shorewall6-5.1.4.4-1.1>t  DH`pYg1/=„VC2b=W, 7ρB_1,̳a_)dvG]ֺ@*pw={SYWڐ;/I~!kEήrq:3{t|-wwɆhxv u_沚+9hvҫl@3z*TXJYp^YuxHF*"e;o r&$/S U>NcuLnsCFC Gԯl521ac08a03a9eef42ad8683cd3990526a80d8ff0<Yg1/=„+og34M.^>f#?4@>=2E?>VTnxyLj/ S:ɇ\O}ܞ>޷L48߉ _v_eD OZDFh>3&+L.bziЄFl'tjG w%=|#79bmޝ n?SAʘfzmE4 2]_/VO~0B[neM}m18ujN eo֨iU^TrZl#ۥ >H?d   _LPX\ox   9d  @  / 0d3@6:f:=`==>?(?,?:(?;8?D9Al:L!=>?"@*F2GDH IXY\]^}bc/defluv w,xz9Cshorewall65.1.4.41.1Shoreline Firewall 6 is an ip6tables-based firewall for Linux systemsThe Shoreline Firewall 6, more commonly known as "Shorewall6", is a Netfilter (ip6tables) based IPv6 firewall that can be used on a dedicated firewall system, a multi-function gateway/ router/server or on a standalone GNU/Linux system.Yglamb25 6openSUSE Leap 42.3openSUSEGPL-2.0http://bugs.opensuse.orgProductivity/Networking/Securityhttp://www.shorewall.net/linuxnoarch test -n "$FIRST_ARG" || FIRST_ARG="$1" # disable migration if initial install under systemd [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$FIRST_ARG" -eq 1 ]; then for service in shorewall6.service ; do sysv_service="${service%.*}" touch "/var/lib/systemd/migrated/$sysv_service" || : done else if [ "$FIRST_ARG" -gt 1 ]; then for service in shorewall6.service ; do if [ ! -e "/usr/lib/systemd/system/$service" ]; then touch "/run/rpm-shorewall-update-$service-new-in-upgrade" fi done fi for service in shorewall6.service ; do sysv_service="${service%.*}" if [ ! -e "/var/lib/systemd/migrated/$sysv_service" ]; then services_to_migrate="$services_to_migrate $sysv_service" fi done if [ -n "$services_to_migrate" -a -x /usr/sbin/systemd-sysv-convert ]; then /usr/sbin/systemd-sysv-convert --save $services_to_migrate || : fi fi test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in shorewall6.service ; do sysv_service="${service%.*}" if [ ! -e "/var/lib/systemd/migrated/$sysv_service" ]; then services_to_migrate="$services_to_migrate $sysv_service" touch "/var/lib/systemd/migrated/$sysv_service" || : fi done if [ "$YAST_IS_RUNNING" != "instsys" -a -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ -n "$services_to_migrate" ]; then if [ -x /usr/sbin/systemd-sysv-convert ]; then /usr/sbin/systemd-sysv-convert --apply $services_to_migrate || : fi elif [ "$FIRST_ARG" -eq 1 ]; then if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl preset shorewall6.service || : fi elif [ "$FIRST_ARG" -gt 1 ]; then for service in shorewall6.service ; do if [ ! -e "/run/rpm-shorewall-update-$service-new-in-upgrade" ]; then continue fi rm -f "/run/rpm-shorewall-update-$service-new-in-upgrade" if [ ! -x /usr/bin/systemctl ]; then continue fi /usr/bin/systemctl preset "$service" || : done firm -f /etc/shorewall/startup_disabled test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable shorewall6.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop shorewall6.service ) || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart shorewall6.service ) || : fi else # package uninstall for service in shorewall6.service ; do sysv_service="${service%.*}" rm -f "/var/lib/systemd/migrated/$sysv_service" || : done if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi fiR?;TV~?IZ0T_GDEB=B?1C;;?DIRUYHNS\ FrM`{9( h t E  i.s=" E6Jx.G ^  {VT1 _8c%?8;5TV8~?I Z*0T%_,GCDEB= 0B?1C 3;;?'DF-IRsUqYHNS"g[p:A큀A큤A큤A큤A큤AYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYFYM)YFYFYM)YFYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYgYg448930b4d67ef0b9180c57a6d34750eec149fdf57c791dc22d27ea7a358344268783ea6d6e6080e7443a6d41940fee5a7bebe362ba407b027fbd4a37ac7702a5af5c74485c4d5efb3a2cfcc0d2725269140c5b7233021319d26110e1c5a1acff1787cd24bfc9a292a086f52fd841c47ee453c114f9ee40d70c6c27d8a12a70bb234b4a488cf4587eb35f60d761d8183b51f944c1f10d1a7e218c4960965d4397d41d8cd98f00b204e9800998ecf8427e20244ee3378cec6ea714f5a97659fe997df3f91f35a6c5a833e5ad2900df20c0ef2ad3c1633f31f6895441cdb30372afef6e6f05d5aa3af2af37b3b8041e88e68aa6b6adc70822eecaf527cbbe7c5974d41d8cd98f00b204e9800998ecf8427ece8da863909e7ce40e75de5add23cffb1c23d5d9a4a27b1f7f4a451170b32aa95b6aba1c329bbac66189d107c3c5ee169aeeeebee4b6ab7d56d39ccf8d5ebb9d42abfd0887852c29f276304bbdf8654a33a836c80ab07eea45f1c6b7ed863e098096541ba95eeaff11ce7517deefed51e274ecca582fc633de34caca893f7b406244a29dec8d72b45e4f7cbc7dad51cb6d5d3d0911b2b7bd79d69f87a9a73df054b3e0acf337eb9ea6913d401234bb1dbb56240811f699a50ee3c788b76f5b183121dfa662130d9a6a57f7ddf12294dacf15a0c7eb4da4d0d001cc82b484b30b5375be4e4d39b047702675ec4f47ce23af9b6947c871c4859eba4358cfbc5d901a147bb9ac3419cc26e623ccb0f31050b14831214aa60066e5e553fb321a02e5c87de643ed5a0f5e2ce1aaddd4260d2e68d77f4d4841cfe25f264e35533ba99cb1931cc2be2342d4d1975c5e304edc077519b88ca138103af77869f35c9c2a52844c0209ca9eea5763ccf3dca253fcc41b4a0b57c1202b47924904f54ba962f0105fa5f28878680708d9ee7e835701b7d7ccb80f9690e116e052d95ad11b84d277dd413c6c54ed82eb4cf6c418f3c14b75257901236fdff38d96cc2726a7175bc14f1cf69c9816fc9b1f1330ce0247c984b5bc80f3e486ef84d5bc9d6dc7e4daf36ea08b5e97e8932ffdc8e154ce59e578c6121c3fd7385baf69df8dd992b8f3bb92cfb1d30577682b4e435e1f83a360222181dd1865be5cba2e44fcfc2a6921a8f83e1183e6ef4e17226117b37caa4108350493359a538abe0b772da524c55e15e9b2c657e6689ff4a5c3dc44d5d2b8517d88ceeab9885252e5f248ba9a6164cad161fe877665cad3e3aff958dee578de57df631650cede9a0fd34168e872a75a0649b695dfa42b42d42e1ed9eec5e78c36363d02df1f71d10e897d7280591a80d79789e9a09d12cb0eeef8bd9b9426cc27d830e325052f72212823432ac5e430d9e03904b6697eebf4c9a39aa96b37c5d0c1c941d59b216e9456146945498be8672f7db3513d4b705a2f74601a12ae537aac6e8269cc4d199f7b103e67a3b18cc70ad6bccf1880ff7d1f717f65da13413236f00b661ffc56846a62d11ad3dd0660a9e68e104ff1143c35a17e474892cb65daf7b4e38f8fbb4902d2a369c2aff50ad60287f620cce88307b71350fa25406fc250fac42ee09685acc7339237382f3e6a3bdb090e23735a690532208bdf0098e86915e42bc4271975d03f2b9ab445c0acccb31f38158a9d2bdeed9e477fd315619a30c76a0473080e638183f09ae96223aa9f33a603d4d0365b3ad9602beb845571ecb259078499d0447002490fd6017e5118b175e682ea73bb83bb15c0b3d720f2f05a65ff5556b78b6cf5789908cc421af1ad1137285104969c653cadccfe9d521d5406bec7e485fd5624448f6985571c5048adecedde96fd6d284fccddac8711e0cbd3c6b68d09be60ef67bba205c2bfc2b953815610981e1ae3b26b1d03238d3d0822d9738ac402038262ad604cb9d5486d452cc69f3464c2a783cb0bc7ce325cef60ee9d92237debd82f8c9bf9cbb147b1163b5f503ddb6936dfe249fca6dd7270f513ebd3e0b2470d4590c149fdf57c791dc22d27ea7a3583442607aca8a4e3dbe3e89d4283fdbfe8ff2d8783ea6d6e6080e7443a6d41940fee5a30d3e5c63fd56068b40d6f9d496c55c27bebe362ba407b027fbd4a37ac7702a5b332bf3c572766041fe8419e1e2c42ffaf5c74485c4d5efb3a2cfcc0d2725269140c5b7233021319d26110e1c5a1acff1595ae6ada7d23b35026312ff3c176a21787cd24bfc9a292a086f52fd841c47ee453c114f9ee40d70c6c27d8a12a70bb5f95f950c482a9ea5a1c26022c2786ff234b4a488cf4587eb35f60d761d8183b51f944c1f10d1a7e218c4960965d4397e81a56d00eaf17cc1c118e46b3dfffdc9bd780d53c7e0484d9abb5c44beaaebf20244ee3378cec6ea714f5a97659fe997df3f91f35a6c5a833e5ad2900df20c071314e47d08a5853261e4bfb383b3ef9ef2ad3c1633f31f6895441cdb30372afac78375911a4f0d3892f21e5572ba912ef6e6f05d5aa3af2af37b3b8041e88e6289ea5c37465f68bfe408344277dfde48aa6b6adc70822eecaf527cbbe7c59740dc1ee5c3262860f67ca36df6a6c44cbce8da863909e7ce40e75de5add23cffbe9c398c031ff6fad032e90ef226f6c2c1c23d5d9a4a27b1f7f4a451170b32aa96be0da392610a1c18ebd15907782ac975b6aba1c329bbac66189d107c3c5ee1633a6084be9f41cd1ebaa9921a861cc6f9aeeeebee4b6ab7d56d39ccf8d5ebb9dbc6ff405ed5daf5d379ca5679ff9387742abfd0887852c29f276304bbdf8654a33a836c80ab07eea45f1c6b7ed863e098096541ba95eeaff11ce7517deefed51e274ecca582fc633de34caca893f7b4096488537695cc555be338a48c1c295106244a29dec8d72b45e4f7cbc7dad51cb3124638a24e330ed2aac58b078f5ef3e6d5d3d0911b2b7bd79d69f87a9a73df0276041e3a9549de44919a2167ba066a854b3e0acf337eb9ea6913d401234bb1dbb56240811f699a50ee3c788b76f5b181448bb3ae0e703009c602b4959f6ba8b3121dfa662130d9a6a57f7ddf12294da04ba30e2385cb8bf6b399a515a1782f7cf15a0c7eb4da4d0d001cc82b484b30b0ddd1d678134d873bd043f77e2b4c2e25375be4e4d39b047702675ec4f47ce23af9b6947c871c4859eba4358cfbc5d901a147bb9ac3419cc26e623ccb0f31050b14831214aa60066e5e553fb321a02e5c87de643ed5a0f5e2ce1aaddd4260d2eceec4c1e76f994017d7fb86befe0c20668d77f4d4841cfe25f264e35533ba99c193047c359931b9aa8a280ad48a5a415b1931cc2be2342d4d1975c5e304edc077519b88ca138103af77869f35c9c2a52556879b05843a13fdb9e976aa3c175d2844c0209ca9eea5763ccf3dca253fcc4371abdbbc5c2d7bc32d1a0303bf7173d1b4a0b57c1202b47924904f54ba962f0a13df788199a5ea678b2e25be0c68c5d105fa5f28878680708d9ee7e835701b741dd97c81e81e245a323a313e7860b3ad7ccb80f9690e116e052d95ad11b84d21deea9c180b820a68a97253b6934d08f77dd413c6c54ed82eb4cf6c418f3c14b10d551edf40f1f430b1c7378c02c3ad81436d6627ba1eb43e7f4a7145ef03806b2ca15938c522a25cba4afd43eddd1360dae217752b4c2ecdc5f07e3d8caf81deeef2757caf3062f559db1491a92013ebece671110932ba89c53f62666232f328b9e4ff767bf7cf4ccd7dc78bcc4caaff7b2ce11944d94f26e1dfda395922fa8a076c2c3549f1db25e2d526a6b2aa2b7d7bd328c583e3c25d6d2e1d4e1b0e9ac31a41b39d59b880e223017677017af04c0a5a682a6f8d4e47a997f101a4ffeccd637814d7dbd6fcab38f6c4850760b5f7533ad347f792cb7fab972b672a2b56d59001d102fc1e3b8f79fe00bb9776880060902ef1554e28a9a78c387a46c5e23serviceshorewalllib.baserootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootshorewall-5.1.4.4-1.1.src.rpmconfig(shorewall6)shoreline_firewallshorewall6      /bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/bin/sh/usr/sbin/serviceconfig(shorewall6)coreutilsdiffutilsfillupgreplogrotaterpmlib(CompressedFileNames)rpmlib(PayloadFilesHavePrefix)shorewall-coresystemdsystemdsystemdsystemdrpmlib(PayloadIsLzma)5.1.4.4-1.13.0.4-14.0-15.1.4.4-1.14.4.6-1SuSEfirewall24.11.2Yf@YTYJ_YA%@X[XrX,XN@XGVU@UUa@UKSU-@U@U@T@TÉ@TNT@T@TT@Tq@TZ@T @T1TT@T@SSS@S@SS׌SFS˯@SS@SS@Sg@S~@SuS:@S*@S@R3@Ra@RRe@RUE@RM\@R@R@R@QQQQ(@Q]k@Q=@Q@P@PDPP@P @P}@P@PAP@Puc@PqnPnP`K@PDP3x@P"TO@O;O#O:OЗOȮOOE@O@O@O@OfO@Ohq@Oc+@OJODOO@O@NN@N_NvN@N<@NuN@N]NtNs:@NONENA!@N:N98@N%qNM@MMM@MӴMz@MM'M@MM=MzMS@M:M-M!@L@L@LOL@L@Lbruno@ioda-net.chalarrosa@suse.combruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chbruno@ioda-net.chtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgdimstar@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.orgtoganm@opensuse.org- bugfix release 5.1.4.4 A defect in 5.1.4.3 caused a startup failure when two or more 'fallback' providers were configured. That has been corrected.- Fix a typo in %posttrans that would remove the wrong file and could cause a problem depending on the execution order of the %pretrans and %posttrans scripts for the shorewall and shorewall6 packages.- This stable branch 5.1x will be the new default for Leap 42.3. Remember that each time you have an upgrade with changes in Major or Major,Minor it is mandatory you upgrade your configuration with shorewall(6) update -a /etc/shorewall(6) command. - Packaging : use pretrans and posttrans to inform user about configuration upgrade. - Bugfix release 5.1.4.3. Problem Corrected: When running on prior-generation distributions such as RHEL6, IPv6 multi-ISP configurations failed to start due to an error such as the following: ERROR: Command "ip -6 -6 route replace default scope global table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1" Failed Such configurations now start successfully.- Bugfix and enhancement release 5.1.4.2 complete changelog is available http://shorewall.net/pub/shorewall/5.1/shorewall-5.1.4/releasenotes.txt - Main changes All IPv6 standard actions have been deleted and their logic has been added to their IPv4 counterparts who can now handle both address families. Previously, ?error and ?require messages as well as verbose ?info and ?warning messages (those that report the file and line numbers) generated from an action file would report the action file name and line number rather than the file and line number where the action was invoked. The file and line number where the action was invoked were listed second. Beginning with this release, the invoking file and line number are listed first and the action file and line number are not reported. This allows for creation of clearer messages. IPv6 UPnP support (including MINIUPNPD) is now available. A PERL_HASH_SEED option has been added to allow the Perl hash seed to be specified. See shorewall.conf(5) and perlsec(1) for details.- Bugfix release 5.1.3.2 Previously, if a Shorewall Variable (e.g., @chain) was the target of a conditional ?RESET directive (one that was enclosed in ?if. ?else...?endif logic), the compiler could incorrectly use an existing chain created from the action rather than creating a new (and different) chain. That has been corrected. Previously, if alternate input format specified a column that had already been specified, the contents of that column were silently overwritten. Now, a warning message is issued stating that the prior value has been replaced by the newer value.- Update to last bugfix version 5.1.3.1 Problems Corrected: There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3 sample config files, which resulted in a compilation error. That typo has been corrected. There was also a typo in the two-interface IPv4 sample snat file; 192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has been corrected. Previously, when processing the policy file, 'all+' was incorrectly treated the same as 'all'. That has been corrected so that 'all+' causes intra-zone traffic to be included in the policy.- Upgrade to last stable 5.1.3 For details see changelog.txt and releasenotes.txt containing all informations for a correct upgrade path. - Packaging Redone patches for var-fillup + shorewall-fillup-install.patch + shorewall-init-fillup-install.patch + shorewall-lite-fillup-install.patch- Upgrade to stable 5.1.1 For details see changelog.txt and releasenotes.txt containing all informations for a correct upgrade path. - Packaging: + use proper %{} syntax + Adjust year copyright + Remove attr on sbindir symlink + Move Samples and Contrib to doc package- Upgrade to last stable of 5.0.x version 5.0.15 For details see changelog.txt and releasenotes.txt containing all informations for a correct upgrade path. - Packaging : + Remove all non suse %if + Cleanup older non supported version + Remove upstream merged patch * 0001-remote_fs.patch * 0001-required-stop-fix.patch + Remove 0001-fillup-install.patch replaced by specific product patch for correct usage of var-fillup + Added patches for var-fillup when not specific %name6 is also supported * shorewall-fillup-install.patch * shorewall-init-fillup-install.patch * shorewall-lite-fillup-install.patch + spec-cleaner minimal- Update to last 4x bugfix version 4.6.13.4 For details see changelog.txt and releasenotes.txt - 4.6.13.4 * This release includes a couple of additional configure/install fixes from Matt Darfeuille. * The DROP command was previously rejected in the mangle file. That has been corrected. - 4.6.13.3 * Previously, Shorewall6 rejected rules in which the SOURCE contained both an interface name and a MAC address (in Shorewall format). That defect has been corrected so that such rules are now accepted. * A number of corrections have been made to the install, uninstall and configure scripts (Matt Darfeuille). * Previously, optional interfaces were not enabled during 'start' and 'restart' unless there was at least one entry in the 'providers' file. This resulted in these interfaces not appearing in the output of 'shorewall[6] status -i'. * The check for use of a circular kernel log buffer (as opposed to a log file) has been improved. * Previously, if a circular log buffer was being used, the output of various commands still displayed '/var/log/messages' as the log file. Now, it is displayed as 'logread'. * When processing the 'dump' command, the CLI now uses 'netstat' to print socket information when the 'ss' utility is not installed. - 4.6.13.2 * Previously, if statistical load balancing was used in the providers file, the default route in the main table was not deleted during firewall start/restart. That route is now correctly deleted. - 4.6.13.1 * Previously, the 'reset' command would fail if chain names were included. Now, the command succeeds, provided that all of the specified chains exist in the filter table. * The TCP meta-connection is now supported by the Tinc macro and tunnel type. Previously, only the UDP data connection was supported.