Nv,Asø MVn M$M̽5~{ҚM#P|z/./rɃ]+㭇`DD]43CUGYqldX@U[[l`X (r3KOi$mxҀ5 $tPS+6aVÚ&yQXRvbeEa!͙A}Sʮuu@jD<= ի<K?Hĭ$s]L'@EtZ(6S X33NW%W/~A x]E Yƻ!%XR1ȋ'.ye5]h]8zA8WlqKb/uۜ!}ub'ҐK$ ip4o4GLhwcJyHƞ[Rw1<.A~5#8iCBɩH2 53ędž5)>'/e \έj.* `ݟ.٭Xk %cKNȀq\ޥh\񥫯#ψ״|^>V@x&dZh!NPShF;-TBGAF&oj؞%,sk}+uv˜PQƑawal%BCo˿@+ MPwS>0.DMo;|-E/j5i<0`z|.BntlĖit0LCT{=Y2kyģN.4][A` |^+9&d@;pMdw;MPENCTTJ1evRBv PʼnF8&+=Y;`V#ȆCGjYI"M:݊Ҭ#e ~""ߪ-mPv<LX;Dm#{V:+T?Sp:V|j9#hM>/aIe `i%-o5;}^f |R:/lJ£*K9D@-vP]at>ɷy0:*{]v suvDimŢ5ࣷJQ@b3J;ZQ3k7_C;Ziv]AaΊ"ɜwQM^-I't-;c2Lƚ.L#ՀZ0_?y7.I*Enڪg]OqAq2%:=l% 9 ڕݓRnmB\A<94s6~(jHotXi>bgJB'B"T+Q@/5P7 )USQPD:RrC@&@h jڈz햲#=yaR\@TmZx {h}ְSkhЁ]m<-wm-s٢bؠBڲ/ӹreIi̓.XшB6e&waAdi9xD[._)c=8m]?hB!3z cUaE^CpB.7;Kq4Jˬ50_6ĭF%fZØ|~ɭJFѱyҮ8[V!g[[PFev#X"Z8Wj/MXs1?ta)"r>Fj~/e(MJ*aEUZh1.߁yD= - ~se_ZJҧ^q>>xFGgp{DSLݳzB]54)% #kFeAv1ŖB"m7ڥ)C{5:˩Yt` KY.y8u>_}d^niF@5c~.۲܁5Ƃ֦%*C W9`,7mLР%jz5X9,R%wʭZ?e]9=f0aKR>t 2R(o^4P|_3Eɏh v:OA: ̺>^Pr+#u iH- >[:}9~VM~ [#Q*tA}RÀ1omQD47Pvsr R/'2C7i])5WNTɎn}e& &إR.L]qh=R}O_C,Bk O|8'u0T?߸2 RefiRe=!р7%/OFO:UXr.Ҏ%!#?\"Bta0@{Iup)B+Ń? Z g)($O'{DX/w>x@olNc7 .!)M 4oYIh:]C{e #}A_$yttWuy-)#w̭N]Yj4SHdY0ʦ+̥;q eU*[Y @j,:PVkh .1 bUc'lQm[QH[[^>ՍW%p o-6XϽU{@^"˄rEva&o d}O,6Q'ڹy&(-w&}OECHb5 I;lo+A.Rsb^U0AS[Hjw;2~-O8;c eiRs`T JMS brCi im 8#($'@aESƼ *DCj`Bl(Cd [\Ǭ-pC}@~}]wL`]?_㇤R)CDݍc_ ]3j <=+)uDBN82:]!j\)I5½z[g$8>|ZM"oۇ82\'fm+W9o X35?0^~?x}xIK;ҿ3|mԠ)MGE&\|@9jTx#̳WJjWtƙjA) ^o $Q,MlwR !-ydsSoU􍶍Z4\(e]3KE V6#hrtc[f#@|CD{hHG|\(cjv?d313?#N L|g2U)_h}TkR50 g@O\~;q~# n/湸 =4׶Ch@| 0Śp!/ܪEMRO'$6rw|I7ɭ2%uaKJ;/3YDUStFhْfj_X."}bJ&f_ ݭMRm$?}Ey57UuL,Wwk> #aПpNj~ Q O!S^YC|?\1lvb=QPLqj_{Hk\>=PR4u,Qf} xX-0}0$ҡ8'%5и0˓1;䱱@+ewi1aH$_#m*>m { (4!D<eL\RP)D%hf9Vg4f}ȣAOR1؂aP[]<XXk3 I/ A~ D&WpF 7S\ŴEjF ѵ:ǥSg&u9׃#n~c:_.TTKMqkwY6gPqPP{ L( +Ywm,$b;RIGG>k/^7^E6y\MtO+̓Sf)HDk^SuZhX6W##&_߇wM%Gkx Y4g;L?U,/FRd!C؃ Hۄҙ PgUz L*e,WZۃrۮid1 1L(]Ŝ^ )?qJ6p~)C|ǩ#v5 rh!YR[=a y.NjrWk˘z_x='6!XV4:*^rml Q\Yq=6i)lj̵a+ڕ?