- Update to version 4.6.13 For more details see changelog.txt and realeasenotes.txt * The 'rules' file manpages have been corrected regarding the packets that are processed by rules in the NEW section. * Parsing of IPv6 address ranges has been corrected. Previously, use of ranges resulted in 'Invalid IPv6 Address' errors. * The shorewall6-hosts man page has been corrected to show the proper contents of the HOST(S) column. * Previously, INLINE statements in the mangle file were not recognized if a chain designator (:F, :P, etc.) followingowed INLINE(...). As a consequence, additional matches following a semicolon were interpreted as column/value pairs unless INLINE_MATCHES=Yes, resulting in compilation failure. * Inline matches on IP[6]TABLE rules could be ignored if INLINE_MATCHES=No. They are now recognized. * Specifying an action with a logging level in one of the _DEFAULT options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info) produced a compilation error: ERROR: Invalid value (:info) for first Reject parameter /usr/share/shorewall/action.Rejectect (line 52) That has been corrected. Note, however, that specifying logging with a default action tends to defeat one of the main purposes of default actions which is to suppress logging. * Previously, it was necessary to set TC_EXPERT=Yes to have full access to the user mark in fw marks. That has been corrected so that any place that a mark or mask can be specified, both the TC mark and the User mark are accessible.- Update to version 4.6.11 For more details see changelog.txt and releasenotes.txt * Previously, when the -c option was given to the 'compile' command, the progress message "Compiling..." was issued before it was determined if compilation was necessary. Now, that message is suppressed when re-compilation is not required. * Previously, when the -c option was given to the 'compile' command, the 'postcompile' extension script was executed even when there was no (re-)compilation. Now, the 'postcompile' script is only invoked when a new script is generated. * If CONFDIR was other than /etc, then ordinary users would not receive a clear error message when they attempted to execute one of the commands that change the firewall state. * Previously, IPv4 DHCP client broadcasts were blocked by the 'rpfilter' interface option. That has been corrected. * The 'update' command incorrectly added the INLINE_MATCHES option to shorewall6.conf with a default value of 'Yes'. This caused 'start' to fail with invalid ip6tables rules when the alternate input format using ';' is used. Note: This last issue is not documented in the release notes included with the release.- Update to version 4.6.10.1 For more details see changelog.txt and releasenotes.txt * Indentation is now consistent in lib.core (Tuomo Soini). * The first problem corrected in 4.6.10 below was incomplete. It is now complete (Tuomo Soini). * Similarly, the second fix was also incomplete and is now completed (Tuomo Soini).- Update to version 4.6.9 For more details see changelog.txt and releasenotes.txt * This release contains defect repair from Shorewall 4.6.8.1 and earlier releases. * The means for preventing loading of helper modules has been clarified in the documentation. * The SetEvent and ResetEvent actions previously set/reset the event even if the packet did not match the other specified columns. This has been corrected. * Previously, the 'show capabilities' command was ignoring the HELPERS setting. This resulted in unwanted modules being autoloaded and, when the -f option was given, an incorrect capabilities file was generated. * Previously, when 'wait' was specified for an interface, the generated script erroneously checked for required interfaces on all commands rather than just start, restart and restore.- Update to version 4.6.8.1 For more details see changnlog.txt and releasenotes.txt * Previously, when servicd was installed and there were one or more required interfaces, the firewall would fail to start at boot.This has been corrected by Tuomo Soini. * Some startup logic in lib.cli has been deleted. A bug prevented the code from working as intended, so there is no loss of functionality resulting from deletion of the code.- Update to version 4.6.8 For more details see changelog.txt and releasenotes.txt * This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. * Previously, when the -n option was specified and NetworkManager was installed on the target system, the Shorewall-init installer would still create ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless of the setting of $CONFDIR. That has been corrected such that the directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is created instead. * Previously, handling of the IPTABLES and IP6TABLES actions in the conntrack file was broken. nfw provided a fix on IRC. * The Shorewall-core and Shorewall6 installers would previously report incorrectly that the product release was not installed. Matt Darfeuille provided fixes.- Update to version 4.6.7 For more details see changelog.txt and releasenotes.txt * This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. * The 'tunnels' file now supports 'tinc' tunnels. * Previously, the SAME action in the mangle file had a fixed timeout of 300 seconds (5 minutes). That action now allows specification of a different timeout. * It is now possible to add or delete addresses from an ipset with entries in the mangle file. The ADD and DEL actions have the same behavior in the mangle file as they do in the rules file. - Added systemd_version macro in anticipation of detecting the correct service file when systemd version is >= 214- Update to version 4.6.6.2 For more details see changelog.txt and releasenotes.txt * The compiler failed to parse the construct +[n] where n is an integer (e.g., +bad[2]). * Orion Paplawski has provided a patch that adds 'ko.xz' to the default MODULE_SUFFIX setting. This change deals with recent Fedora releases where the module names now end with ".ko.xz". In addition to Orion's patch, the sample configurations have been modified to specify MODULE_SUFFIX="ko ko.xz".- Update to version 4.6.6.1 For more details see changelog.txt and releasenotes.txt * Previously the SAVE and RESTORE actions were erroneously disallowed in the INPUT chain within the mangle file. * The manpage descriptions of the mangle SAVE and RESTORE actions incorrectly required a slash (/) prior to the mask value. * Race conditions could previously occur between the 'start' command and the 'enable' and 'disable' commands. * The 'update' command incorrectly added the INLINE_MATCHES option to shorewall.conf with a default value of 'Yes'. This caused 'start' to fail with invalid iptables rules when the alternate input format using ';' is used. * Previously the LOCKFILE setting was not propagated to the generated script. So when the script was run directly, the script unconditionally used ${VARDIR}/lock.- Update to version 4.6.6 For more details see changlelog.txt and releasenotes.txt As there are many new features with this release please consult the mentioned files. * Previously, a line beginning with 'shell' was interpreted as a shell script. Now, the line must begin with 'SHELL' (case-sensitive). Note that ?SHELL and BEGIN SHELL are still case-insensitive.- Update to version 4.6.5.5 For more details see changelog.txt and releasenotes.txt * This release adds Tuomo Soini's fix for Shorewall-init to 4.6.5.5. Previously, the ifupdown scripts were looking in the wrong directory for the firewall script.- Update to version 4.6.5.4 For more details see changelog.txt and releasenotes.txt * The '-c' option of the 'dump' and 'show routing' commands is now documented. * The handling of the 'DIGEST' environmental variable has been corrected in the Shorewall installer. Previously, specifying that option would not correctly update the Chains module which led to a Perl compilation failure. * Handling of ipset names in PORT columns has been corrected. Previously, such usage resulted in an invalid iptables rule being generated.- Update to version 4.6.5.3 For more details see changelog.txt and releasenotes.txt * The Shorewall-init scripts were using the incorrect variable to set the state directory. Correction provided by Roberto Sanchez. * For normal dynamic zones, the 'add' command failed with a diagnostic such as: ERROR: Zone ast, interface net0 does not have a dynamic host list * When a mark range was used in the marks (tcrules) file, a run-time error occurred while attempting to load the generated ruleset.- Do not buildrequire openSUSE-release: it's a daily changing package and causes thus frequent rebuilds for no reason. configure and install both try to guess the target from /etc/os-release. So we simply inject BUILD=suse for the openSUSE case.- Update to version 4.6.5.2 For more details see changelog.txt and releasenotes.txt * LOG_BACKEND=LOG failed at run-time for all but the most recent kernels. - Changes in 4.6.5.1 * The generated script can now detect an gateway address assigned by later versions of that program (Alan Barrett). * In 4.6.5, the bash-based configure script would issue the following diagnostic if SERVICEDIR was not specified in the shorewallrc file: ./configure: line 199: [SERVICEDIR]=: command not found This was compounded by the fact that all of the released shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR (Evangelos Foutras) * The shorewallrc.archlinux file now reflects a change in SBINDIR that occurred in Arch Linux in mid 2013 (Evangelos Foutras).- Update to versioin 4.6.4.3 For more details see changelog.txt and releasenotes.txt * The fix for LOG_BACKEND in 4.6.4.2 worked on some older distributions but not on newer ones. This release fixes the problem in the remaining cases.- Update to version 4.6.3.4 For more details see changelog.txt and releasenotes.txt * The 'Universal' configurations previously failed to start with the diagnostic ERROR: No network interface available: Firewall state not changed * A defect introduced in 4.6.3 prevented Shorewall-init from starting when required interfaces were present. * Some defect repair from 4.6.2.5 was inadvertently omitted from 4.6.3. In particular, the fix for Shorewall-init on systems running systemd was omitted. Those fixes have now been merged into this release.- Update to version 4.6.3.3 For more details see changelog.txt and releasenotes.txt * Including a PREROUTING SECTION in the accounting file unconditionally resulted in a fatal error: ERROR: The PREROUTING SECTION is not allowed when ACCOUNTING_TABLE=filter * Previously, the compiler could generate many superfluous rules to enforce the 'tcpflags', 'nosmurfs' and 'maclist' interface options.- Update to version 4.6.3.2 For more details see changelog.txt and releasenotes.txt * The shorewall[6]-actions manpages previously contained incorrect examples of the usage of table names with builtin actions. Incorrect: FOOBAR,filter,mangle Correct: FOOBAR builtin,filters,mangle * Previously, if /etc/iproute2/rt_tables was not writeable, then KEEP_RT_TABLES=No behaved like KEEP_RT_TABLES=Yes. Now, a warning message is issued if that file is not writeable and KEEP_RT_TABLES is set to No. WARNING: /etc/iproute2/rt_tables is missing or is not writeable * In earlier 4.6.3 versions, the help text from shorewall-lite and shorewall6-lite included two versions of the 'run' command. run [ ... ] .. run [ ... ] The second one has now been deleted. * New Features: Eric Teeter has contributed a Citrix Goto Meeting macro.- Update to version 4.6.3.1 For more details see changelog.txt and releasenotes.tx * The DNSAmp action released in 4.6.3 matched more packets than it should have. That has now been corrected. * The handling of REJECT in IP[6]TABLES rules has been clarified inthe shorewall-rules(5) and shorewall6-rules(5) manpages. * The following misleading error message has now been corrected: ERROR: The xxx TARGET is now allowed in the filter table The message now reads: ERROR: The xxx TARGET is not allowed in the filter table - Spec fixes * Fixed shorewall-init requires so it needs shoreline-firewall which is an alias for shorewall shorewall6 shorewall-lite and shorewall6-lite packages * shorewall-init package was missing a rc link- Update to version 4.6.2.5 For more details see changelog.txt and releasenotes.txt * Previously, when an interface specified the 'physical=' option and the physical interface name was specified in the INTERFACES column of the providers file, compilation would fail with diagnostics similar to the following: Use of uninitialized value $physicalal in pattern match (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ Shorewall/Providers.pm line 463, <$currentfile> line ERROR:ERROR A provider interface must have at least one associated zone /zoneopt/etc/shorewall/providers (line 2) * Shorewall-init now works correctly on systems with systemd. By Louis Lagendijk. - Remove backported patches * PHYSICALNAME.patch * 0001-Modify-the-preceding-fix-to-work-with-wildcard-inter.patch- Backport 0001-Modify-the-preceding-fix-to-work-with-wildcard-inter.patch as the previous patch broke some configurations- Backported PHYSICALNAME.patch- Update to version 4.6.2.4 For more details see changelog.txt and releasenotes.txt + Previously, inline matches were not allowed in action files, even though the documentation stated that they were allowed.- Update to version 4.6.2.3 For more details see changelog.txt and releasenotes.txt * Previously, the compiler would fail with a Perl diagnostic if: + Optimize Level 8 was enabled. + Perl 5.20 was being used. This is the current Perl version on Arch Linux. The diagnostic was: Can't use string ("nat") as a HASH ref while "strict refs" in use at /usr/share/shorewall/Shorewall/Chains.pm line 3486.- Update to version 4.6.2.2 For more details see changelog.txt and releasenotes.txt * The compiler now correctly detects the IPv6 "Header Match" capability when LOAD_MODULES_ONLY=No. * The compiler now correctly detects the IPv6 "Ipset Match" capability on systems running a 3.14 or later kernel. * The compiler now correctly detects "Arptables JF" capability when LOAD_MODULES_ONLY=No. * The tcfilter manpages previously failed to mention that BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files.- Update to version 4.6.2.1 For more details see changelog.txt and releasenotes.txt * Two issues with tcrules processing have been corrected: + SAVE and RESTORE generated fatal compilation errors. + '|' and '&' were ignored. That issue is also present in the processing of the mangle file * Version 4.6.2 changes + The DSCP match in the mangle and tcrules files didn't work with service class names such as EF, BE, CS1, ... + The SAVE and RESTORE actions were disallowed in the OUTPUT chain in tcrules and mangle; this was a regression from 4.5.21. + Additional ports required by Asus, Supermicro and Dell have beenadded to the IPMI macro (Tuomo Soini). + Some issues regarding install under Cygwin64 have been addressed. - configure.pl did not understand CYGWIN returned from `uname` - Shorewall-core install.sh did not understand CYGWIN returned from `uname`. - The Shorewall and Shorewall6 installers tried to run the command 'mkdir -p //etc/shorewall[6]' which is broken in the current Cygwin64.- Update to version 4.6.1.4 For more details see changelog.txt and releasenotes.txt * The DSCP match in the mangle and tcrles files didn't work with service class names such as EF, BE, CS1, ... (Thibaut Chèze) * The SAVE and RESTORE actions were disallowed in the OUTPUT chain in tcrules and mangle; this was a regression from 4.5.21.- Update to version 4.6.1.3 For more details see changelog.txt and releasenotes.txt * Use of the 'IfEvent' action resulted in a compilation failure: ERROR: -j is only allowed when the ACTION is INLINE with no parameter /usr/share/shorewall/action.IfEvent (line 139) from /etc/shorewall/action.SSHKnock (line 8) from /etc/shorewall/rules (line 31)- Update to version 4.6.1.1 For more details see changelog.txt and releasenotes.txt * An improved error message is generatred when a server address list is specified in the DEST colume of a DNAT or REDIRECT rule. At one time, iptables supported such lists, but now only a single address or an address range is supported. The previous error message was: ERROR: Unkknown Host (192.168.1.4,192.168.1.22) The new error message is: ERROR: An address list (192.168.1.4,192.1688.1.22) is not allowed in the DEST column of a xxx RULE whenere xxx is DNAT or REDIRECT as appropriate. * Two problems have been corrected in the Shorewall-init Debian init script. + A cosmetic problem which releasenotessulted in 'echo_notdone' being displayed on failure rather than 'nott done'. + More seriously, the test for the existance of compiled firewall scripts was incorrect, with the result that the firewallingall scripts were not executed. These defects, introduced in Shorewall 4.5.17, have now been corrected. - Restating that CHECKSUM.patch is removed since braindead factory-auto scripts do not understand previous comment- Update to version 4.6.1 For more details see changelog.txt and releasenotes.txt * The release notes in the packages mention a fix for 'rpfilter'. That defect was actually corrected in 4.5.6.9 with a slightly different description in the release notes. * Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve and IPMI (RMCP).- Update to version 4.6.0.3 For more details see changelog.txt and releasenotes.txt * 1:1 NAT is now enabled in IPv6. * subtle interaction between NAT and sub-zones is explained in shorewall-nat. * The 'show filters' command now works with Simple TC.- Update to version 4.6.0.2 For more details see changelog.txt and releasenotes.txt * The 'upgrade -A' command now converts the tcrules file to a mangle file. Previously, that didn't happen. * The install components now support RHEL7. * Whitespace issues in the skeleton configuration files have been corrected (Tuomo Soini). * FAQ 2e has been added which describes additional steps required to achieve hairpin NAT on a bridge where the modified packets are to go out the same bridge port as they entered. * shorewall-masq(5) has been corrected to include the word SOURCE on the description of that column. Previously, the description read '(formerly called SUBNET)'. * The output of 'shorewall show filters' once again shows ingress (policing) filters. This works around undocumented changes to the behavior of the 'tc' utility. - removed backported CHECKSUM.patch- Update to version 4.6.0. For more details see changelog.txt and releasenotes.txt. Since this is a major release for those who are migrating from previous version, it is important to read the above mentioned notes. * This release includes all defect repair from releases up through 4.5.21.9. - Backported CHECKSUM.patch- Update to version 4.5.21.9 For more details see changelog.txt and releasenotes.txt * The output of 'shorewall show capabilities' always showed the 'Recent match --reap option' as 'Not Available'. 'shorewall show -fcapabilities' correctly reported the capability. * When a rules file section other than NEW began with a ?COMMENT directive, the comment would erroneously appear in the rule which jumps to the section chain as well as in the rules directly related to the following entries. * Rule comments were omitted from the compiler's 'trace' output in some cases. * When FASTACCEPT=Yes, ESTABLISHED,RELATED accept rules were incorrectly omitted from an interfaces's _in and _fwd chains when 'rpfilter' was specified in the interfaces's entry in /etc/shorewall[6]/interfaces.- Update to version 4.5.21.8 For more details see changelog.txt and releasenotes.txt * If an rtrules entry duplicated a Shorewall-generated route rule but had a lower priority than the generated one has (20000), then a disable/enable sequence on the provider would result in duplicate rules with priority 20000. * When 'shorewall[6] debug [re]start' was run, any error messages generated because of ip[6]tables command errors would not include '-t table'. - Remove 0001-fix-release-version.patch- Update to version 4.5.21.7 For more details see changelog.txt and releasenotes.txt * The help text for the 'dump' command has been updated to include all valid options. * The behavior of ADMINISABSENTMINDED=No is corrected. Previously, 'shorewall stop' would not block existing connections regardless of the setting of this option. Beginning with this release, the behavior of ADMINISABSENTMINDED=No depends on whether the routestopped or the stoppedrules file defines the allow connections while the firewall is stopped. If there are entries in /etc/shorewall[6]/routestopped or if there are no entries in /etc/shorewall[6]/stoppedrules, then the behavior of ADMINISABSENTMINDED=No is as documented (existing connections are blocked unles they are allowed by /etc/shorewall[6]/routestopped). If there are no entries in /etc/shorewall[6]/stoppedrules, then the behavior is as if ADMINISABSENTMINDED=Yes and a warning message is generated. - Add 0001-fix-release-version.patch to correct version info of the releasenotes.txt- Update to version 4.5.21.6 For more details see changelog.txt and releasenotes.txt * When a non-terminating target specified logging, the compiler would erroneously generate a 'goto' (-g) iptables command rather than a 'jump' (-j) command. This caused the wrong set of rules to be traversed, usually the catchall 'REJECT' or 'DROP' rule at theend of the INPUT or FORWARD chain. The compiler now generates a 'jump' rule in these cases. * When an interface containing a period (such as a VLAN interfaceterface) was used in an 'add' or 'delete' command, the wrong ipset name was generated, resulting in failure of the command.- Update to version 4.5.21.5 For more details see changelog.txt and releasenotes.txt * A number of minor updates have been made to the documentation and manpages. * The 'postcompile' extension script is now documented at http://www.shorewall.org/shorewall_extension_scripts.htm * The 'add' command previously failed if 'IPSET=' appeared in the shorewall.conf file. This has been corrected.- Update to version 4.5.21.4 For more details see changelog.txt and releasenotes.txt * The Broadcast actions have been corrected: - --dst-type BROADCAST has been removed from the IPv6 version - A superfluous DROP rule in the IPv4 version has been suppressed. * Previously, if an HFSC class was specified with dmax but not umax, then the firewall would fail to start with the messages: Nov 14 13:42:42 Setting up Traffic Control... HFSC: Illegal "umax" HFSC: Illegal "sc" ERROR: Command "tc class add dev eth1 parent 1:1 classid 1:110 hfsc sc umax b dmax 150ms rate 1575kbit ul rate 3150kbit" Failed That problem has been corrected. * The tcrules file now supports DROP entries to allow early dropping of DOS packets.- Update to version 4.5.21.2 For more details see changelog.txt and releasenotes.txt * Previously, the AutoBL action would fail if the kernel and iptables did not support the Recent Match '--reap' option. A new REAP_OPTION capability has been added to work around this issue. * The Shorewall-core installer no longer reports an error from 'cp' stating that it could not stat the shorewallrc file. * When a non-root user attempts to execute 'version -a', the CLI no longer attempts to get the version of the compiled firewall. Previously, the command issued the following diagnostic when run by non-root: /sbin/shorewall: /var/lib/shorewallhorewall/firewall: Permission denied * Shorewall no longer uses 'fgrep' thus allowing for use on systems without that utility. All uses of 'fgrep' have been replaced by 'grep -F'. * Placing | in the ACTION column of the tcrules file no longer raises a fatal compilation error.- Update to version 4.5.21.1 For more details see changelog.txt and releasenotes.txt * Problems with the Shorewall Init installer (install.sh) were corrected. These problems affected initial Gentoo and Debian installs. * A problem that prevented multiple ICMP/ICMP6 types to be specified in a rule has been corrected. * Previously, an attempt to specify RAS or Q.931 in the HELPER column was rejected with an error. * The 'nohostroute' provider option was not honored in the default table when USE_DEFAULT_RT=Yes.- Update to version 4.5.21 For more details see changelog.txt and releasenotes.txt * ip[6]tables 1.4.20 introduced an incompatible change that causes the program to fail if there is another instance of either iptables or ip6tables already running. This behavior can be avoided if the new -w option is specified. To work around this problem, the compiler now uses the -w option (when available) during capabilities determination so that shorewall and shorewall6 compilations can proceed in parallel. * Previously, the Shorewall-init installer unconditionally installed the sysconfig file even when a different SYSCONFFILE was specified. (Thomas D). * /sbin/shorewall-init now includes the correct SYSCONFDIR name in its error message that reports the absense of ${SYSCONFDIR}/shorewall-init. (Thomas D). * /sbin/shorewall-init and the Shorewall-init SysV init scripts now honor the setting of $OPTIONS. * The -lite installers now look in ${SHAREDIR} for the coreversion file rather than in /usr/share/. * If a Shorewall-lite installation used an /etc/shorewall-lite/vardir file to set a non-standard state directory, the administrative system would send the firewall and firewall.conf files to the wrong directory on the firewall system. * Previously, the compiler verified 'monthdays' specifications in the rules TIME column, but failed to include --monthdays in the generated rule. That omission has been corrected. * The Multicast DNS macros (mDNS and mDNSbi) now allow the entire non-priv port range (1024-65535) for the the dynamic unicast port. Previously, only the Linux 2.6+ dynamic port range (32768-65535) were allowed. - Spec file changes * Add 0001-fillup-install.patch * Remove shorewall-init-4.5.15-install.patch- Update to version 4.5.20 For more details see changelog.txt and releasenotes.txt * A typographical error in the usage text produced by the -h command in the compiled firewall script has been corrected. * The handling of INITSOURCE is now uniform between the standard and the -lite installers. * Previously, when SYSCONFFILE was specified in shorewallrc, the installers would always install default.debian rather than the named file. That has been corrected. - Spec file changes * removed the following pathces: 0001-Os-release.patch 0001-Fix-Exec-directory.patch- Spec file changes * Add 0001-Os-release.patch Fixes bnc#833999 * dropped 0001-Use-etc-os-release-as-of-release-13.1.patch- Spec file changes * Added 0001-Use-etc-os-release-as-of-release-13.1.patch Fixes bnc#833999 for /etc/os-release- Update to version 4.5.19 For more details see changelog.txt and releasenotes.txt * Previously, the '-q' option did not suppress all output from certain commands such as 'check'.- Spec file changes * Added 0001-Fix-Exec-directory.patch which fixes ExecStart ExecStop path of systemd shorewall-init.service (bnc#827524) * removed systemd.patch- Update to version 4.5.18 For more details see changelog.txt and releasenotes.txt * This release includes all defect repair from Shorewall 4.5.17.1. * The following warning message could be emitted inappropriately when running shorewall 4.5.17. The rule(s) generated by this entry are unreachable and have been discarded These warnings, which were disabled in Shorewall 4.5.17.1, are now only emitted where appropriate. The message has also been reworded to: One or more unreachable rules in chain have been discarded The message is issued a maximum of once per Netfilter chain. * A problem that could cause the 'trace' compiler option to produce false error messages or to produce an altered generated firewall script has been corrected. * If the 'Owner Name Match' capability was not available, the following error message would previously appear during compilation: iptables: No chain/target/match by that name. - spec file changes * rebased systemd.patch- Update to version 4.5.17.1 For more details see changelog.txt and releasenotes.txt. * The following warning message may be emitted inappropriately when running shorewall 4.5.17. The message is no longer issued. The rule(s) generated by this entry are unreachable and have been discarded * Rules intended to increment nfacct objects would previously be optimized away when they immediately preceded an unconditional jump to the same target. Such rules are now retained. * A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip' matches to be dropped. That has been corrected. - spec file changes * rebased systemd.patch- Update to version 4.5.15 For more details see changelog.txt and releasenotes.txt * Previously, the Shorewall and Shorewall6 install.sh scripts did two things wrong with respect to the /etc/shorewall[6]/routes file: + The existing file was unconditionally removed. + A skeleton file was not installed when SPARSE was not set in the shorewallrc file. Additionally, the installer would remove /etc/shorewall[6]/tcstart * The Shorewall-init install.sh script previously refused to replace /sbin/ifup-local and /sbin/ifdown-local when those files has been installed by an earlier version of Shorewall-init. * Previously, Shorewall-init's integration with NetworkManager was incomplete on SuSE with the result that NetworkManager interface change events were not processed. That has been corrected. * Beginning with Shorewall 4.5.8, Shorewall6 has interpreted /32 networks as hosts (/128). /32 IPv6 networks are once again handled correctly. * Using names such as such as EF, BE, CS1, ... for DSCP didn't work previously. Thibaut Chèze has provided a fix. * An incorrect range test prevented DSCP classes CS6 and CS7 from being accepted. The test has been corrected and those classes are now allowed. - spec file changes * rebased systemd.patch * added shorewall-init-4.5.15-install.patch and removed shorewall-init-4.5.2-install.patch- Update to version 4.5.14 For more details see changelog.txt and releasenotes.txt * Previously, a list of IPv6 host addresses where each address was enclosed in square brackets generated a fatal compile-time error. Such lists are now handled correctly. * The Shorewall 'load', 'reload' and 'export' commands have now been modified to use a shorewallrc file in a remote system's export directory. If the directory layout of the remote system differs from that of the administrative system, then the remote system's export directory should contains a copy of that system's shorewallrc file. * A syntax error in the Shorewall uninstall.sh file has been eliminated. * The contents of the various configpath files have been corrected. * The Shorewall uninstall.sh script previously failed to remove the macro files from ${SHAREDIR}/shorewall. Those files are now removed. * The 'version -a' command now prints the correct shorewall-core version when it is run from shorewall6, shorewall-lite and shorewall6-lite. * It is now possible to specify a port or port range along with an address variable in the ADDRESSES column of/etc/shorewall/masq. Example: [#]INTERFACE SOURCE ADDRESS PROTO DEST [#] PORT(S) eth0 172.20.4.0/24 ð0:44 tcp 45 Previously, this usage generated a fatal compilation error. * Port numbers and service names may now be specified with the UDPLITE protocol. * The SUBSYSLOCK setting in the default shorewall6.conf file has been changed from /var/lock/subsys/shorewall to /var/lock/subsys/shorewall6. - rebased systemd.patch- Update to version 4.5.13 For more details see changelog.txt and releasenotes.txt * If a chain consisted of a single RETURN rule, optimize level 4 would handle it incorrectly by moving the RETURN rule to the chain(s) that jumped to the single-rule chain. The optimizer now simply eliminates the chain and rule. As part of this change, the optimizer now deletes trailing RETURN rules from chains. * If a default inline action was specified with parameters, the compiler would fail with an internal error. * The compiler was mis-handling simple arithmetic expressions consisting of a single number, evaluating the number as '' rather than as its numberic value. - Rebased systemd.patch- Update to version 4.5.12 For more details see changelog.txt and releasenotes.txt * This release contains the defect repairs from Shorewall 4.5.11.1 and 4.5.11.2. * Two defects associated with 'update -D' have been corrected. + shorewall.conf.bak is no longer deleted. + files that are not changed no longer have their mtime updated. * Inline actions in the RELATED and ESTABLISHED sections now work correctly. * The 'dropInvalid' built-in function now works correctly. * The compiler now generates an error when a protocol list is used in a context where only a single protocol name/number is accepted. * The generated script now correctly deletes Traffic Control configurations when CLEAR_TC=Yes. Previously, the configurations on interfaces with a '@xxxxxx' suffix in their names were not cleared. * Under very rare circumstances, optimize level 4 could leave a rule that jumped to a non-existant chain, causing iptables-restore to fail. * If an error was raised while compiling a default action, a Perl diagnostic could appear and the Shorewall error message would not be printed. * It is once again possible to use DNS names in rules without an interface name.- Added systemd.patch to fix the exec path (bnc# 798525)- Update to 4.5.11.2 For more details see changelog.txt and releasenotes.txt * Corrected fix 2 from 4.5.11.1. * 4.5.11.1 Beginning with Shorewall 4.5.10, if the name of an optional interface contained one or more characters that are not valid in a shell function name, then the generated script would fail with a "syntax error: bad function name" shell diagnostic. That problem has been corrected so that a valid function name is generated. * The kernel modules supplied by xtables-addons are now listed in the modules.xtables files. They were previously omitted.