ψoD~T  \<27Π(oH8k6i ChNB-l<ך#ݠX}s޸*(>8Vg^Rt7,I<ҁO5iB-2cwId+DэDV1uI'y7ni5f؍XK(XɄ+n3!06vႅ*gS2C䠰f(2]6XY <1 Qui?k9+vQ?MRyRI.,R.GED.u@B2C:q`S$ds+R!}V@Tmw8YWM2ލ^/*Dk3X i“ ɕ at01c2? h;q~"4q>F:O'x,Rlj7ЮbdO>ij0DZT|r76jPyڣaꅆ({ fDO!hp׮^:gV]$H2yǎ{p/Ŋ'^3nd拌AqhwjpYl)=cb.DS"`߲0bQn9=dHI94M\>!Ǹw]VuӒ0HDJ-gLq6w5ё,`# vFKo6:8MfEjk59dv u_rc=z?Lr[ߔD"M[Dy YD ?r;-)d*<0_C$YL=#ym\?{V{O=IZ,.7`3@P1L.[ ˇMc<]*8ԻLkjZMNd+Kd"BrtڢoV+S[Bhlu d2+B8@z+!C k}Lp.*wXzSYW?MlgL8(Ta,HNݡ(R֥wbuyܽiOc\FT.Pnt֐P^eZ1I/F`t0К6;TޒHpӁyk ge 4%PBn =oN&n} O !0'BcA7{s`=*Dvgv! %4k.Xb:J蕹 Ysm=eY'b*OZ+G!ҮG͢-<~i;ƛG .3+& Dk%#cV3{+-(-K`Ms|!Ŏu<}H\L3B;^U Aje͛d c6 ^ [.) {R mԔb c]7`64ʤk `Z dQU=ftAvb(Ķ]dHvnZ<}\οyZ)r$/8wZQJn+7l'UlĭbR>s6"ߘ@ nz_W`;pVr|l1R X?{%x[ %xI?n1( E8%QMꊼO6jyz./T >@~聖_얧LnnA{rڥMά}D`dSO`i!Ih ՛N_87vI0@MX&}}<-cbC+w`nCsgPjRd?#H7grV($uO=Q3#z,R=_Şmؽ`6DړtY8CbHDDaNvB˗?e@Լmh2Jn_7I &/KW͘WgoO=(6T7frR ]!̢p}az8dtOLJxqv1`?lD0VНypxo銐N A,I[tpz}k]ԬBw\sC+٩WZt櫉LmV d?~[<6[ʹu"̛ mB` ڒs'_VZi9߯ٵ*uԳP_/{?m.ߟ'1o ={C9;)HIC_ ܕn9jZ$Xb/^iKo *.cWP0!&ⵝt[2ɻ0dAA 85n_:۰ȩy=JB$(]`Ƽ b| GN%4S='wV krDovT4XJVyx܂~e Sڤ0?B Ts{Atm5-I"O,e>9@ɂ4Ll*&ѼoǴ _Q̱Nlrˡ6zQs1b%8 k? ndv{^~7H2ܫI=Ҭ>Ly;r{*IVX is9Z k#W` E ! t|Wږ? E@$-~ !JD #]`n˔ _MJۊzn21uQHw;tꡆ8-- ‡|QGyP]K ;IJog}P͌;?!rֶzvg}wWFއ qk ԡ>t<ȥN@kD/{A{'T5jgZHZkfG#(Rh @C|V#K#X|y N6G?Ur@ ud*+Y{F܃>LōPUn"3{ˡ-j_?UGF='W%YYĴC`Ax@03ks}KՃ/j3~#91ͱЖv`ZM!x7; e@0M!) hyA`<#9sۦ&h״QqtROM 5&[@]^tVA Xex =0lMm%>_ldWc^2 ϛp !lVDXG}%TAMI^Z۴-Ů'KYv)bPCSp3e ;R&B P-,wG~)*%-?Jf`)Xž#x!kR؍62}:d89.4Ob/g#J.t1a'sk2Í]}wY z*~ɶYDP2[`<~MUrʢ:> ix%}5Y6u & n HZg0wx/N|vxi;dN>M5zt#> Eْ?'mi?ِ 7<Χ.̌[3V4v8t`ۣ  DڤxdW6U;ʧW wU/`#=dQrg/XB18$`F !akV'O1@KذN*NxUaFS*e{dx<<>#CeCri@L˽̅y Y7V%3r\ۄ|sOBj8|2*1A! P>Nvyzp[L |ۭ]︴-[d zBFoXMca>pKXP`w$%e(Z쳤Myި[R)”[Hq[7dzLݍ/ْ ?!֡]ִ6,cgu~4%@f謖1V̈*Vipv1)? &p2e=cQ(+Uf[lv4Cș]SG2Y]|/|룷Khx!9TK'feWP8{FT)m"Ftx1xꚶ%0=ϓa$cum8+/6jc/-T ,BXᛝx90#AFW)JQ+j-u=v/FnZB93 "7mx.|g2 V.͡@Kq, E8[aKQ[(NcvllTC D0XeG"*gOś.i^ Ʋ>%G f<ʋSN8`?Zd4~wPvǖZ0*f71? .<NwRKF8{*}"0 $1pUxU$ӅlNY[qߋA+ꌞ ,A P+FC͟|{-(ZܿH_ YZ