- Update to 4.5.10.1 For more details see changelog.txt and releasenotes.txt * Correct typo in conntrack module- Update to 4.5.10 For more details see changelog.txt and releasenotes.txt * This release includes all defect repair included in 4.5.9.1-4.5.9.3. * Under rare circumstances, optimize level 16 could produce invalid iptables-restore input which would cause start/restart to fail. * Before this release, the 'started' script was run prior to copying the temporary script file (e.g., /var/lib/shorewall/.start) to /var/dir/shorewall/firewall. If the script failed, the copy would not take place even though the firewall had started successfully. The script is now copied before running the 'started' script. If you compare the script generated by this release with one generated by a prior release, We suggest that you ignore whitespace changes (e.g., use the '-w' option in diff); that way, you can see the actual change more clearly. * AUTOCOMMENT=No now works correctly; previously, it behaved the same as AUTOCOMMENT=Yes. * A harmless extraneous comma has been deleted from the rule generated by action.RST.- Update to 4.5.9.2 For more details see changelog.txt and releasenotes.txt * Previously, the rules in the 'routemark' chain did not specify a mask in the MARK target. While a mask isn't strictly necessary in those rules, one has been added to ally fears of those who read the generated ruleset. Note: The 'routemark' chain is used to apply provider marks to packets received from 'track' provider interfaces. It is traversed early in the mangle PREROUTING chain when no other marks have yet been applied to the packet. * If exclusion was used with TPROXY in the tcrules file, an invalid iptables ruleset was generated causing start and restart commands to fail when running iptables-restore. * Previously, if a provider and its interface had the same name, then the 'enable' command would not work on that interface.- Update to 4.5.9.1 For more details see changelog.txt and releasenotes.txt * Previously, using a wildcard interface name in a rule would result in this error: ERROR: Invalid ipset name (ppp+) : ... Such entries are now handled correctly. * The shorewall-masq(5) manpage incorrectly stated that the SOURCE column may use exclusion with an interface name (e.g., eth1:!1.2.3.4). That hasn't been the case for some time. To accomplish the same thing, do this: eth0 1.2.3.4 NONAT eth0 eth1 Note: Using an interface name in the SOURCE column is deprecated. * Previously, if a MARK was specified for a tc class that explicitly specified a class number, the following spurious warning message was issued: WARNING: Class NUMBER ignored -- INTERFACE does not have the 'classify' option That warning message is no longer issued. * With Shorewall 4.5.9, there were issues when the ipset utility was not installed, some of which prevented Shorewall from starting. - Adjust for the usr move * change /sbin/service to /usr/service in requires and setting links- Update to 4.5.9 For more details see changelog.txt and releasenotes.txt * This release contains all defect repair from Shorewall 4.5.8.2. * A typo has been corrected in the shorewallrc.default file. * Beginning with Shorewall 4.5.7.2, Shorewall unconditionally restores the provider mark as the first rule in the mangle table OUTPUT and PREROUTING chains. Previously, the provider mark was restored only if it was non-zero. It has become clear that some users need it one way while others need it the other way. To resolve this issue, a RESTORE_ROUTEMARKS option has been added to shorewall.conf and shorewall6.conf. When this option is set to Yes (the default), the 4.5.7.2 approach is used (always restore the mark, even if it is zero); when it is set to No, the pre-4.5.7.2 behavior is retained (only restore the mark if it is non-zero). * Two error messages produced by the RST action have been corrected. They previously referred to errors in the NotSyn action rather than RST.- Update to 4.5.8.2 For more details see changelog.txt and releasenotes.txt * The 'shorewall show' command previously produced no output. That command now works with ipset versions 4 and later. * The change in 4.5.8.1 that enabled industry-standard IPv4 address representation broke the ability to place IP ranges or IPv6 ipsets in the hosts file. Those abilities have been restored. * The treatment of the SYSTEMD and INITFILE shorewallrc variables has been inconsistent. The -lite installers ignore INITFILE when SYSTEMD is specified, while the other installers do not. Now, the -lite installers install the .service file if SYSTEMD is specified and they install the sysv-init script if INITFILE is specified. That is consistent with the behavior of the other installers.- Update to 4.5.8.1 For more details see changelog.txt and releasenotes.txt * When ipset version 5 or later was installed, the 'shorewall show dynamic ' command produced no outout and the 'add' command failed with this error message: Zone , interface does not have a dynamic host list" * When generating ipset names for dynamic zones, the compiler was dropping dashes ('-') from the interface name and adding a unique suffix. For example the ipset for zone 'foo' and interface 'bar-if' might be 'foo_barif_1'. Dashes are now retained so that the generated set name in this example will be 'foo_bar-if'. This change also allows the 'add' and 'delete' commands to work correctly when the interface name contains one or more dashes. Although dash is documented as being an accepted character in ipset names, names containing a dash would generate an error in some contexts. That has also been corrected. * In most contexts, Shorewall6 has required IPv6 addresses to be enclosed in either angled brackets ( <....> , deprecated) or in square brackets ([....]). This includes network addresses, where both the IPv6 address and the VLSM are required to be within the brackets (e.g., [2001;470:b:787::/64]). This differs from the industry-standard network form in which the IPv6 address is enclosed in square brackets and the VLSM is outside of the brackets (e.g., [2001:470:b:787::]/64). Beginning with this release, the industry-standard representation is also accepted by Shorewall6. Note: Those of you who read the patches will probably have noticed that much of this change was actually in 4.5.8; because the change was commited late in the 4.5.8 release cycle, we chose not to document the change until it had undergone additional testing. - Added 0001-remote_fs.patch for shorewall-init sysv-init scripts rebased patches to -p1 level- Update to 4.5.8 For more details see changelog.txt and releasenotes.txt * This release includes the defect repair from Shorewall 4.5.7.1. * The restriction that TTL and HL rules could only be placed in the FORWARD chain prevented these rules from being used to hide a router from traceroute[6]. It is now allowed to place these rules in the PREROUTING chain by following the specification with ':P' (e.g., 'TTL(+1):P'). * Previously, the macro.SNMP macro opened both UDP ports 161 and 162 from SOURCE to DEST. This is against the usual practice of opening these ports in the opposite direction. Beginning with this release, port 162 is opened in to SOURCE to DEST as before, while port 161 is opened from DEST to SOURCE. * Previously, when compiling for export, both /etc/shorewall/shorewall[6].conf and the shorewall[6].conf in the configuration directory were processed. Now, only the copy in the configuration directory is processed. * The 'iptables_raw' module has been added to the modules.essential file. * Several corrections have been made to the Fedora/Redhat init script for Shorewall-init. * The parameter to the 'try' command is now documented in the shorewall(8) and shorewall6(8) manpages. * Some redundant interface-option rules have been removed in configurations with multiple zones configured on a single interface. * Previously, when compiling for export, the compilation would fail if the setting of SHAREDIR in the firewall's shorewallrc was different from the setting on the admin system. Such compilations now succeed. - For openSUSE 12.3 provide only systemd and drop sysv-init scripts- Since shorewall executables are in /usr/sbin systemd service files now reflect the correct location- Update to 4.5.7.1 For more details see changelog.txt and releasenotes.txt * When using IPSEC in a multi-ISP configuration, it is possible for the kernel to mis-route ESP packets. To date, this problem has only been observed on a system running a 3.5 kernel where traffic is being tunneled through GRE which is in turn being tunneled via IPSEC. This Shorewall release includes a low-cost workaround. * The Netfilter team have announced their intention to remove the NOTRACK target in favor of 'CT --notrack'. Shorewall will now map NOTRACK to 'CT --notrack' if the CT Target is available. * Previously, the current COMMENT was not being cleared after the blrules file was processed, causing that COMMENT to be used on entries in the rules file. That defect has been corrected. - Add a note to the spec for reviewer explaining the configure command usage - Removed following opensuse specific patches as they are merged to upstream now + shorewall-lite-4.5.2-init.patch + shorewall6-4.5.2-init.patch + shorewall6-lite-4.5.2-init.patch + shorewall-init-4.4.21_init_sh.patch - Added 001-required-stop-fix patch for shorewall-lite/init.suse.sh- Update to 4.5.7 For more details see changelog.txt and releasenotes.txt * This release includes the defect repair from Shorewall 4.5.6.2. * The command 'shorewall enable pppX' could fail with the ip diagnostic Error: either "to" is duplicate, or "weight" is a garbage. Shorewall now generates the correct ip command. * Optimize level 4 could previously combine two rules that each specified the 'policy' match, leading to this iptables-restore failure: policy match: multiple elements but no --strict The optimizer now avoids combining such rules. While this is a long-standing defect in the optimizer, it was exposed by changes in Shorewall 4.5.6. * There were several cases where hard-wired directory names appeared in the tarball installers. These have been replaced with the appropriate shorewallrc variables. * A defect in RHEL 6.3 and derivatives causes 'shorewall show capabilities' to leave an empty ipset in the configuration. The same defect can cause the Shorewall compiler to similarly leave an empty ipset behind. This Shorewall release has a workaround for this problem. - Added Bash >= 4 to BuildRequires - Fix builds for Fedora- Update to 4.5.6.2 For more details see changelog.txt and releasenotes.txt * The compiler now generates an error when a SOURCE interface is specified in a rule where the SOURCE zone is the firewall itself. * Previously, entries in /etc/shorewall/notrack that specified a Vserver zone in the SOURCE column were omitted from the generated ruleset. * The set of helpers available in the notrack file and in the HELPER column of the tcrules file was incorrect: - The Amanda helper requires a UDP port -- Shorewall was requiring TCP. - The H323 module supplies two helpers: 'RAW' and 'Q.931'; Shorewall only accepted 'h323'. - The Netbios NS module supplies the 'netbios-ns' helper; Shorewall only accepted 'netbios_ns'. * The conditional directive '?IF 0' generated an error from the compiler. It now causes following lines to be omitted.- Update to 4.5.6 For more details see changelog.txt and releasenotes.txt * This release includes the defect repairs from Shorewall 4.5.5.1 through 4.5.5.4. * Previously, the tcrules file was not processed when TC_ENABLED=No. That meant that to use features like TPROXY, it was necessary to set TC_ENABLED=Yes and create a dummy /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is required.- Update to 4.5.5.3 For more details see changelog.txt and releasenotes.txt * When logical interface names were used, an entry in tcrules that included a classid could result in the compiler failing with this Perl diagnostic: Can't use an undefined value as an ARRAY reference at /usr/share/shorewall/Shorewall/Tc.pm line nnn, <$currentfile> line 20.- Update to 4.5.5.1 For more details see changelog.txt and releasenotes.txt * The change in Shorewall 4.5.4 that cleared the 'default' table if there were no 'fallback' providers broke multiple 'fallback' providers that don't supply a weight. The symptoms were that there were host routes to the default gateways in the 'default' routing table but no default routes through those gateways. This has now been corrected and multiple 'fallback' routes are once again supported. * When a logical device name was specified in the REDIRECTED INTERFACES column of /etc/shorewall/tcdevices, that name was used in the generated script rather than the devices's physical name. Unless the two were the same, this caused start/restart failure. Shorewall now uses the physical name.- Update to 4.5.5 For more details see changelog.txt and releasnotes.txt * This release includes all defect repair from Shorewall 4.5.4.1 and 4.5.4.2. * The Shorewall compiler sometimes must defer generating a rule until runtime. This is done by placing shell commands in its internal representation of a chain. These commands are then executed at run time to create the final rule. If all of the following were true, then an incorrect ruleset could be generated: + Optimization level 4 was set. + A chain (chain A) containing shell commands had three or fewer rules and commands. + The last rule in a second chain was a conditional jump to chain A. Under these conditions, the rules and commands in Chain A * The Shorewall-core configure and configure.pl script were treating SYSCONFDIR as a synonym for CONFDIR making it impossible to set SYSCONFDIR.- Update to 4.5.4.2 For more details see changelog.txt and releasenotes.txt * The problems corrected section of the 4.5.4.1 release notes was missing the third problem corrected in the release. It has now been added. * A number of problems in Shorewall-init have been corrected: + If more than one product was listed in the PRODUCTS setting in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init) then the second product would not be started/stopped. + Shorewall-init used 'restart' in response to an optional provider interface coming up. If the interface has been marked unusable (1 in the interface's .status file), then the 'restart' would not enable the interface. + Shorewal-init produced a lot of clutter on the console during boot. You may now specify a LOGFILE in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init) and all output produced by up and down events will be sent to that log. If no log is specified, this output is sent to /dev/null. * The order in which the compiler processes line-continuation (line ending in '\') and conditional-inclusion directives (?IF, ?ELSE, and ?ENDIF) has been reversed. Previously, the compiler built a concatenated line, then checked to see if the line began with ?IF, ?ELSE or ?ENDIF. Now, the compiler checks for ?IF, ?ELSE or ?ENDIF first and prevents those lines from becoming part of the concatenation. * Two issues with the shorecap programs have been corrected: + The Shorewall6-lite version failed to run with the message: /usr/share/shorewall6-lite/lib.cli: No such file or directory + The Shorewall-lite version would not run if SHAREDIR was set to a value other than /usr/share in shorewallrc. * The Shorewall 4.5.2.3 fix for the Shorewall-core installer's handling of --host=linux was not brought forward into 4.5.3. It has been included again in this version. * Single-line embedded PERL and SHELL commands have been re-enabled.- Update to 4.5.4.1 For more details see changelog.txt and releasenotes.txt * Beginning with Shorewall 4.4.22, the 'pptpserver' tunnel type has been configured as a PPTP client running on the firewall rather than as a server on the firewall. It is now correctly configured as a server. * The shorewall-accounting (5) and shorewall6-accounting (5) documentation for the IPSEC column is incorrect. Rather than 'accountin' and 'accountout', the chain names should be 'accipsecin' and 'accipsecout'. * IPSEC accounting did not work if the accounting file was sectioned. Beginning with this release, the IPSEC column can be specified in any section. As always, the IPSEC column contains a comma-separated list of items. In the FORWARD chain, the first (or only) item in the list must be either 'in' or 'out' to indicate whether the rule matches incoming packets that have been decrypted ('in') or outgoing packets that will be encrypted ('out'). There are no restrictions with respect to which chain IPSEC rules can appear in a sectioned file.- Update to 4.5.4 For more details see changelog.txt and releasenotes.txt * When EXPORTMODULES=No in shorewall.conf, the error messages have been eliminated * If the configuration settings in the PACKET MARK LAYOUT section of shorewall.conf (shorewall6.conf) had empty settings, the 'update' command would previously set them to their default settings. It now leaves them empty. * Previously, Shorewall used 'unreachable' routes to null-route the RFC1918 subnets. This approach has two drawbacks: - It can cause problems for IPSEC in that it can cause packets to be rejected rather than encrypted and forwarded. - It can return 'host unreachable' ICMPs to other systems that attempt to route RFC1918 addresses through the firewall. To eliminate these problems, Shorewall now uses 'blackhole' routes. Such routes don't interfere with IPSEC and silently drop packets rather than return an ICMP. * The 'default' routing table is now cleared if there are no 'fallback' providers. * Tproxy implementation has been reworked. For more details please consult the releasenotes.txt and changelog.txt- Update to 4.5.3.1 For more details see changelog.txt and releasenotes.txt * Previously, nested conditionals did not work correctly in all cases. In particular: ?IF $FALSE ?IF $FALSE foo bar ?ENDIF baz bop ?ENDIF In this case, the lines 'baz' and 'bodyp' were incorrectly included when they should have beeen omitted. * The 'balance' routing table is now cleared if there are no 'balance' providers. * Previously, the compiler generated an invalid 'ip add route' command if an IPv6 provider had '-' in the GATEWAY column. * As noted in the Migration Considerations, the generated firewall script maintains the interface .status files used by LSM and SWPING. Up to now, however, the 'disable' command did not update the .status file. That has been corrected. As part of the change, the 'isusable' script is no longer consulted by the'enable' command.- Update to 4.5.3 For more details see changelog.txt and releasenotes.txt * The LOCKFILE setting in shorewall.conf and shorewall6.conf had inadvertently become undocumented. It is now documented again. * In an initial installation of Shorewall, Shorewall6, Shorewall Lite or Shorewall6 Lite was done under Shorewall 4.5.2, then the firewall would not start up at boot even though the installer indicated that it would. That defect has been corrected. * Previously, when per-IP rate limiting was invoked, the compiler would use the deprecated '--ratelimit' option, even if the preferred '--ratelimit-upto' option was available. Now, the compiler uses the preferred option if it is supported by the installed version of iptables. * Prior to this release, using a manual chain in the ACTION column of a macro body generated an error: ERROR: Invalid Action (mychain) in macro, macro.FOO (line ...) This now works correctly and generates a jump to the specified manual chain. * Previously, a line with the single word COMMENT in the tunnels file would generate the following error: ERROR: Zone must be specified Now, such a line correctly resets the current rule comment. * In Shorewall 4.5.2, the MARK column in the tcrules file was renamed to ACTION but only 'mark' was accepted in the alternate specification format. Now both 'mark' and 'action' are accepted. * The alternative method of provider balancing using the statistic match feature of iptables/Netfilter was missing some logic, with the result that it was ineffective. * If a logical interface name was used by itself in the SOURCE column of the rtrules file, the generated routing rule would contain the logical name rather than the physical name.- Update to 4.5.2.4 For more details see changelog.txt and releasenotes.txt * The 'shorewall reset' command now correctly resets the IPv4 packet and byte counters; previously, it was resetting the IPv6 counters. * The Shorewall installer now modifies the Chains.pm file for Digest::SHA depencency when $DESTDIR is set, provided that $BUILD = $HOST. This allows rpm to automatically generate the correct module dependency.- Update to 4.5.2.2 For more details see changelog.txt and releasenotes.txt * If a shorewallrc file is passed to the 4.5.2.1 Shorewall-core install.sh, subsequent compilations fail. The error message indicates that the compiler is looking for lib.core, but the pathname has embedded spaces. * The 4.5.2.1 Shorewall/Shorewall6 installer installs an incorrect file as /etc/shorewall[6]/Makefile.- Update to 4.5.2.1 For more details see changelog.txt and releasenotes.txt * In release 4.5.2, if an INCLUDE directive appeared inside a ?IF ... ?ENDIF sequence, then the following error would be generated after the included file had been read: ERROR: Missing ?ENDIF to match the ?IF at line ... * An error in the shorewallrc.apple file has been corrected. * The shorewallrc.redhat file has been change to conform to Fedora packaging guidelines. * The output of the 'version -a' command reflected incorrect versions when Shorewall-core 4.5.2 was installed. That has been corrected.- Update to 4.5.2 For more details see changelog.txt and releasenotes.txt * The generated firewall script includes code to automatically create ipsets that are referenced but that don't exist. That code was broken in releases 4.4.22 and later. This defect has been corrected. As part of the fix, the generated script will now issue a warning message when it creates an ipset. * The 'mss' option is now supported in the /etc/shorewall[6]/hosts files. See the manpages for details. * It is now possible to conditionally include or omit configuration entries based on the settings of shell variables. See http://www.shorewall.net/configuration_file_basics.htm for details. * The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been renamed ACTION to reflect the expanded set of actions that can be specified in the column. * Some users are finding these ipset warnings objectionable: + Warning when a referenced ipset does not exist. + Warning when using [src] in a destination column or [dst] in a source column. These warnings may now be suppressed by setting IPSET_WARNINGS=No in shorewall.conf and/or shorewall6.conf.- Update to 4.5.1.1 For more details see changelog.txt and releasenotes.txt * When checking or compiling for export (-e option), /sbin/shorewall would previously issue a warning message if the SHOREWALL_SHELL specified in the remote firewall's shorewall.conf did not exist. * The changes to TOS handling in 4.5.1 are incompatible with older releases such as RHEL5 and derivatives. That has been corrected. * The rules compiler now verifies that the protocol is TCP, UDP, SCTP or DCCP when checking a port range (low:high or low-high). * Previously, start or restart using the init script would fail with an error message referencing 'SHOREWALL_INIT_SCRIPT'. This defect was not visible to users that set AUTOMAKE=Yes or that run Shorewall-init.- Update to 4.5.1 For more details see changelog.txt and releasenotes.txt * This release includes all defect repair from versions 4.5.0.1-4.5.0.3. * A typo has been corrected in the blrules man pages. * Previously, if the interface appearing in the HOSTS column of /etc/shorewall6/hosts was not defined in /etc/shorewall6/interfaces, then the compiler would terminate with a Perl diagnostic: Can't use an undefined value as a HASH reference at /usr/share/shorewall/Shorewall/Zones.pm line 1817, <$currentfile> line ... * The compiler was previously failing to validate the contents of the LENGTH and TOS columns in /etc/shorewall/tcrules. The contents of those columns are now validated by the compiler and an appropriate error message is issued if validation fails. * The column headings in the tos files are now in the proper order. Previously, the SOURCE PORT and DEST PORT columns were reversed.- Update to 4.5.1-Beta2 For more details see changelog.txt and releasenotes.txt * A typo has been corrected in the blrules man pages. Previously, if the interface appearing in the HOSTS column of /etc/shorewall6/hosts was not defined in /etc/shorewall6/interfaces, then the compiler would terminate with a Perl diagnostic: Can't use an undefined value as a HASH reference at /usr/share/shorewall/Shorewall/Zones.pm line 1817, <$currentfile> line ...- Update to 4.5.1-Beta For more details see changelog.txt and releasenotes.txt * The packing of the Shorewall products has been changed. Beginning with this release, the packages are: + Shorewall Core -- Core libraries installed in /usr/share/shorewall/ + Shorewall -- Requires Shorewall Core. Together with Shorewall Core, provides IPv4 firewalling. + Shorewall6 -- Requires Shorewall. Provides IPv6 firewalling. + Shorewall Lite -- Requires Shorewall Core. As before. + Shorewall6 Lite -- Requires Shorewall Core. As before. + Shorewall Init -- As before- Update to 4.4.27.3 For more details see changelog.txt and releasenotes.txt * Previously, if USE_DEFAULT_RT=Yes and 'loose' was specified on all providers, then no routing rule targeting the main routing table was generated. This has been corrected so that USE_DEFAULT_RT=Yes always results in such a rule at priority 999. * Shorewall 4.4.27 broke Shorewall-init functionality. It is restored in this release.- Update to 4.4.27.2. For more details see changelog.txt and releasenotes.txt * A long-standing problem with Shorewall's 'save' facility has been discovered. The defect can cause rules to be dropped during 'save' so that they are not available to be reapplied during 'restore'. This can occur in 'safe-restart' when the prompt is not acknowledged or when it is acknowledged with 'n'. The problem can occur when: a) There are IPSEC zones or hosts present; and b) GOTO Target support is available in the kernel and iptables. Example of rule that will be dropped: - A eth2_fwd -m policy --dir in --pol ipsec -g AAA_frwd The defective code has been corrected so that rules are no longer dropped.- Update to 4.4.27.1. For more details see changelog.txt and releasenotes.txt * When optimization category 4 is used, unconditional jumps at the end of chains are replaced with the rules in the target chain. This can result in rulesets that are considerably larger than necessary. Beginning with this release, replacement will only occur if: a) The jump is the only reference to the target chain; or b) The target chain contains 3 or less rules. * The feature introduced in 4.4.25 that allowed provider names in the 'enable' and 'disable' commands was only implemented for 'enable'. It is now implemented for 'disable' as well. * When detecting IPv6 global addresses through an interface, Shorewall6-generated scripts were ignoring addresses beginning with '3'. * A typo in /usr/share/shorewall/prog.header caused an 'awk' script to fail when saving a multi-hop default route during 'start'. * The value '0' is once again accepted in the IN_BANDWIDTH columns of tcinterfaces and tcrules, and causes no ingress policing to be configured. * MARK_IN_FORWARD_CHAIN=Yes no longer generates an error when $FW:
is entered in the SOURCE column of the tcrules file. * In most Shorewall 4.4 versions, if an exported params file (EXPORTPARAMS=Yes in shorewall.conf) generates any output to stdout, then the following messages would appear during start/restart: Compiling /etc/shorewall/routestopped... Shorewall configuration compiled to /var/lib/shorewall/.restart printf: 214: Build: expected numeric value printf: 214: ipset: expected numeric value printf: 214: of: expected numeric value Processing /etc/shorewall/params ... Build ipset of blacklisted addresses Usage: /var/lib/shorewall/.restart [ options ] is one of: start stop ... This has now been corrected.- Update to 4.4.26.1 For more details see changelog.txt and releasenotes.txt * The Perl module version numbers have now been updated to reflect changes in 4.4.26. * The 4.4.26 rules compiler does not issue a warning when a capabilities file was generated with Shorewall 4.4.25, even though new capabilities were added in 4.4.26. This has been corrected so that a warning is generated. * When TC_ENABLED=Shared, CLASSIFY rules could not be used in the tcrules file. Thanks to a patch from Chris Boot, this now works as expected. * The quoted part of the progress message 'Provider "..." compiled' was inadvertently omitted by a change in Shorewall 4.4.23. That text has now been restored.- Update to 4.4.26 For more details see changelog.txt and releasenotes.txt * This release includes all corrections included in 4.4.25.1 through .3. * In 4.4.25, ACCEPT behaved in the BLACKLIST section the same way as in the other rules file sections. This could lead to connections being accepted inadvertently. Now, ACCEPT behaves like WHITELIST; that is, it exempts the packet from the remaining rules in the BLACKLIST section. * Previously, Shorewall did not detect the ULOG and NFLOG capabilities. This lead to run-time failures during 'start' and 'restart' as well as confusing error messages during compilation when ULOG or NFLOG was used when the LOG target was not available. ULOG and NFLOG are now detected capabilities so, if you use a capabilities file, you will need to regenerate it in order to use these log levels. * The SAME tcrules target was broken in Shorewall 4.4.22. It now works correctly again. * Previously, 'shorewall6 update' did not update shorewall6.conf. The command now works as expected. * In earlier releases, the compiler was attempting to process the params file before it was aware of the setting of CONFIG_PATH. This could cause the params file to be missed if it was not located in /etc/shorewall[6] or in the directory named in the start (restart,compile,check,...) command. Now, /sbin/shorewall[6] passes $CONFIG_PATH to the compiler (/usr/share/shorewall/compiler.pl) in the new '--config_path' option.- Update to 4.4.25.3 For more details see changelog.txt and releasenotes.txt * Correction of the produced ruleset when wildchars are used in the zone configuration- Update to 4.4.25.2 For more details see changelog.txt and releasenotes.txt * Previously, if all the following were true: - AUTOMAKE=Yes - Current compiled script (/var/lib/shorewall/firewall or /var/lib/shorewall6/firewall) up to date - LEGACY_FASTSTART=No - There was a saved configuration then rather than start the current configuration, 'shorewall start -f' or 'shorewall6 start -f' would incorrectly restore the saved configuration. * The DropSmurfs and TCPFlags actions are now available in Shorewall6. They were previously omitted from the IPv6 actions.std file. * The 'rawpost' table was previously omitted from the output of the 'dump' command. It is now displayed. * Previously, if a configuration contained more than one wildcard interface (physical name ending in '+'), then the generated script might not work properly with Shorewall-init. This defect dates back to the introduction of Shorewall-init.- Update to 4.4.25.1 For more details see changelog.txt and releasenotes.txt * A'refresh' command with no chains or tables specified will now reload chains created by entries in the BLACKLIST section of the rules file. * The rules compiler previously failed to detect the 'Flow Filter' capability. That capability is now correctly detected. * The IN_BANDWIDTH handling changes in 4.4.25 was incompatible with moribund distributions such as RHEL4. Restoring IN_BANDWIDTH functionality on those releases required a new 'Basic Filter' capability.- Update to 4.4.25 For more details see changelog.txt and releasenotes.txt * A defect in the optimizer that allowed incompatible rules to be combined has been corrected. * Routes and rules added as a result of entries in /etc/shorewall6/providers were previously not deleted by 'stop' or 'restart'. Repeated 'restart' commands could therefore lead to an incorrect routing configuration. * Previously, capital letters were disallowed in IPv6 addresses. They are now permitted. * If the COPY column in /etc/shorewall6/providers was non-empty, previously a run-time error could occur when copying a table. The diagnostic produced by ip was: Either "to" is duplicate, or "cache" is garbage * When copying IPv6 routes, the generated script previously attempted to copy 'cache' entries. Those entries are now omitted. * Previously, the use of large provider numbers could cause some Shorewall-generated routing rules to be ineffective. * In some contexts, IPv6 addresses of the form ::i.j.k.l were incorrectly classified as invalid by the configuration compile * New blacklisting facility implemented. For this and other new features please refer to the releasenotes.txt- Update to 4.4.24.1 * When the logical and physical name of an interface were different, including the logical name in the tcdevices file caused the device's classes to be ignored. This defect was introduced in Shorewall 4.4.23. * Remove the ExecReload from all services, since systemd doesn't allow an ExecReload for OneShot services. Also, add a missing After=network.target to shorewall.service. - Fixed Url typo in the spec- Update to 4.4.24. For more details see changelog.txt and releasenotes.txt * This release includes all problem corrections from releases 4.4.23.1-4.4.23.3. * The 'fallback' option without = previously produced invalid 'ip' commands.- reworked systemd related rpm macros for 12.1- Update to 4.4.23.3 * When providers were present that specify neither 'balance' nor 'fallback', then the following message was issued during compilation and 'enable' of the interface would fail. Use of uninitialized value $weight in concatenation (.) or string at /usr/share/shorewall/Shorewall/Providers.pm line 644. * TC_ENABLED=Shared was broken in Shorewall 4.4.23, 4.4.23.1 and 4.4.23.2. It produced a shell script with syntax errors. - Backported patches removed.- Update to 4.4.23.2 For more details see changelog.txt and releasenotes.txt - Support of systemd for openSUSE 12.1 - Backported patches WEIGHT.patch and SHARED.patch fixing a harmless message and traffic shaping issues respectively- Update to 4.4.22.3. Corrections in this release are below. * On older distributions where 'shorewall show capabilities' indicates 'Connection Tracking Match: Not Available', harmless Perl diagnostics like the following could be issued: Use of uninitialized value $list in pattern match (m//) at /usr/share/shorewall/Shorewall/Config.pm line 1273, <$currentfile> line 14. Use of uninitialized value $list in split at /usr/share/shorewall/Shorewall/Config.pm line 1275, <$currentfile> line 14. * On older distributions where 'shorewall show capabilities' indicates 'Mangle FORWARD Chain: Not Available', entries in the ecn file generated the following Perl Diagnostic: Use of uninitialized value in hash element at /usr/share/shorewall/Shorewall/Chains.pm line 1119. * Previously, if a provider interface was derived from an optional wildcard entry in /etc/shorewall/providers, then the interface was never considered to be usable. Example: /etc/shorewall/interfaces: [#]ZONE INTERFACE BROADCAST OPTIONS net ppp+ - optionsl /etc/shorewall/providers:net [#]PROVIDER NUMBER MARK INTERFACE ... ISP1 1 1 ppp0 * When 'shorewall update' or 'shorewall6 update' results in no change to the .conf file, a message is issued, the .bak file is removed and the command terminates without error.- patch the Perl diagnostic with a WARNING message.- Update to 4.4.22.2 * On older distributions where 'shorewall show capabilities' indicates 'Connection Tracking Match: Not Available', Shorewall 4.4.22 and 4.4.22.1 generated invalid iptables-restore input. * Previously, the compiler always placed '#!/bin/sh' on the first line of the generated script. It now uses the setting of SHOREWALL_SHELL on that line rather than '/bin/sh'. Note that SHOREWALL_SHELL defaults to '/bin/sh' so this change only affects those who specify a different shell. - Patched REDIRECT rule- Update to 4.4.22.1 * Previously, if the name of a zone began with 'all', then entries for that zone in /etc/shorewall/rules and /etc/shoreawll6/rules treated the name the same as 'all'. This defect is present in Shorewall 4.4.13 through 4.4.22. * Previously, when LOAD_HELPERS_ONLY=No, harmless iptables-restore warnings as follows could be generated: ... Running /usr/local/sbin/iptables-restore... - -set option deprecated, please use --match-set - -set option deprecated, please use --match-set IPv4 Forwarding Enabled- Update to 4.4.22. For more details see changelog.txt and releasenotes.txt * Under rare conditions, long port lists (>15 ports) could result in the following failure when optimization level 4 was enabled. Use of uninitialized value in numeric gt (>) at /usr/share/shorewall/Shorewall/Chains.pm line 1264. ERROR: Internal error in Shorewall::Chains::decrement_reference_count at /usr/share/shorewall/Shorewall/Chains.pm line 1264 * All corrections included in Shorewall 4.4.21.1. - A bug in recent versions of Shorewall that could result in rules that are wider in scope than intended was fixed by applying a patch by the upstream.- Update to 4.4.21.1 Changes in this release are: * A harmless Perl run-time "uninitialized variable" diagnostic has been eliminated from the compiler. The diagnostic was issued while displaying the capabilities. * As the result of a typo, an orphan filter chain named FORWAR could be created under rare circumstances. This chain was deleted by OPTIMIZE level 4. * The SNAT options --persistent and --randomize now work properly (/etc/shorewall/masq). * The LOGMARK log level was previously generated invalid iptables input making it unusable. That has been corrected. The syntax for LOGMARK is now: LOGMARK() where is a syslog priority (1-7 or debug, info, notice, etc.). Example rule: [#]ACTION SOURCE DEST PROTO DEST [#] PORT(S) LOG:LOGMARK(info) lan dmz udp 1234- Update to 4.4.21 For more details see changelog.txt and releasenotes.txt * The Shorewall and Shorewall6 'load' and 'reload' commands now use the .conf file in the current working directory. * The 'balance' and 'fallback' options in /etc/shorewall/providers have always been mutually exclusive but the compiler previously didn't enforce that restriction. Now it does. * The ipset modules are now automatically loaded by Shorewall6 when LOAD_HELPERS_ONLY=No is specified in shorewall6.conf. Additionally, there is now a /usr/share/shorewall6/modules.ipset file that lists all of the required modules. * TPROXY descriptions have been added to shorewall-tcrules(5) and shorewall6-tcrules(5).- Update to 4.4.20.3. Changes in this release are * Deprecated options have been removed from the .conf files. They remain in the man pages. * A simple configuration like the 'Universal' sample that includes a single wildcard interface ('+' in the INTERFACE column) produces a ruleset that blocks all incoming packets. As part of correcting this defect, which was introduced in 4.4.20.2, one or more superfluous rules (which could never match) have been eliminated from most configurations.- Update to 4.4.20.2 * A defect introduced in 4.4.20 could cause the following failure at start/restart: ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1: sfq quantum 12498 limit 127 perturb 10" failed * The 'sfilter' interface option introduced in 4.4.20 was only applied to forwarded traffic. Now it is also applied to traffic addressed to the firewall itself. * Issues with iptables-restore is corrected * IPSEC traffic is now (correctly) excluded from sfilter. * The following incorrect warning message has been eliminated: WARNING: sfilter is ineffective with FASTACCEPT=Yes- Update to 4.4.20.1 * The address of the Free Software Foundation has been corrected in the License files. * The shorewall[6].conf file installed in /usr/share/shorewall[6]/configfiles is no longer modified for use with Shorewall[6]-lite. When creating a new configuration for a remote forewall, two lines need to be modified in the copy CONFIG_PATH=/usr/share/shorewall (or shorewall6) STARTUP_LOG=/var/log/shorewall-lite-init.log (or shorewall6-lite-init.log)- Update to 4.4.20 * Removed backported patches for openSUSE specific locations as they are incorporated in upstream. - Changes in 4.4.20 (for more read changelog.txt and releasenotes.txt) * Support for the AUDIT target has been added. AUDIT is a feature of the 2.6.39 kernel and iptables 1.4.10 that allows security auditing of access decisions.- Update to 4.4.19.4 * Previously, the compiler would allow a degenerate entry (only the BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a compilation error. * Previously, it was possible to specify tcfilters and tcrules that classified traffic with the class-id of a non-leaf HFSC class. Such classes are not capabable of handling packets. Shorewall now generates a compile-time warning in this case and ignores the entry. If a non-leaf class is specified as the default class, then Shorewall now generates a compile-time error since that configuration allows no network traffic to flow. * Traditionally, Shorewall has not checked for the existance of ipsets mentioned in the configuration, potentially resulting in a run-time start/restart failure. Now, the compiler will issue a WARNING if: a) The compiler is being run by root. b) The compilation isn't producing a script to run on a remote system under a -lite product. c) An ipset appearing in the configuration does not exist on the local system. * As previously implemented, the 'refresh' command could fail or could result in a ruleset other than what was intended. If there had been changes in the ruleset since it was originally started/restarted/restored that added or deleted sequenced chains (chains such as ~lognnn and ~exclnnn), the resulting ruleset could jump to the wrong such chains or could fail to 'refresh' successfully. This issue has been corrected as follows. When a 'refresh' is done and individual chains are involved, then each table that contains both sequenced chains and one of the chains being refreshed is refreshed in its entirety. For example, if 'shorwall refresh foo' is issued and the filter table (which is the default) contains any sequenced chains, then the entire table is reloaded. Note that this reload operation is atomic so no packets are passed through an inconsistent configuration. * When 'shorewall6 refresh' was run previously, a harmless 'ip6tables: Chain exists' message was generated. - Reworked backported patches so shorewall still uses openSUSE specific locations - Fix the zone definitions in shorewall6/Samples6/zones examples- Update to 4.4.19.3 * incompatibility with gawk has been corrected * Previously, an entry in the USER/GROUP column in the rules and tcrules files could cause run-time start/restart failures if the rule(s) being added did not have the firewall as the source (rules file) and were not being added to the POSTROUTING chain (:T designator in the tcrules file). This error is now caught by the compiler. * Shorewall now insures that a route to a default gateway exists in the main table before it attempts to add a default route through that gateway in a provider table. This prevents start/restart failures in the rare event that such a route does not exist. * CLASSIFY TC rules can apply to traffic exiting only the interface associated with the class-id specified in the first column. * Fixes start of shorewall6 (bnc#693162)- Update to 4.4.19.2 For more details see changelog.txt and releasenotes.txt * In Shorewall-shell, there was the ability to specify IPSET names in the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability, inadvertently dropped in Shorewall-perl, has been restored * Several problems with complex TC have been corrected: * Double exclusion involving ipset lists was previously not detected, resulting in anomalous behavior.- Update to 4.4.19.1 * Eliminate silly duplicate rule when stopped. * Don't believe that all nexthop routes are default routes. * Restore :- in masq file. * Correct default route safe/restore. - backported paths related patches from git as they are in mainstream now- Shorewall packages have their openSUSE specific locations now * Executable files in /usr/lib/shorewall*. These include; getparams compiler.pl wait4ifup shorecap ifupdown * Perl Modules in /usr/lib/perl5/vendor_perl/PERL_VERSION/Shorewall. - Updated to 4.4.19 (for more info please consult changelog.txt and releasenotes.txt) * Corrected a problem in optimize level 4 that resulted in the following compile-time failure Can't use an undefined value as an ARRAY reference at /usr/share/shorewall/Shorewall/Chains.pm line 862. * If a DNAT or REDIRECT rule applied to a source zone with an interface defined with 'physical=+', then the nat table 'dnat' chain might have been created but not referenced. This prevented the DNAT or REDIRECT rule from working correctly. * Previously, if a variable set in /etc/shorewall/params was given a value containing shell metacharacters, then the compiled script would contain syntax errors. * The pathname of the 'conntrack' binary was erroneously printed in the output of 'shorewall6 show connections'. * Correct a problem whereby incorrect Netfilter rules were generated when a bridge with ports was given a logical name. * If a bridge interface had subordinate ports defined in /etc/shorewall/interface, then an ipsec entry (either ipsec zone or the 'ipsec' option specified) in /etc/shorewall/hosts resulted in the compiler generating an incorrect Netfilter configuration. * A fatal error is now raised if '!0' appears in the PROTO column of files that have that column. This avoids an iptables-restore failure at run time.- Updated to 4.4.18.2 * SAVE_IPSETS=Yes didn't work unless there is a dynamic zone defined. * If a logical name was given to a bridge and the ports on the bridge were defined in /etc/shorewall/interfac, then the compiler could generate matches that used the logical name rather than the physical name.- Updated to 4.4.18.1 * An issue with params processing on RHEL6 has been corrected. The problem manifested as the following type of warning: WARNING: Param line (export OLDPWD) ignored at /usr/share/shorewall/Shorewall/Config.pm line 2993. * The editing of the value of the TC_PRIOMAP option has been tightened. Previously, many invalid settings were allowed, resulting in run-time tc command failures. * The Shorewall Lite and Shorewall6 Lite installers now install the 'helpers' modules file. Previously, this file was not installed with the result that both 'shorewall[6]-lite show capabilities' and 'shorecap' failed. * Previously, if an icmp or icmp6 type which included both a type and a code was used in the tcfilters file, 'start' and 'restart' would fail with a 'tc' error.- Updated to 4.4.18 * for accounting modules xtables-addons must be installed - Changes in 4.4.18 (for more read changelog.txt and releasenotes.txt) * The modules files are now just a driver that INCLUDEs several new files and one old file: * Beginning with Shorewall 4.4.18, the accounting structure can be created with three root chains: - accountin: Rules that are valid in the INPUT chain (may not specify an output interface). - accountout: Rules that are valid in the OUTPUT chain (may not specify an input interface or a MAC address). - accountfwd: Other rules. * Internals Change: The Policy.pm module has been merged into the Rules.pm module.- Updated to 4.4.17 * This release adds support for per-IP accounting using the ACCOUNT target. That target is only available when xtables-addons is installed. - Changes in 4.4.17 (for more read changelog.txt and releasenotes.txt) * Previously, Shorewall did not check the length of the names of accounting chains and manual chains. This could result in errors when loading the resulting ruleset. Now, the compiler issues an error for chain names longer than 29 characters. Additionally, the compiler now ensures that these chain names are composed only of letters, digits, underscores ('_') and dashes ("-"). This eliminates Perl runtime errors or other failures when a chain name is embedded within a regular expression. * Several issues with complex traffic shaping have been resolved: a) Specifying IPv6 network addresses in the SOURCE or DEST columns of /etc/shorewall6/tcfilters now works correctly. Previously, Perl runtime warnings occurred and an invalid tc command was generated. b) Previously, if flow= was specified on a parent class, a perl runtime warning occurred and an invalid tc command was generated. This combination is now flagged as an error at compile time. c) There is now an ipv6 tcfilters skeleton included with Shorewall6. * Several issues with accounting are corrected. a) If an accounting rule of the form: chain1 chain2 was configured and neither chain was referenced again in the configuration, then an internal error was generated when optimize level 4 was selected and OPTIMIZE_ACCOUNTING=Yes. b) If there was only a single accounting rule and that rule specified an interface in the SOURCE or DEST columns, then the generated ruleset would fail to load when OPTIMIZE_ACCOUNTING=Yes. c) If a per-IP accounting table name appeared in more than one rule and the specified network was not the same in all occurrences, then the generated ruleset would fail to load. This is now flagged as an error at compile time. * Two defects in compiler module loading have been corrected: a) Previously, the kernel/net/ipv6/netfilter/ directory was not searched. b) A Perl diagnostic was issued when running on a monolithic kernel when the modutils package was installed. * A line containing only 'INCLUDE' appearing in an extension script now generates a compile-time diagnostic rather than a run-time diagnostic. * Previously, the uninstall.sh scripts used insserv (if installed) on Debian-based systems. These scripts now use the preferred tool (updaterc.d). * Beginning with 4.4.16, compilation would fail if an empty shell variable was referenced in a config file on a system where /bin/sh is the Bourne Again Shell (bash). * In earlier versions. if OPTIMIZE=8 then the ruleset displayed by 'check -r' was the same as when OPTIMIZE=0 (unoptimized). Similarly, if OPTIMIZE=9 then the ruleset displayed was the same as when OPTIMIZE=1. * Startup could previously fail on a system where kernel module autoloading was not available and where TC_ENABLED=Simple was specified in shorewall.conf or shorewall6.conf. * Previously, a 'done.' message could be printed at the end of command processing even when the command had failed. Now, such a message only appears if the command completed successfully.- Updated to 4.4.16.1 * Beginning with 4.4.16, compilation would fail if an empty shell variable was referenced in a config file on a system where /bin/sh is the Bourne Again Shell (bash).- fix fillup for shorewall-init so it will be copied to sysconfig directory - link network/scripts/shorewall to if-up.d and if-down.d - Changes in 4.4.16 (for more read changelog.txt and releasenotes.txt) + If the output of 'env' contained a multi-line value, then compilation failed with an Internal Error. The code has been changed so that the compiler now handles multi-line values correctly. * In 4.4.15, output to Standard Out (FD 1) generated by /etc/shorewall/params (/etc/shorewall6/params) was redirected to /dev/null. It is now redirected to Standard Error (FD 2). * If a params file did not appear in the CONFIG_PATH, compilation failed with the error: .: 31: Can't open /etc/shorewall6/params ERROR: Processing of /etc/shorewall6/params failed * Previously, proxy ARP with logical interface names did not work. Symptoms included numerous Perl runtime error messages. * Previously, the root of a wildcard name erroneously matched that name. For example 'eth' matched 'eth+'. Now there must be at least one additional character (e.g., 'eth4'). * Use of logical interface names in the notrack and ecn files resulted in perl runtime warning messages. * The use of wildcard-matching names in certain contexts would result in anomalous behavior. Among the symptoms were: - Perl run-time messages similar to this one: Use of uninitialized value in numeric comparison (<=>) at /usr/share/shorewall/Shorewall/Zones.pm line 1334. - Failure to treat the interface as optional or required. * Where two ISPs share the same interface, if one of the ISPs was not reachable, an iptables-restore error such as this occurred: iptables-restore v1.4.10: Bad mac address "-j" * Previously, under very rare circumstances, a chain would be optimized away while there were still jumps to the chain. This caused Shorewall start/restart to fail during iptables-restore. 11) Previously, the setting of BLACKLIST_DISPOSITION was not validated. Now, an error is raised unless the value is DROP or REJECT.- Update to version 4.4.15.3 - Changes in 4.4.15.3 * Previously, the root of a wildcard name erroneously matched that name. For example 'eth' matched 'eth+'. Now there must be at least one additional character (e.g., 'eth4'). * Use of logical interface names in the notrack and ecn files resulted in perl runtime warning messages. * The use of wildcard-matching names in certain contexts would result in perl run-time messages similar to this one: Use of uninitialized value in numeric comparison (<=>) at /usr/share/shorewall/Shorewall/Zones.pm line 1334. * Under very rare circumstances, a chain could be optimized away even when there are jumps to the chain. This resulted in a start/restart failure. - Changes in 4.4.15.2 * Previously, proxy ARP with logical interface names did not work. Symptoms included numerous Perl runtime error messages. * Previously, unknown interface names in the proxyarp and tcinterfaces files resulted in Perl runtime errors.- Upgrade to version 4.4.15.1 - Changes in version 4.4.15.1 1) If the output of 'env' contained a multi-line value, then compilation failed with an Internal Error. The code has been changed to ignore all but the first line of a multi-line value. 2) If a params file did not appear in the CONFIG_PATH, compilation failed with the error: .: 31: Can't open /etc/shorewall6/params ERROR: Processing of /etc/shorewall6/params failed- Update to version 4.4.15 - Changes in Shorewall 4.4.15 1) Add macros from Tuomo Soini. 2) Corrected macro.JAP. 3) Added fatal_error() functions to the -lite CLIs. RC 1 1) Another Perl 5.12 warning. 2) Avoid anomalous behavior regarding syn flood chains. 3) Add HEADERS column for IPv6 Beta 2 1) Tweaks to IPv6 tcfilters 2) Add support for explicit provider routes 3) Fix shared TC tcfilters handling. Beta 1 1) Handle exported VERBOSE. 2) Modernize handling of the params file. 3) Fix NULL_ROUTE_RFC1918 4) Fix problem of appending incorrect files. 5) Implement shared TC.- Added README.openSUSE which warns the user- Fix init-4.4.14.patch - Cleaned spec file - Removed Provides shoreline_firewall - Until upstream clarifies non-executable scripts put them under rpmlintrc - TODO * the code files should go into %_libexecdir/shorewall, only non-executable data is for %_datadir/shorewall.- Included docs-html to the packaging as well - Patches have the version number reflecting the diff to the original- Initial packaging of shorewall for opensuse/bin/sh/bin/sh/bin/sh/bin/shlamb25 1499964191  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~5.1.4.4-1.15.1.4.4-1.15.1.4.4-1.1 shorewall6shorewall6accountingactionsblrulesclearconntrackfindgwhostsinitinterfacesisusablelib.privatemaclistmanglenatnetmapnotrackparamspolicyprovidersproxyndprefreshrefreshedrestoredroutesrtrulesrulesscfiltersecmarksshorewall6.confsnatstartstartedstopstoppedstoppedrulestcclassestccleartcdevicestcfilterstcinterfacestcpritunnelszonesshorewall6shorewall6.servicercshorewall6shorewall6shorewall6COPYINGchangelog.txtipsecvpnipv6releasenotes.txttunnelshorewall6-accounting.5.gzshorewall6-actions.5.gzshorewall6-blrules.5.gzshorewall6-conntrack.5.gzshorewall6-exclusion.5.gzshorewall6-hosts.5.gzshorewall6-interfaces.5.gzshorewall6-ipsets.5.gzshorewall6-maclist.5.gzshorewall6-mangle.5.gzshorewall6-masq.5.gzshorewall6-modules.5.gzshorewall6-nat.5.gzshorewall6-nesting.5.gzshorewall6-netmap.5.gzshorewall6-params.5.gzshorewall6-policy.5.gzshorewall6-providers.5.gzshorewall6-proxyndp.5.gzshorewall6-routes.5.gzshorewall6-rtrules.5.gzshorewall6-rules.5.gzshorewall6-secmarks.5.gzshorewall6-snat.5.gzshorewall6-stoppedrules.5.gzshorewall6-tcclasses.5.gzshorewall6-tcdevices.5.gzshorewall6-tcfilters.5.gzshorewall6-tcinterfaces.5.gzshorewall6-tcpri.5.gzshorewall6-tunnels.5.gzshorewall6-vardir.5.gzshorewall6-zones.5.gzshorewall6.conf.5.gzshorewall6.8.gzshorewall6action.mangletemplateaction.templateactions.stdconfigfilesaccountingaccounting.annotatedactionsactions.annotatedblrulesblrules.annotatedclearconntrackconntrack.annotatedfindgwhostshosts.annotatedinitinterfacesinterfaces.annotatedisusablelib.privatemaclistmaclist.annotatedmanglemangle.annotatednatnat.annotatednetmapnetmap.annotatedparamsparams.annotatedpolicypolicy.annotatedprovidersproviders.annotatedproxyndpproxyndp.annotatedrefreshrefreshedrestoredroutesroutes.annotatedrtrulesrtrules.annotatedrulesrules.annotatedscfiltersecmarkssecmarks.annotatedshorewall6.confshorewall6.conf.annotatedsnatsnat.annotatedstartstartedstopstoppedstoppedrulesstoppedrules.annotatedtcclassestcclasses.annotatedtccleartcdevicestcdevices.annotatedtcfilterstcfilters.annotatedtcinterfacestcinterfaces.annotatedtcpritcpri.annotatedtunnelstunnels.annotatedzoneszones.annotatedconfigpathfunctionshelperslib.basemacro.Pingmacro.Trcrtmacro.mDNSmacro.mDNSbimodulesmodules.essentialmodules.extensionsmodules.ipsetmodules.tcmodules.xtablesversionsysconfig.shorewall6shorewall6/etc/logrotate.d//etc//etc/shorewall6//usr/lib//usr/lib/systemd/system//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/shorewall6//usr/share/man/man5//usr/share/man/man8//usr/share//usr/share/shorewall6//usr/share/shorewall6/configfiles//var/adm/fillup-templates//var/lib/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -gobs://build.opensuse.org/openSUSE:Leap:42.3/standard/023c292b4d41be4924a32454770f27e0-shorewallcpiolzma5noarch-suse-linux ASCII textdirectoryemptyPascal source, ASCII textPOSIX shell script, ASCII text executabletroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)C++ source, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)UTF-8 Unicode textT=Z^] o# Check if we need to warn users for upgrading configuration but only on dmaj changes if [[ -x /sbin/shorewall6 ]];then SHVER=$(/sbin/shorewall6 version | cut -d "." -f1-2 | sed 's/\.//g') CTVER=$(echo 5.1 | sed 's/\.//g') if [[ ${SHVER} -lt ${CTVER} ]];then echo "upgrade configuration" > /run/shorewall6_upgrade fi fiif [ -f /run/shorewall6_upgrade ]; then cat > /var/adm/update-messages/shorewall-5.1.4.4-1.1 << EOF Warning: Shorewall6 5.1 has just been installed Warning: You have to check and upgrade your configuration shorewall6 update -a /etc/shorewall6 Warning: Adjust changes and try the new configuration shorewall6 try /etc/shorewall6 EOF rm -f /run/shorewall6_upgrade fi/bin/sh/bin/sh?] crv(vX0D]LLVeX.u S< 09|D 2,͒^ؿsIX~}VPhebnh9ݚY葤pF.١̡V>fjm/قЭ@СjuZE dgZ 䡕ɟ^mhtᡓ<+88([8jQM2U'Νo6UQY?Ee*jͽ$LrwO/]3dF"?%!kmnep 8N^?ȘG<=bOI&~$U p稳\k$A<*-gaE~uy̥2;\&ᚁ*fVYLPW jۘJ&tlt0O(K0*'7kM$I>ڞll)0j$;@2 ,h'5M}x+ZbF :rڶk9E0 L~~͈3= }Oqñ/uc|c10)-\t>M?8\b_<†;4O`-"}m l`Nṕi9e8Y-p+YU TOk2WrX8:Њ_@!7^ Sٿэ9/mG;k+0˗: (?m0"=,a>nCq6ִUf {< "NjLjN2{<J|G6|!Y4냅qe&S-ƴֆ47GbTkw/bB?K6C[-oBKn@tY^7BoMXxkZf 3U[VϏ6|!SdÄxII}$2ТQvmTԕS8B6f!.`o4#Q¿XQFRvKz4e^{$ZM-_Z`g<6hK5zsA/$.[H|0٪eUj(Q=&-!Jo@Vj,QG(j *6֛'nsb)4b89~za@ִ y j Zܶ=q32ؼcA$Ω"?W%{g5+u7)*_t𰿇fB+/]C6"ŵq eY:݈B-6YTϋx@=z͊124jޗ䣮ўc^Z8-Qu{ ], 9xEb+^돿5ɨ'͗\+n!jt6PFԊ sU=|0sxYC@U[b+cmX 7Tŝ)wÚ\ɼvxfK 0CLlDTnSZ;N'yd#V㾴+V x*{B MCU _YD6 +8%D~]HF ˪4)jp=tԃ2]߹5dTVt7cY-w>̢[Ù tՐb(ڨ0$X HIPsn,Ҽ1zx2Gѥpʀv>:M(Q})</p:В9XZxg"ō4*Dܥ$hG3VG\?d WJ ݐf̦`7!;󳨳AYfF33o׸>6T!O';&\֟5:V; ǐ2ʗ;ϱJ1*dxJ됟o%PO4ۧ Kmˏ0Z|lEx;Y2HR( s໣Ʌ"cHE4Gu  5Cb 8K)gZ D!x-ozhzdDfnnb&Qcd(>~SJ*=/ ,H3?A(!vczL-#5-mm<̶07= ߽Vnv^Y0@^4Q{uqF )k? xhxx0)K* IK/>X8mljd !#2Tmak]>|V 7=6W̲QqpǕFjWD!!1(M/1=@f!(\o{󋈷 ݸp&lCtXK mDdHٰ4ޫYc :fBye ƙla6! #:YI8}ɉC)-=+ ˭/ 9.<-v^WIlBC~3 1%UnK苦d r;tL*oFF j+:dtn#GfH8{yw~UI^:rb5wT+Mۤ$µ֚VJ}7@>SX~QJPECEtEY ;~js` ;شiR4"w{KoJ/<+ԋ;P8SM&0y,.w8Fʐ';k4fmXn" )Jk5#;bJPk@Qf5rh+Z>q]"KC `JPo#xTV&fQ=ShezEiF3J ,k5 ** (Na4f6k/Udf%,VyUpfvԷ#ȱ]?q7;g󢎛Y8gǖVE0ɜW^(Ѧ褨\F$ճuӗjV%DZMEciNeF)8*#ј۹v# " R[lPrG"̆&|(S{S L|6Fw-&}q?w@s#WiN1(ߕ]qA] oxfvp%f~p9QIziZN'܎+G9h6i+~a(wP+\s{MI3;%L{ D8;|W9ť*SH[?Xӕ Z]W)p lh+{K(l?煯_Tpܕbd4diJRҙw0ucC1tFAk_VZrJ%vphcP?cZ⡔(TXA_|6~&HK幱 ܄PJy S^"!ȶm >.nI{ B8!%cG I{Q /E0v'٪^ڔ^$W*sEwyC@ej|!B2j_(hǹ ,E5j0ܝ\T{Wn@tL[*w+s`0/R=D^{'XHLE gt=T [x.aLm#'1x#]#}ȳN8h .OR`t́מr;?J ^ Kh3Y(DWg.D<$ۚy3>𡢻TAjH;DЕQNA)I(ņ O'9K+oL::O P(yBר:NEJ /b¶R8+%Y<;]9CNj^t^_?}6EB1A!rL;8"\7"ףjGQFz<(<[eexAD}ji(7.g;E,h䣾νbnl1,@{!tg~pQemG ވ!9KqSHdF<\;5ђ_*>@ ;t=%Gg"zI5c_ݷދ>! Y<(.V9umd.K2@Ob@?USx.S˼LqeJIT?Olm,Os-7oB=k:k kG+cÆPkb$FL5Ɖscg~HQEtOL:t gbTˬH*¶6I<]dV%sba*WMOhNӉ~>1侁Μᵈ7C=oy?\d5T!Ɨc~!fꢣvF}1\1K]-#S? +<>srv.Pڧz> t `̪EU7b'십\vS-;y\atN@"h)=AxU#髧j9ȭ2?J& z2X`-Ȥ/lkO, [[@9|s/mNH>qe(Q(ކ=1nUX)>KgEb'dgh3V/|0R-"BPR9'~ËsLj,'fW_־pWC/$PHaD"-OC7`|ʥ.q鞴*P088 !j=lD[K:Q ;rp<%j<_$iYwȄo]xC$:6}l n[(&BMKŲNN ScA/ a5mQf(M3uysQj\2I?RFT QXfCJгB)ي, ? 7kwdg686/py (񭪵U X=FuoM-Z|nd?~nQnG/chP'#OQ۴̱Ū1w&P5c|7Ʉ#_gr=cǧPYuB(' j8^%jT U) &52A>:މBBэj &AIC ;7nH>5!EqO P,VMTj b0jm1[pdM=OxѓK'8@#tGVFڄ5X[X&"᫉ޏmgReNXFfQ,E*,Gnm{9uko I"|ow3fXMն"A0ͅMP~:L"?㌈(;?CǸpt~xHGEVC=uV7?]o {ɕ|6 B@4y+_͖t):`j1>W6˘gy_ L"=YY3Pg16utţzy#ZFj1"A@Ӟ{h"u-EC-@ZuZ˄LMD'_tK/ oYӣGTHzF84GLƸSQl%Ԡ._()o3 ɱC>d,MPȪ,; <)JR!b|U7,ؑ * ķ${F d}qS?Zָ?瘺6虎j(5ZI2y=FRxe~r/bSώ0hSU+|xA*-kyB07ةcRS1x4K#{'zpY)E`w ]`uqx){uYaȈ%cJmN8UZekɇ.x -ݞ?toHz!>y%#,L>w3IAX"m`E(CYVD͇,[7pS0ղIiΒ+-BjyWאM\a`z׍g 5vlSu%f8D~)<r`z,8Xü f,L- $nRG}8r4pGrԸ_+ڜHQl(W]MZ|p cj92~!K4\R ʗ=c:4TXcTeܐQ Z_=pнѩnc@T~-]E<7Ϫ:MWwg N6MB\:`FX:1yE;r+'R'50<?덱5wuہ:7KO%Gj<Gc*x+uq(;% Ii9 /@i! %_Eoc"$:xskmM>N7-R0c&C5&cdrz6l%b\&U庹N4@\.̙`'0mL˗{ 563{\񘵖soS/+ǧPo?YW /mnoZL71+O)Zb9e= 4#QJ~Y7`XU־ #:7튴^1?2 xY!(czm[՞x/yTfEj**1:D?SDMǺnߞE YŜd=}YlZn =Z+#$a&?Ϛ?c9qoX[8.شFP{Vg%ia26GmL3ԣ:EN}& E]Ӄ^{JDȕ)FeU4 "]Ho/#Qgt=sWyBawD 3e.EՉ\Q_"8OtlZ"'4ʱR(/xtKQ"gF_̙9hMHVE!4 @k2' f=4 ܢ"PXð l"ڥ94A#\ up6 Z[aWTjO7CV V/bZo?=g%FG^8”/lb&@Z3N Ka6mkw J+Z}<~ Pxo.Ge5O1l ^;[{- ,ώiF_Crlvj"cƧE8P|0w_AD&92TVse ?S^$B.r[+R|:p1uuVDQA?ɇ:a~8( <.6;'/PKe!2 Y(8Aa՗jœ]NJNJQ\I~$Ր |(:PLߣW游|. jF-,l-ˡң]2| pљ=}> HL):FFaØ֜ԣ'M5M ֶiDu*xIWlvj0elӲ<'i5/nIHQ#uP?±xO7gJBhy3;TrX""܃٭rIգ*]د )Bl !&wgXSxy8o^H5HVPd-he1v/js "X|dC+d@Ҭш ,~::+bFm{79k6t g1Oay5C ܮ"$kDžd56$Dup)4> ҂gqc6]c«GʢxX"eAO>ҟqM=|W;TifZIKi<ēTUs\l.@1dh d~r)*P>NLiX(0"#Sf=5ˆmÙBΚ6o5ee?@ސb,ܬmFf@ kJ2a7HlVa}H8ҮT}ZxGג$?D(| {!z5Jbrv#M6R{XH#'j˧h 8# S޿PyQU=7wXVmH: KXpMMI NtJ)T~B\nR%d9;Ȍ{32-_"C/"6+VLO<F?lt1T4l`~(}}4EX@>|̪ 'wVa6cl'CٗHJ$ MN?4M=u ͽERd mIĆ B8EFzBP<4|d[^܈B`_GS`fyTL|QF3͞ G.[ BӠ@}^ˍ !mx zPѥRc&jRgš״vvI0Ls ѓWP>W忉zAY:N!⏠0߹j<lR- ӂBYu&(6?R̀£4LJ8ϖ4"8anNXV4Ls$WdI`ݷ'W`UE#؞(YEC/wWrej{ gt*>>q/D&n]aQQ Y<ˎ1N4O5۬F?1y7P *˦X\Ii8ήr!\b0 hAq&ucDyQT]jW-#>{_-^֍ӉIl(+`W9&>,ꚹƭ4ͱQͱX,vYYgW{q W^9>†^:K[):#ɠ TTH|)ަa,E,K퍎ƚ VL - 7du5jNr3HEH*äR\BL@SL)٬whz"I_K Dc3=*E&–u RxUxpj}H%PQYsnk'nݡ o)P7>@JӵQZkwc 4?ׂQW,&w/kH4ԒsT=qkcp9EWaihfy`>N-/W̰ e!&j%Ckx/A@ έ)'+=hS}|BG1K3 4.;ڐ qжhBд'yhȘa|Oް͡re0pvp5kL,&zɿ8/A_)0ue=Q^dz ;6TB@4Slo5 UƜȺruVDw5$sꢚRlêѣWd)j% ~0N];)S/pZ&qixtmv[_]&|B,Q{tj1Ų仠cD,)8f:\|q> *+_?-`8z/q;K606_jo@8Ȭī l 8̪%&btI'WS`Qzo4^ 5+=i#+n$Qq v'Wijrv(Jd$G._…'H~)N|[7&ia j_DWխj ^^gN|wĕx#8-up?.ć /2[|Cuef~|ho3~/zFb;LGtg7=+8D4OꇡFG&z 'bzpHŠ(`*'>3p5oJF DWf=nUoɒ_^NpFտ.!D*"-U7JP& eiUw lNCEO"}i7mLɉߵ>ԝ+i>^:=L7ēH"z]iZbp]˔7-:b " u*ήf %ѐ1dI\QGnnp2I˲2!R#9Es?OKu[NK >Z-"h=+cj[:%sBTI:E=)4z|v^Cb' /lD@u^p.u Hfpfi!G/*"徳 7$}áv6 ̉A4R>:u][nP#?}h!pl !b,͙ʬEp$ŵ0)m$ni4`*􋦅taaa:}V?q)L.j}d%)-Be-0 r>u 3:YƁZ˼VL.5krUǝO80͐?Gw/v$*!@0jt!3Zz*ҦdCoլSUyЮswe^GS/7~J6d+lRX}$ ٜ-e_#A㠒; 4G23#42jVΉ9Jm_G+ N5 $ȢـC-X~rsW}z`wm@_U@Elb%))r@@o}g<\4A{A17% 4C}-g U?7)P1vߠ\uU̇e&!i㶣2Vq-&sv4^nV$Y:˔SUclJJhh  V2gTu1x Bk3sezAn_ו[ƪ:UX0t($.ey:ϕD <פK[Șft)@SCy#{=hh+DӕEdU\%D(Le,uM7:yavLe!_ox_Ьn$(&v>sHF!J[n.(ր/@k0/ qt{EMT~[G1ځ(fʇ<9&w :S*MX\^ӼoTP=6V;7Fmq_ wnvP7:en@2]@-rY,=E86p${b4s \>9Xє(扆 mZɆ}^0HQwd`MEJ߹mJ>8-E_׷?||o-f Pry̡|,䠴 xڃreH璘ZϿlEĠ<#AOwܒ(m[.tVˊحλs#ηᔋ^o4:·dTAzMekk!xM}!pKK0( ٌBsmiεƒ_MMzi3< C|؞\)rHD@HWJl=ư;3޴R7Dd} SJ=\Sbu٤21 &k5fM sS_tb'x'iٔehX>tU)>riXc{&[Gś+c&ċZ ,"NR8뫟հY5:esE]i%)I:|LKo(FQ걺Os]*f9#yZYl(|"B'x,*cd";4Sߡ*磻l{R Ffnh5\S;>49]x:סfK.Fa٢my'Z0*35<nY>q!Q[U U#l<s)5)r5kQFT.J'2_UG2ytsFQ&WAUb}XD D/+(zʧ>Zm>w Ukww t ^cVəEݽL+.F^ܙ"(ֽfN6FH~!wAW{ȉ(64lQ+kҼDzmϛpW uQӠ^fKˀ@K=L<SkЄ&9P+5Xΐ)f/g([L-߃4*=c" itY,1xKϖ\hZOeЖs~Ubi,.@#fbC 0(ihS.ׄ@kޗm'eE̐dgԒO.|0w'f59P=7?yG/rIᣣ?Z;bgLjMR wRyl6SYW$/1|2>CUԜo1;ʼB_"4'gXob-Nx#Bbʘw{!TτlOiNj37g_*ڲTߧDˇ]xF@^ehG7kދ/HWeӄ05%nf<5:?PE;G{kʋboAҟ_g[W#9@Rea"nұTe5 0Agj_%d 5l*U)ܽf_O+uO@¢?^"/գt=]Křg궥t%D)1El:!p!D8<(pEq݋$aS8!)2o6I?ZnJm,3BnZ$Fc28f=.mYտdP55Whְ@z*0XGt'@u=؎ƇyhK _2X#v}zUEoB= lxAWX>mrD,KЙY+y>9Z_/"qDM}]c|x:LIXl8"_VDq% 9󥇨o2i8ŰP/%%Ɩs)5(EVxOXCǠg[M?>jS)Ipv"W{V ZVsˈ>\aYś.+畦ٺ _TK lb-,rSEIf]Gu{('J$%\\nDvA %[m_ 7n8;B#m佄̂p,N|ڈ>ܸ[LUNv)7㮌&pƊ.]qǐ$R۱ M+3ܣ=3Ν{pm9?H)M|o!@k QY VN3$R(ŶcĄp'cbS@V;||n̤JUUjB1ߙҾ|qlBSfXBf^2ϚʼzqP!,=Cҁ;FLJ&0և{1CBER6o^ם}w/@ Ծ̧׹6wHXw]0wl֨süc IqgTݭ #<}'nh}6j"xw?WnabxGDR4k$Z_:ފ۽`\ ki lBy3Q!M.N/RW΃y-bQ;^q恉^b?G\ˉ5 aP&yç2ލfW'!xij jdNBq(T ectWMVtzLV0iA\RX;?DS݄ lZ)k/Ө7^/: JAC8MX\BjU*'@&Q|R_p'z"@C|+]&`. VlP&Ǚ4vDIdD?c"L,Θ9+/6B2  BdF^^iBB%RLNx"vV*sE,k(嬮K.`,U \Cŏ~qt~S ļ~Hk#YҔ>\뤥 m}uc շ g>%%+F}lY/%w/w9Ԇt:O_5~﷫%]NxkS;3ΑyPUTs L#el&Rd[s Q+$gM2Dk]')!J?TD i Z`Rvҋ:'=t| @) &ڦse$P[GRgTO0H܉]cW;{{GQPkdk|/Rg@Rx.v&y00m:d`[{aHݶ-$7kMDiɛMPmxAXؖ3pإC+h 5#9` vgK*9N8A/D,S+jeaȦgwGTt7GKz(eJ3crVe|T$~7 E.x񰚯Uw+8Ckׅ%p}mβk"c0<ۧ[%4F.($8@Ik.X>7?V!(Ж* R7-@_{| |۳ 邥 ^vyNR)Au ⽮zA2yՋ#g%`"EzM&QK*23 I hO郧qY:=d%E[oW(B#/::Ir=m?3ڍn6<1ekYm%¥P,>phu| `g:OhK- 5 "Cn{%rbǝP`B2KB@kaY b (3"pHPkx] :OmԟВ'Q 9_E.'9]l/81V#u&p38{FzyUjM&pJ,1+--;}(ONxPVz)YDͰ,},}7@~7}++r6Ca>;VzEL=pw)~Z-u`dWPʣ$bިc[ERFa Ҹc-=EHc֙ޝVŋMs.RKEz5 0KԾl}i{qotK@po`b燯io,z;U4҈K 8!ԢbnwR`Y/XZ;@s=6rqR"-s4ثHQ_jb{?+.Jz) aFFhE+AS~d=j>ڒi7 M)na#PtxͦxcVP/tC *@c UZˠR/d=iIYOi3@ -qe#~`~nR{+, 'CrXڮBeRA[C0# iT|I2DF< rr[P$<43ʮ zKҘ%!59io 81f&7۱^MI8()8j3@N0˲K$YXz\oNmA،ԑ(D cp/ٝZ yur4b/]xΕyw/&޵i v/IWA!Z"=m~:7"xƀ=O cN>|6;֯bB-#E@橲AB1PC4ӽ;3([>o/)=j^kDUL#~lU LN)%y]ā.:%kV/!jDA}Mw1qS۝ v.X`u(]_ld mP/ܳM6{C>HqzJ϶7Wr <(j]=;O/8Fr/OC*W2%q~)zLC/z,P2g7JzDOCqx8p8m\P Rƌ/ 6#w:?:~f^8'K ߆;5c F5$cI$`G`]|Z[(T=x1PPUl3Y/H>%OOVk$N\AՀAݔDA?\.~+ky8»Fg`_XFv b=W)9H M2yjZuA}(+lI* uǭThVfwbu%Ns P!{n,i &C2r\%c38M!$H ?cr>]!J#*m!`w$='|*'ƭS,ay](%@Fz_g:%[ D~CY.jdhWE:_^L ^]L ݸ<$Z`rq)"QGP ]qጹFP,=oDE.3ȰxaLأ5o_Byo`d^5NfU5*YUJJ88@ik!;7%f{zL')iul@UJ _h!IP$b  hCVv+ u!0u>A &|'יm4hG4"|@_cd/ދ+a_̵XO"G):{<%]jbQB!%X4jlrQU<@kSƉ!. HF SA7B Pd'30d9~+-c&zeަ\9YT(Kz0C_u+;H*Y7t3ֲ$Enj ѧZ?4qPїJ[7A4b52+o .ɞ(Ŕ:!V. &NVҙ\:q=PQNG 8o $8qfju:Z JUR&2Ԛ| @{>VZ\xU)E2줱OiP~g=uW*Rl`ʜ+Ϸ+}]T80o޹Ӑ8&QR2Ѯ] _dX65/U5k K"C<LeX+Î[,2Qi!1ZŚuo@ׄ[Y4L(٥=cNVyU!_g )E~z?J!S|G]#KL1 ` 1puߞPE)u8Ů4)%4dkG*4sTv2UAP1=7ZYt] B|J]+1ӄ)a 9$i ;2K[*6}ْh&BUo,cNTyMqܞ3~jFX@tjPxǡ)˒{_1QL>.&#j&7֙jqz&rb7Wr(مNI8O1ʸG[pTwg!b>X2aۻ"C>o\_Vt)>BiGNVԈ6 B6kin OWxz-ZCgCMi9osi?'i0Mי*71VCXD8 fQCbBJ?e'޲ԙ[cI0,F:Z WIh62b.,bŃ;2&Pc\_#|fN虗{ҋʹ;xj۟真4׬ p0,l1 ESy; '8s"+Ȩ&-f^a/fDp9f^iB8KPL~r"}^+ T.O $ {iU,Қw=%dz{Bu'c^r K% t(ÌGjB@WSɢE:f%l,fbC8ݺh($UtDcN~ 3 OO!Y9!mĉj^D7F_r *h8?fZQmYԉB >\A_P̝[o7-w3HʬBLP~BnX7l:[rZ*CfOs5(DbmGmw5l$Im/C-j"wEiBl O/5gL?zamF Jb1Ow^~;i6\) qEZ|F豠1DbmL7,VHvTd$z]NPKL-XH!Q_˜&ٮ dWʎU.!/ݍk=FW Á}a,eSVyB:PW=xvHz+cR{ OG9UFvWKiiTK2+7%7=!̪v^P;hΩbdiv_q'\ LqTc5Cq=Qv Lzqц[= Wnpk=:tעm@A=p= 0*u[6x+ನ'ji :4[ڞU˔oO [qڴ,֥C6BYppLXI!Fۻ%`v#OKkWL"f$G^Qeg^DʡL {EdW%B)5dVg4 K0OCVT)>k P" ?P@TgfeSd2! 1IK3QM=Yh%-h<$iʀ+)vWXpʽ:5 ,Vwȶ׵Gp=kauғ[[\}R|v}w*zĆJL 1A[p!u{y1nt1^ l o ;t`FR=!vt z0ruBD^l zdW5lrIgҜF63 Z 0kt &"sAmȷ@P[ϖ|ØXr"O;\]*,q [Haߑ(!ߞ#c K5 g.+ɍOUu[MF`q6\FEí 8r브#R|g]KlN'$Q3qqcp^FcyxsV"~H$l$( a/p}JәXn\r侺=``D+aoW@7H0#ͩ(,  D$ Ol}[ꐩnkݻ,tzsLAMeF%YmiMՂ$d,/߹MugA7ń)QMgգ_F` D6( lT}tLpIZ͢C»`ꡓ EXGpw:ﳣ*ώ/*'QYP 9l$!{IߧISo+&C[rwiE>A}jiP11m ^78&Ń-1Z)MP8 8 JoCC}=uуr`Skb!޺ʭP"E/K\x Nx.bQ}P7s1&uPSV~cJN"Hl)"!K+Du&a ##K`x}IpN |#.(Kq]'/ZhמvH̫uAEA_lx T}dv=:# :C=$[ FA.%&m щ?˫U /sրP' Z1SJɥP٧z~"fg, 3쁂 2[aE:֖Z @qYa6J3f;h 2 dSwc\0Fy pyU&.dO* }o_\lکC8*y=W/֘C'!5(^౲WlA1t_F"b@kd>">d5":x`앿[~DzAp̢G#wr)SMJU>/eGC&i/.p̜n/ס-*yWrAC^鏴wJؙ*z}izpx 'f|~=y{$gɤ sRpFKh?/4b (t2qIS ʠr2+vG+~&u'Sׅx0 ;Rb(Xo%}&!βD&9q7B iʀ,;tv-)&0i ae@{w T&8݊a8o[-)a9Pʬ1͋EV ]$q$ݱ0t  ._B$nĶڭu7<՚نgO5PK X3z}3v>j<] rz*!.q /l%5Rl'!-6.b*l[6KDX2q\C&O#2u>,)M\6858j>-lJ x p 짜?!8 {U;mWKSti{3,?QCFƹs$f$Qj >]i05;P݆+@s%1)P| _〲tpkt%ئr:!8݆7vhI["!LGB {W𳉾#dO16dZI_䕻j>{l\Ѳ2QhuZuB^ߝ }TJ{w5rTt{$T[iJ_]Q?~lB3oCH/p<KC\ۋ: rwwA|j/&^2"C-z"DTw+rFa9ţ2HqW 7TVۛjWw4uҙ^Q7H[J%4[&4hx`y@ 6P㵺 tC~)NCd$ (dn q@eͷ IZNHeeZ(4W]to>W (ֵfݡ5gD S--7\?]$8q@#Pܷx̲As/QZnm]RV]ϼCj9j'hq{~Jv%{n]ckMv!_Ըe,l0 ƺ:,e#p|O|Wï*]D'C5ASe︩[8m!m^q;ϱcG6bTwQ7B(MvUL`d\8ZCQ%eWXrד<:.sL\x; 9/Dp1ov~UdqJ?&991W ~Dt}C|`A2_,—ܬ Ys-&3n f}RyDQ%j Č[VQ@YޚAOlu ~b羲 -㐜~=~Ox9K+UKHm}\o#ٶ"ϖ+!"xƂ VޫaFGGqQ,YvR&9d-[bjхxi8oeRF_hN ֭?i8_KJq@q;ZTb&/hWklH9 a >1̈́[w̉_'1[H2t>ri\&GX=>'9>bl{ }XV<#o{--?1SPlkt>%^a᳚,q(61`D8- /3TOXrb/bcv@6p*ҥVaT,lX!\[;QB2Gz搽pً|iRʒOWDt3v} #rf>Ԅ%+A .fҰ9eq鏱 ~'5ty29§)ËnCɳ" Vf6y[ d_`\;U M}{pE[{aXE-G^TrD_YKJKCέV:wY"^KVwPاt8^Xuކ]Ч={ڂUI&k@1T}x%+gNB"^t<|qw*S@⽭at. 6QX!@lJY 5>{F;[%ܐsg&&6J@]fKނퟗP{8(5d_ GΓ9vX0 kfnJ&Cyf"c9+F5^@&r%j薼۹剗\d#pLkFCk(ʒ>Ό; ))|8}q.]Fd)s{yb,3$rL Dz'4m{*hVGLz4S=s9i]&uB>qPtNa ťf ]b? hK= Bқ12|EjS@wlFT g[+q)uiAňF)SDܭ;d*nf{PMѝfu)>&9۹Q4 z9SCѓ}$-y%^ 4ĩՉG/L㙘9M^Y,\F$O=ZdÞRR@F"eRbC)%Ռ܀YBQЭl1U0Βc U{@Ց͟;wd5Ϋ؍@5o^ϹtC<9,;HX@NT4V a U TMm)]|'@K ۬1L7˲Zcma(dSnG6ʨ%D/c@4yG2!Yl~fS!PTUP ߋU1/-wmNX<nϩ^UxvZX\E-`ep V@:j`' 1f3y7Ewyk0KS4?ϑ&I/v?`=~bC/SBrW#8駧hױ ΕL 3 !QeMxd@;4|am20_: *.u)qh6^7|3Nɩs^ʥ^(Iкpy,p]Eߍw툨++`> -W4K$lb·䑾"k,[wp贍(M)%Rە'(fc>0ЎFuYiuU h> ur8 p/P?z4; +|j+f7F)C@T$zN5)[`9nJL\Yó长g673z(ɘŜt i%@A4CsV|"XKwX Z'e`'Nޅ}y4OKݫMtLtN -% GF@&f^m#1GFZdQAچ2LO+FJfu$uG@"p.f!s h^wѼ`$BֽC,VM̜mɓr )ݿ[=ۂd/[42C^TZW7H b8| s tMܻ&E+lӁGχQVKi)6K_Yƛje"6WAkUi&eϋ\/JFTt goF92`*(X;vՎSBP銾8I5:xTa0nN˓MzR::c*Prd|yҬkn8Y'|^c%$*BXQ]fedbÅb=u38rANY}Fv8D. M[s_;{D"wF(6IFr6Ѯ aiuGi*}0Ύ|p? l8 T`3DD`LOOI{]0Zg\4Qgb=_[}氌7FmGxŋQސSse{h\:#N#~>SKnaW' ys]?!l/WR84{}F<)N %@<#NG2Zw&@T:sF5鴋vb3~a<FSQr,r4 x-ϿR=O*HqZsq bt7{r\XB#=/-KӼWa "֞}WhSt>"BGt0`Gm4?ޏ'ʒ^`lj 1<^@Giܗv-uYnцDOy>UP\a唘cQA{-941uU;HD+MmϏD%?JJHc)8"c afjȼ4ҵA@!|TUzC;DW56(缯}ɈY*~Z9SђmSL$lG_XZHףA@跥>&S ܟ)ܞ]Zxn)֭~\]N·°L俌FR}?|}Q؈ːkGZn(.K`e@Ф֘\CUhԗZU${)wAQLG}zd;0֜S|ʊ >)nVp7@>VIxLpX;Zڇ jX˟>𝴞Dwˇ˔o#2x*&p|/ ծU5q`Od*poH"0JOv,T]<0((6 hq3\Q}"ƃ)+*lWVxMWuZp\w,(mQYaB N ¥p"c> #=) ~IGN+LUpef4ӊZJd%c 5/A΁̾^֙,Y`Láxkp#v.1rb9ilXgrք^x7N QS @0>In |wm*iFНgkaxB;xizkB$N/?[Z{zVaj3ivF;HAgxHGe*Ա*|Ba 54()\6fJoy[D>e'*[a<5=ŭRmD[ ~HKCO<=ɚVSpQQո2UZsCsHo) 97 1$$2\aK2Gj~7g)$[a:zVD1ex2)?|{Hmt$q8 xo <"oÛj0^M!Tw}v̠?Jr+&YlQШs֩nɳ4dxG⻚גtAӍ0x@+91BU8O9E;ɖkuViGhQ[3c o0*ܝTe} `q|nSմtc6LF#lWHSa]Oo"+x>_UyȁfpF'h% [.WҧҕGiۀDq[ yG νB[>LhPu!6?WA"ĺDn&#v$_zNLckuL0]c Xgx}S/")=j_K\V?lc4~uӂƟI ]=".oDg?Pm/}@a@|-]arαI!㝈o*)IRiCXA-vbc ldLCc>ڰGK T*ʀcHg8pUiN&:ș&^]9׸wh\c%5SIEXI=H!PI@nM35~ZZe~Yeb 16Ni#$Vj]r98~c-~i,tﲭzкDsOQRg6{ T 3Mg?t&0E&`? әL 5NNk֚9Vu3a++ q#LϐT`֋0]9_p[P=-1Xk>|,a^ n 3d˪z׃>QZ> |˷A`2j3Og$+ $1eoW% b2W;]$Ua |w_hCHH̎vQDUW zW@*f{a+`i, K;RB'ڐ_l0>gA9Jv$OBTN# H ͽ~pl]m H"^[gF(\{^G(3ҙc5ނY+ ܂-FxAKy_c0Sa ;uRpO١, .=;O7n9uEQg9=xihAQ JLOmic5VbSC65f+I idi&y.zPN'fV[ݟR _OCMN} ͑I`:w9 T p]xI1|X6VV@;^}@L:GG܎:DXE[ "lJAk/xE&U_7_֭8 |~l{^.wT>1 - ;Euq*6SRL K 'bW={?GAv^} 2PR͍WgZZlXסmqh6&H EҡXq$"f|?d;7=„pZIqQUD0>G5`mmwQE7jW? q'?“k,8y=WT_i6)K|LCwxcԈ͜ sXlCXbOS)M%.o!j] )Th^Kn Fe3TQNf DYRR ay0U9kQ|x ůӇLaU3N ɯj:sW:m r4Of]1x,R?t&Tޣ펐t s,Wyp[PB*b`J>@GzwZVJ 7 y"ykNsC|XOr|mkbc< 쬍 .O :X1pagϪ>,|РN=u /NhkZ-Ի3 e"mH>2<ɪaEB4<Ӝ;i׈~^A%inV7mV4&=0mG%`X:Aysa-yt5&d$Yd* m$vդ㱡24LK,1ZscAR_=YsXqNFoܠ}noE uJ4D4LvyXk+pѪ+nzq 6c&eVʼnY/k\z͎ua Y_ n1 mG@i-oЊ4KV +Ԋ;n+v+vPRP(0BEz;|4T>x[DyKq2IcKgQbB _ҕ)P=hMv KeԔhYU~I}ې2 >" .X ;8..ٝ{~%5vsR<4`}${~,'~g"StiV] ӊ,Ub'y)vT/]M:uG!Oע ٢>'PB_&:o27%6U"L[ꘊ1x6пk.d >w)1RR)BAsFF:I^7o8TW/%lL'H6X B 6^l J=7T/!qѠc Icv 4d峂Z- *zGڿKpq&1c`vDM Eݚ;;eFιK+ a! `(J #jm]M((NJ86t\怀P&c_eFhq6fu= כ캂@H`QZz lM8,(-07NŎy aMR g4gVM s6br|)'m[x}RX$_%`"֓Jb--WFtRA*caUVߒ]jWu(r*.'=C OA>`ON ^6|29dKqtMHHCBHÍSYwḍ ;7/ۀd8u3itT(3DBd叻)i<-t(Oa˩]HF"=&;dɟŔ05HC#JQgݭBZt[o;r jK.ը;XTl"u9 UM h/*I~I#$ s-Maj$k20ٕBA?*vmK,dbmZyD5eJ[RāW3lb"UB'!TTT.Tסx$ pUۉHϫ#G(;СʇK卙 ?:0 } #Qw5S P(ǎ,+o3)s}\CUdhhy]f<*/H7F3YQ%̮Z5v l5 $%q=WpPn2|ʧc'!EdE[[|Zfѽ1/@SԐyC-xzhr4ea:<,x'T~hpkw/_R:+QԃP=q@iF_$ML{@t!ږ'V Kԙe{'owֻ6όiOKԿ@&DK7.4D =xacpi8 ˞/v#oq eSTM!@mjZlHqeOF+!M8tںj n>[<0 ]:_b2FIoiR8 3nDF@c(2J3Tp8q .u~![֋\X#Iz=Pȳ--#\~&zEIQ_5չ}܊Y~}23KvU ̽y),𳣂E'n5 #IE[S=E߯^g2 ᧩ zN-&&MԺpEsiMut F林^gAhw0߿UzV|5 )jpk{wn ?GH>qV,TU )ɤ4TYOYLȰOrVk^. }/!o,)cڹ~dH8$ X" {eCZ.dje771TR..3jljjI>1.(dЈVE_sE(5g*pV#U+jPLCٕ(^ɔ'沈`.ADKIMȡޒN- 8̼rօ$Ux//qB_pdQ%(%` &D_A#_*Xn睯#`ɃBrQQeq%hXtVCT3&#R)r!:^? o=堪h]=+(n7l "̞ՇxgI^γro1r5@53Df*.nY :ޚu, YI܁d;s NL"U5Mhf"%rBj|h5 ;ʭu8` j zi^MW@2ܞ /cao%WI}đqSwЊh=T&mTj~+ rCbWb|%CE: ed?t[@a "m]1vgFQPKړ@pWiZ8::$L:"`m;U!wZ,/Џh\u,-iȗI۟失 Q~mX(m[F2E[(7\ #RDf2t8V0KEd>t#K25UP߆Nq.-= ܔEmg}2ḩj !k%Hڠ󼣁CgF8DꭵhOL7Ͷba$oOKgH+$7q5il%SOG,%W6@"4ڼ<ޏz PÏxزMd9tn3Uh*= n{en+~ezGM2cj+*hU\_l\jv^a^G4VQԼJvJ1\*pn5(;E̟HQ śV¤e@+Kސ`gXBAk%V%c_'iQ;u*%1pGvy _csLf)?V{T=CIiF='bHs!h~a%16E#z]EhC-Jvf5}1 5*q? Pկ`f Qw%F5)Zz$~35a2%~k9Pk?*I'+#7 U4q|ܨb+(N=R}}1>wM+pqGo#%J[;8vHr ޶J0׊[Z^pU&+҃Ahs=:yn&v;AQMA$<`GRY:1('aD%2d'-,)o~wK:ec8@AX{`exҭ7yDG%G$,:{?.ǚ1/R9heh*f[uh߁w "<º>[8t M>갔ݾ䱡XDfntes&G5[ք(u^f9bR".3hHS&`RP0"ŷ`ދC"F֣@Kl3L\$ fȷu8\h,QG+>lڈ 7Vӥ.ãlxOo~}/ M~^2@>B3oB'X\wD4u?١clU>#H5=r @K!:M;o"gflVuߔPB ߼ hlPZ!D= ˊSRcƣ5Ñ|cr6l.ji9ND8{՝+40JAR|Cݜ!<Ԁ @q^SwAГeWȆgc`n~<xP8z@jOw&4fTFL=ċeAQfmMO*mG[Z㦭pf PPckQMsK>nót(z,"glzŮ5*h=>GG&˼iyh(p>0眠iUPN2hdJl]B-7]Â|_y(N IPݏ>7,Rc`d¸j5-.neHO^N$;$q%=U.bO)xHGpSa0JumX?~j0=EGIҶXlbO6g+qq͵@N$;?tv'EiX(Ӣ_Tb7n э\7/Hyx#ll >ñȸ c )yKoxtzڍ K3"O') ۍ(`Ԓ˻IZ:&[@6vbV _qR8]6SF٣kbasm7\*m=Nm3X(|fJN65a1"ђjjd:ʜEޏoeT>)I- 5\v%W| y :Z1R(~]wFF;z+= lךeM64Ss`saW\w4}mb+JpkԘ+~lD+ε%-Mƃ ShXU%)4$WTQSV9uj6U}w0  W0 Yk$k;@}(6V0Y&U;nT4\GO8u-7×bbAR3sow$+@zNwy0#vgL{ jI]H6_- lE3x05z>/2 a∯[voGDX!;NLv .c6(}Jww.?Ŝm!>q szCp_X[Rڀk0dmnqW?1:d8Bs5OIC(I (7?³iHP$fyMդmзe|t;³YT t(c+YH gX_0{\?SpCAIo cRm(}KZyر=[7BxTmEU{UaN**Jʲ.MmKPUTy tG{* lgfE{9"H|ˢ Ϣr;n@9adx`!j,Y蝳G&p+ŽG3 Wu+Hb ʁ봍V^;+*&iE$?lF1c1U%'yRUuvM?/DH._u;R(d{S/F.dq( 6l+5ib}0{pumsȲdWg~ZC8M l` OKG 6ʣZK+6I%oDoMEX%6QY{$~ڄ3AcaPmNuؐƗ8CªcB=łem LT{@BJÖb}s{u,g.I. |QҮ꺍\¦fH6Y>,Z:^ZjMP MSL;\^9#w auCH QN62F5duv!6Boq\KRj g(4l&E:%` SХh#Xc;φ!XL5)j:ݒ %?Ѯ=  55&&IB|Čx/QYj&52VPƱS)>b2EU `XR꠪k31Zlwg29s훛 ))RZmrcVV Gwq JU%4jDAmk~/0ul~V-G7T[R'U[h<Dkc"TXVO^P_x=+zrLBDŽ#lydlXg$WAf',BP~/GtȟKُ`Nx Ƨ[ao-3/]`~OZ̓m/BEpî8: ?쎷5Z~XIlxم;z_wJ@Nذr2d?%)loQC5w j<;d`-ogeӘ~Sτ0j:E`՝gr?G~aDK^*#*,:a=b k>BmBQ,Ù8зn^~`hLBq x^#]9K]rVZTaI5+ѴeūZ)`?d'Dy4ik4ٯ 1pV\U ~bZY}eN5srể?~yq91%>n-gbV8C@߮Ae h n2:Э `Wt`P⊟Cl53!%9 7XЖ(V>)'\L yvvNǩ#sh^[G*ֳx¥=_ڎs99 k"Jn 8+͂/=evGM:z|?;,z3rEFFqVgi0%d/>ݕA?Cr1­؏ԯIA؂%~-wTp AX,v.f}4iVˇA{U.$4-RqP M|n)aY`7T2Ȫtm`6/6Znv|$૧R$hg $u".tAו,eЛϧEd>I 'UiQyY*@ʠ01s& (@1lEYHo$"3f*\Y bl,IBθSn[7uD~6"3r:f"[]Hs} R`0 $B8=uXrrPB'K.N{`Ȕe\q*XN2k@XC) /=mynǧ ndcNf^`pz6Sܳirx l#c| l"ە,#Me$iswX'g X90?A0]E [Nx1ntOsT6=gLTlP ~͉{Cg;3hq9u<<Y[-[oʜucj8z7ڕ'aTB#R>=m6(J^4MEDVj[iQ`+A@#R?9}KI#>;PV7ԱQG8ңH[,.jXuJÅvh;E<6aO) H {Jj)!DɅ Ԛgxs6sc"te6/Al "AZOj+p5G(vC0O]ut3"]|Y]bl׼89AЛ| y!Pl+X^!/8Bffzɕ$69kx냣CЇ [,r/ƐͥlgzL@JDn/BޖwQj,GV?8aq +IA{"cE.3&="?_̇ Wqa*\os'R|Ԗ`*eɊ8<|qiaxl}[3pFNCEV,<)ٴZo'D0XS'֢/6'bwSǎkBfSLaBtNグf"V]T%Nh 啲)~1/i='2D\-b%j!*m(kIT]BE̫wvnG0tq$*$\yԘN"$qKC5>Wט 81rz|4~ny $_3VjsJitv}/(Ade ґR -QC8[%yߧ!mG:̔?u %b̓SB8,Dh E`֤֛چ6%[Df&$6M2Ŕ}D {rj_L:[~8eBZmV=\l̉xQ ˆE#?D䌇 grtQ~ suEdA$bwS)@2fs}u/f19t plpkSǒ*<;= %Hw1FY|,TN1 *C 8M^6Ԣ'n.r4PT<$: 'rÄvdXV#dVx?ඎY8ěba$w)}>"@@PJ0GIk]%$ٽ6 Fm^ Se>\x+&ΏpxAEhfO=;^ӰD.h3@d(h@4#ǟtN t"ֶ_ƿA}@>򖋣%~ tH5 [G8gRCFlL3]뇸k؈j[ʽJ^~}İx$x#,Tnqp,-#d *0 PYxvYZ2tw@.( )=Nʮ aKbJ+X/,\\1)ra}|6wchseb4uo Ϥ5G[`!zuxqB+-d/pvw!:2tEU3AxA0޸عle>W3Ɋcxw8Mn0;qtԃ0bF-JZ,ono\f2Ol|BRUI%ɿ90*=H^ne]|@Q 6'ݴ  X;%[M3,W1`5oj >B[n 4$7vdUZs{ hNawpǢx.Nm:44q ms',r͇ٚfqڠhq4v*Dc!\>6M Kzse|ҽϠơqZ,WLX+J6k?dwb Vnw}Nu PJ.E5)Q7f0^Tݠ >߯^7`ۧ=]GSҞ1^ĉ'5 rx ^AUx-0vR IJ*b8v|ՏkgJDv .~]Ć9kufuklεqБ= QA4N;ncèLO徫ܻO;g6)2$FMz&9Wl9RN<ܽQw> Ԝ :0d&lp.>)F#z>CV=60osmHgVⷕq($ߏ%1d᎜AN@TڜVRW{O >-.<YDP&-gY\61@Wz*3ֲk;'̒8 /;ɇ1 #nE 8t2uPԳFC"Fk6eXW!ӿՑ ApP'?mDέ{T;:23"[aJC(!c[. E ;2ʮ4Y|cVvm_[>#%IҺ\ c+pR/7^Z`cC>ݝJtheCjHlpgkkۧ<&ﳅ76!Gx VBZB8 gh;]f-Ok 8bGj &debXml NaJik8U YZu>C ;wm*%)S8SsZ6T=W}ke0Mr"UraxE4UKr-eG`봪>$EG4_a3bsi`<; A!K1>&m.4eE6"e>S\jоn/BJځݺ/Bi1FDELS]q;d}snK|9A REy^FerŜ&'UӐ\L@D?hN#eXКY$6|FjkIԯ"Y'5Ȧt C27y'̆ 1hȇ gb{(boTMhQ>c0 Wx=!-]fݻ0n' /. N2SyC{Def1Tݬ*"X9w$TNM e(-S=lGD="lnZen8(IC)s YX23k6tçVE6+- d,<3`G0؁4nsfa24+}؆>tVx`s} e[3LaJ ߇J o{ڇc`@9(n#^Єu_ۿ'J|?0U3S@~\,*hY<ɼNL4Tշ/co }ʷB )x*04koR-bQj윎V@\&?nSغLK*DE|뉧ߚV67"O6fBLC,9̿C=TYLF`D- hq{*?KX#~QG䂳5ފwmң7SL )A $7ܧTd-g0v%83K\t|2# yȼf\ ׫"|qYТ^STa8A義lp]aQJM ϫ2?\Ya \eRiFlYs MyeiD_VFhކ˸ZT.o'/7*]\~04=J1u^/Ɓ$׃oC@}`%P!m4(f ~rSɏKUU-/3H@9YWy hZw@aT-$e*R-.o[b΅^Ji4k%f=aWƾBߦo*vjҟڢIJeKXs*/۾Akϗa-wL;Hps0B˒FxXߤaQfԼK&h's?1qP9ߦBɘY9Q6TQ"݆İ4R#o&']Xj2y繛W.٧=Bw3h=XHHۿIEr|6NaAA/ϑmQ ",-74SpSW%!CۚڞF."W5vJE"+Wu=*i=ʄ?Su=^'^@p&CE2:Rͭ~cGzSA5Ĺ7ﳉPN̷e ZaՃsoXsb_^dJ\f] h5D&D C,m; TؿN6[ї`K.mBD +o4.V34! 姂-ϻP`HnVțO20һS.3T-L`-Gzx&HL /ꭺ~p%R!q?>¿_%5 v$hOɼd, G7"'.bBj*X JRs,3$@l1qz'[{&|". { ]#Ԕn9R2bwʹ&eyrhX|l BC*}"`5ʊ^4kݑ xgԅ/8pqXU*|4<ךk6~:^yLgDkgtj^tRz O@J1DEYz_wgf+L]}/$$ qg-e&T&svu^go;FWȠO"AMt׆OM"'1m@{k 4t컶a1]`B0݈7%gP}2浗ԁN"~G8D9 ]XHvRgo; N5>䩢26se@`ūi]wO*xX.cJ+@sTg+)>@\Bd9-)dzZ2[zx58"Z7 ژ=h atPq[VCMDf۩'pJ&V<:ҫK| 6ɬry$Tk>hff7(Ĵ1TzwGYrJ"2 u5u xWѬq ύaej녾8ȋ5g{ܼr] #MeWbbmiWdθx̼VeuJx H-ǐG4_5x4Aw},ݦ|V p70S3-L`Og~|Nm~"YRNIܹ-vJ_c":>7$8fX ,4=BR^z2SMC̓6x'.;^y%)XwA~smeM6 HX<|0:Ldbd MGtf\$!bָck{>0168< / @[u0P9 ?=jԖ01 mg!IJԤ.|q@0/ۀ3IL:">!%y^EM;1"8:Y8Q,T}biD` ?:\JB rV5aV8 MyZ}uΔJ:jМ%m߭&v ZzZX%3!9)hʴcxnL>'[04>@ GD#N 10z)6Z~H0_Dw-Ca{,ksYPUu\rp.i\#;⏊1+6"T^FTRlSK$,hyȺw*V|q픰^12[s<˒dHjJK05Ɖ\Mf_9.iya T n /װ : `uˊrtOI:m :kU#CUZH));Y6<"n^Ez4#&( 1\X7xNXP`T, گQ\mR+Q90Jѕ D5ݕ[)bOؚnN" J85>{K= Pe$F.sV*Rb߰˕{p_\~җ1V>KA%#>P !ZV>b8>m0Z#0nS!ͮR0"Z۔qēVܢ:&>&ύ935?XYM\ K .hl=C|+N@`[! <xo?FSt +|TXFݿ?X3a--Ґw?q歡ZŁeXKA!vAۄ켯=!D$e1Pߗ Ibp*ʃʟizPOsV,>2,s\(gbtcL9Mn.>pADN)y,<ƞP HCWE, W%:YlnnDZD y'&<[ ۭo_m6ߤ&GVFNps³]&g D`^Äw1HfԖZI )/HMbov5"[> +d!9 U:ZjU%i|JBɤ](QaAwxS;}n9BЎAZfOQ65 b{G%d|W:"UHnPBCXvh/c:e)),\7w|2rޞIm3ݢe"6VP4FS\|ٯCu ewy4,cB@@G@cS>!bP׵3)ZGp- 0m‚ ypz"ós!^}6hƚ`0TGzUG]Y_hq^ߟE h%C&o_?/?6Df|vB/>(Ӗ?k"S ]zDӨp#۩ $_SBH(lc{L8IΤ&M&:j&BD鷝ɣx.G/KI\܀ ?s]d촘0)оKz>J'K #JZVM ί>ZH5Yƶ7Gq(߁Ixv&JĢ(m8ź6Dr՝̚efo2wʾ(H)mَJbH<6"u#$skX,?2H4"^ VSXMQ6Da6Bn$,=ILseْ;=6%G6<}9BN`v{OaVfAG_'POmĝ3O$ƼȎ.՛ST¹=ӷlM6h'`"ޔr7SQ2ƺ]m!ڋY@9vBm4Ã/x@껪8s$!bpl+Ro3ˉGn &M;eDC--0 /)uZgpҽlF7J]KzJ9C6"'[.)[ mA&階 L^W.2<0*x]Tώz5$(7?{"+ p5‡y6y*?8҈:5:D!PmY=yr#ᱳ>&pOXqEъk܇{ڶ7rG6F@V+I~Mb{O)|[R: Q-B6a5Yڮb? 8 }=4p"Y@i$.RɓhVab: NDzn r?-rN:?PEXT'gC"E`% 뺾 Ko7ԵVrctꈇsx{SPSQe+awV,'k>T. Ć4><& j%6ތMv8HSMmM:M5[5$Q$55#VtI @fYLe \} |]_o0'svUϊ˔쓹0/秀)$+Fsށ8lx6vBt?9 {bbx %,01bѨLCnw;WF!dL 'QjJ.ŖF:ӭXMln&PeL".w[[dsPq)ث<,h:ә wFk/-ɝ?גw0ň/{H.P^(L xDY|@(f`vو4V2lw>NQ,a騩nvjFuOU(/=`9owp>Qx$A ԧ$n+:@s@B~*)Ou^$=e붊(Y= }2^G32OhC&K ~]WnhsVhF]W410 oQ"-Y:ۢ^yF#4u ȹly9Nt1ʊ^g%л4PtRf;'6h6sZw^Zs_yT\~ȅ]]DZO?"-Ldvucoq8z#W5kuO&)jA^,y}y*_%. }K JW\`܏B(.=u"rՀN gi b8$Tp~Q:IMCJrVRs|wevW[`\t|P3qTC6nЕ"x0L_VzCu%Jkxh$ ij1kfNXcsDOSuLovNxNjXJ#yCaXfH0 lE5j \\ENZ)H&HlLYଐC1cnZcg)u$ia~F4VjˌɃ`5)hk(P1nO0S\ӈ}yv| }yW Vu3z//xw[ogxyd+o({35M[7@G@`ـR Z2+oXͳ^c\wdFِӰSpPsCgr& oL_"Ug@?[Ϸ/7)(|U2z:"ad 05&i .EvO#T- !-fY$jJBV gՄ卑*],R%BZcܷK4uuPtӗ9+lX@[7)4ݶ SU,Ӏ:&ɏs ;Qft٢ք,DgcFZK8DD _'H\I5M+1J5{Gzx> Kk2;th]IӦKuh8U֤ozӝWBty_q[#')b czCR\4<_E*o * $7 FF]S GF!]yHd.xC1iYT> ĝJGOHB*BIR|b)E}xc>vt``x^*-%0 |; l;Yҡ ]da0Ji_*+W|_N!2r4hMVq81AN]q4}z&ʬ=p`6w`TdCW}Q2d;1ngϲ*-~ =:3ݓC(MI8{m[BS$&6į23ǏK]-ȇJ7QgDkqMǕF;+ƘFCIkmz&"W5YXmחdSd zgI8fذ(=V4*n@(aSh^~.L45ՂnB<~.#cT9bյ%I<ɒ! g+MLa|P] ,وiryl)NyW`RhS_vd4 [E}W H@}e ::֊ i(·Dg(0yFIms#ܣSFR55J:fQ|=c04e"5M[=z`i ` i WlUާ~\-,;y* ^,(}K8T#pfr1jTXb!xu™ 4HJ]ٵ\μn&6[Zlrz|S_p7]!0F`tk;ZS GԵc=&mEBLF".h(bDJNM4&!77D3[ le=0w}Uڪ<1S >v@c%3UeAŮ#(p H|uh{($N[|sCtsDj 1`@Sӝ ʶ^ X|A|E&[D|`4ͷs:. n5<)?`%9[ ĺ16[^LXIg0ֈ{A0 !WY M%gR}&V5޽Yo y z&7gf BmЋ#4& @eMp8!x V(L+4170P:e()i?f^j\eY4OI%˩nZ4D̬wI}Ƿ,WGkK7I˼Rʕ<kѽH@LU'V"OlZYڸ6T/SƯl0zD[YLBQWCh]|E8ם-B =l };_o0_B>_!]naq誟X8O*Aƒ5^ ، ږtg<9(eHFu.;,:DSJHbTFZ,yg]NثP%kU??]g-u^jiUˑ2.xӢa⟧o}eAD\>K:OYpdacbL2#JsҚ9NזO?_rVD0#6,XFxnA^T@n[/PW"| e|NjM|,~gBCT8/^~5r&Nj~&+1iswma+j4xxk(sZK\b&|oʷ45S;h |h iu!sz֨^Wr65kl(pҩgIV8tg#E">4jR.,y}X]&FXnaogA@C[0_)3Ww[^t0Y،|L@^A@Lhzrepel997(Qʯc߼e Yhm- 6hVGdb_x·1?wSZaw'=To@!|[8 嬿ñǨY5ekOz!o-ÖMʂq ^ij%9 { _~f( ;oc_!AD~ue18^HS''z=Ua^ 9 ٠p k#<([4>g8GODk'擃>ۈfԜw|hM<-_QLѭ0s'Wx0, ٟǂf @sZ‘eG'EO9aFǺ3B]/blRw$ H p MGo=Jt`Mmc`~[{cĜ'c)daE|פ0qmU]1@H1 FtCXAA!@qB|s~?CA҇]eDiabXc8qgp5Y=ͫpp suTOb+Պ,X ]AS@.վtAB1g6e2bDx鰷ox̋ ݜ=uogYR"+Kxr=c;S 1Q_WmCC{|&d#eI-[ҍc{Zj-λB&efNX|RawrIYnpcKނQ݈JO*hqhϬ.ckIT`/LW}vVF+{vXkG,7<»a}iB*_xsin=m4M@{ɢљcN}t[3)_/CYLm~4-1? f6naq`yAHXgd_|bd%X ܪELHUe~z`?T/Z +tP>6.pX.ѬB_Ʌ֤_z"+}MiB3td,LGrYi)Q?hIaKIv Aʳ.5Alx}vaڊR@?1vr."xˌ`sBsWPEkSz/Oj ynqcD%'F-UDz&ؒBaF^{A_ ` XhB=-bBV|@lѝKvOM|9kǒ@0o-Ȑ" L` 2l;An4 ~ GSs̜=Ԡ*Z0|7Rgd*t=?2? ,%S0XV"DȕAiw0:/;:W`27h7 y `@URC>;@D94)P3[ZVyܵȖh:qZ\<5S".u9\r c5;n8MWGe؎qӯ;['6yEmlpt;ŌOK?s"q`? t.օ6O¢L.c 7 9%egyd[IٱD؏3:=K`jMKZ# ;{ߞvB^NmkHjJY\RՄ H{'g"wzQ4DGKcލyܛ/Չ?GuFE wu2x m UΦܱ|wfF<ǝh=RQm̅{k {R")[RVZ$)a|cRFQz4@8=)ʦGKk3`T݊l "CL-F~n9 }*(m#?½L48z^Y< bB f)rϪBl-(/+#JhQr{rjr&/z&bRVwm<#1#V/+8i3}$T՞XHQUF` @f?!{dƓ di*kf3{:?] {H`=vkj'PZP":q|$^\=/-%ouU(6DU6 óNF$mtF2`Yٜ@-&QD{"yV :*:=KߟHۯt1ԕ}f_/TCkDH|9vu[mXX8m ǽTgf翌H+S"ۃ}Vϭ.HfE; ֜00)El4UIiXP{}'us :' k ";m@]ӊLızۃ` frwffaT`8%PߋlI3sK NtX[hÜ'[I xUZe/^JPDmrsD.:dWNyq_A#ΎiZ!+ı 9AE$h2Cjl eml)6.h~_LhZ^VA;OT܃4ߌE L3ylIvR RbJ~(vAdAkmb-7čZU~$1hW[ [(`8;Rmlg%!z[mJa^ãg%uz)3efyՏAxmk \ԇik>{fPq;TRbr IζmZycOl Rx`dPo]GFPiZH􋑒RUl~`3!˛>Tb bh;xSv@۞髮xaYCisǎ؛`( KG &j*WݟHm8%%?8[&K ݈ 0{z֮ж#%n%Z4tH oU3c05rLd8{kUxyM_-!x @ɒ$jjVU4v2b!VIJ˓Gqߡs:Jl&I程7M@zl=* ,iM&ͻhXh-*\u1{ r~?cw\)P⮘eG~9; 1@q؃d "sp0NooŔ1KJ87jG9wzɠg0'hb)xV\O"4ŹkLk93BwI0" J S~t eR/01/rnɧ'IrۀyJ ́FNND03 [[RR#q_]9B?_d &%m.+HgըtmQlWNR*Tv'1d!|U£FY#4XHIU؞[1J6n蓑>Q9BYȏxl#\Kk;d p"9>M($۵##u$IiqܽK'pd׎>tI9]*0Ol7naA_ag&Kcqm]CPM =3OPFmw$u Ŷ~k%j7Xl5\/߯6,3 q+])醬 ĂQR8zv# _B \G?H:rXTfCfU΢ZxWa(/l^VuGȀF2I[1Ti'ZP{!h)-u˘ L=>pq ϐo钉6Xݎe B#vvmZօ_ߓ^Q ķH4oJ7dF@6Qfш/~#cF>sWzxGܟuXɴڵIbo5{hHs~=jsHR5 ßi1M1#VKow 54<eƶN؞?!Ҕ*p=\DQL+ z.i;<$F5d&ex¯سIrrl~@uš\nrb߂#P12[*S}f) 7DpgvhF -2zBr-hfCD!m%3;`󫐈 o7"`z 06y\oUgvK!j$|cs߃(,MnJ_Y1ׁz0uynFzNzudBRkvvn]yCF}]9m`+u`),:a$}(>sFX"}rVk R0Rul yXAۼ.SJ"~X#Pt:N e"3'(5vbt(ǔ`RɈtZf+l2޼g s֭yFF,)AٚՅ,\2PME[?:h`s.w)OQ2J!9J qq"`M"v%Z@UgcșӪ&363o41(Dm6"}rogOc_.ӁBR+z"d2iQJ@u2o"T́xʸ'`<޾G4Sad0dÄsƴ0}B鬛3YَNHuT?gi/}k=mQT<2ϫs^lj͆ueMW7SٶާTW#Pgw-<|̎<09`o$%0s5\Z˔va;EAv=9P 0#UgAdR^HwVDAoi YS-2(ՒBJM?>U=l]/>z3cVh|P]5l+$`:vd NfM9brZ䋠,?N'R F 4e0ɛ59?Х4MbZLVDWu" $S((JT-'e8:؁c@/c(J_Ph|vߴKj tu]fPMcNQKs*AGU[wCik![dꋈtta"mh`tDKX ]oSGXY L-C k0Ãx ڻĠ1>p;.%A wΪ쫇d鰜JA9bPvj]Lu\p\il32oE :  xƴij%f\z>Ѥ+ 8E"'˝#3ļ3j㇊,Aw_VԌ$,SD`pq='vRv=[)FAa.Gͻ?sͳD&]8tv-~YDԕi$-gg%pX+ݽCE Y2Ms1g 9%rO2N&"cXP0] raK U-1rN.C-QDyV`K{5mmފ Eխ'@LDmyZaA(5-CH5>DcEU ~*!Skru bcGi{λ܌f0Ķ N阘wBpw`jVD%/ !!""xLC-Pb*3zbvۧ w:26`Az)T8}덹/V+E- Yp9o*h#اACt?Lv:o`?mD͐'iH*E:u=bUx:O=5یsuqym+u&?s\3-!suාjg DxƘEkYW֓]|.١q|b`ˡhT9u SN~ܸO0eHyDzWn+ČtNण㮶Srq; ]rB]DӉE 6#;3VD'T Sf3yĹӾ{+ȨNEB_As,V|/6h؟7HUX "y]-eZu1k8"9(8[eTp.9Q[I%峃-Q;YmN$+x0U+z5=lw%_5%fdv8=@1 D-2ZKB09z"o,7TRZ]q8ls5ATv$.|/)#5cRrFۗ&S~55ݺPeNMKn/Qd8S/.O}eHV ay<^q\E-acu Qq,6Ⱥ(J59iM)?ո-rhY{wBY';@P[M%8%V^ǐq3ܔ`iQ M{[Ј絡 44;+<3Do֊w؎^#RӀ#BeOѵcVc=g}TK(/$FVYKXݱ6q(!|-&h)֠u ]`kä-DOO;s(e<ı)h`??pU6TODojg=DЄ+W^{jAv+ťQ m !o W5TEF(JJ+K%E Mѿb%ċO$V4"8OwZH"q@*ZהxqB!n!R`&f y ʜD!mMCA睙]]1 1頿+k{PJFNR os[daʮ'N|/w ǒdx:``sFA%1>e` B ]0j9M8RE#Khӊ6BfȰkY9Z1&dr媔W>d@3'_4 q/jTeOcwqcHj&a$2¹f,,{eœ%-1LtUiCEAkMR]}ǜ /bHst#k;#9o~qXvm^=v&3. +2vԮ >( |3Za d,4;+![S^/Ņo(ZZ X3MX.G+z8LRMB%bbRtX{*D";6lkN賾LOwv1YB.QC3m7NMRxwؚ`{-iA뻾bꯈ6!@1 {b'CIb ~PM ~ /mRaC&&E 8b'yxã'$ }mض;S웹A7a <llzFFiʿmTJ~8@=rjYSW0[ZF4l%jEj"Lve\qP )"Ro镗5Fci2Cg:0^VP/l&NclrS5n(b/=_@խmA1t5Rp*:8>]ҝEu^gE}.y*yI`U0?9UE];Y܍Z)Hֳ08w4fxUUZuByRkE~ɻ|D]98YU|?6(+,)Fէ)ڎg٩,?4[!*hD X 6te3 ԋ>GjޙIP{CdeD lv+5^nsrH*5.!..&'P\I^TNLti,l*:5%PU#WN\]m*Eū{PU^}}Z}ji, :IA$)| (ԉ֒`lʙ~U$XRx81K`f籜p̠#]MNYxƕX"xR@:HMgǷ! awfY=_0hu#hD}Fl!I┕'M$$v -h%4R'*J<& eaXhu[ 2 DVB (OI[O=yUH~ǎ j1r0֌'%vE|V[XgxU%;+vԨ'<C2Ci¿p A3 QΒ]m~A):!a^InFAeGtVv6($ QB3 /4+D@%@'o6ba\PzopNط`A E<Տ NJ'!]9'FaODe`#oLǧ؋nꅵF=B+HkAK6Gw؀f2wozQkzK<Qe2Eb޶3WfH^53SLoa~zu$Qg`g'Zk!R|-'FSn!R~0g*l7~8;%}U-k 1O&2ՈGc~[$GG4qΉ9QZ½O)Loƻ~U ̫+GȐ~`0پHPG-W93%1,H }[r@ymhFWbTn`CUcxzsCLk <3gФ DP}e B:z`Xɠ ;n&T`v*z͢l1'S<.+$&'(tò1R{?F$?N$I'\6StZ˟!#~̤Dvi$z ?ɂ`ћdh9Yz):7pl1bz`T=xͯrqD5sF60vyqO& eHV-6kjnv:clo1З `ƌe!D3Gq)Vʇm=DNAwH@:P9YhjPz&>8x>9-Z~$%=k. H8o@N#yVRlG7~v,M eSg5Qyn،۴9yEɄo 7L0=4,oF}ߝ~'vn$膊i3xB[A_ڰ2 xR%E/=(#iB)p2A9o r" {T)azjbN \gŜk`ͭ"'!\|+Jvờs;UÊ/']O23L טӪLM=v肺1d ?Ed7PQ H̄nƞ`lg^,Rfw#~/#l (}`}q\d:o1/a1 1GƊ$mu#3gpI$E;*Ұk[D-V; .a;LYCS^78Ԟy}D@H) USj/nU/]@EW+HBd\o;f224eiR82 =F0q\sgc|!hB{Hf$` bՓx$e HT(lhCPz$3 ǵSCXSfp)Dwk X;d8g !<"]m>V2`vRXlD߽(,F'&8뼛6'nm7(Q#B& mjgܒ[13 ›J{v>:CnCK,9lttåNUğ _5G=Lױe?աҖXN{keE0 ypU;e粝ZdP)CuC)4&ݤ Nt#\c=0pKVaAuvHBx(>Zop-#q“-~',=2<%$q <("5Q8J/WoSR>R ؊ŹBr:hn~#^cFƗs"ZF}"A0레~2P +첎%{%Ky Z <->CZ5эj)wX(<;;4-j4_>s@Lwx )J\`&%Ol5H#2_.Vzѷ'U6dcŜŤ.2*\ԅ#.r;Q^x<}h`e,>{N9P` &jYC ev:+<ŷIg(v8pJԻ؉9c+K_ϋ=ۯhA(H0=+%r9e.(<o 扌\(lgU]TePS=?~=hhErݿd>9ōs& wg8ur)sWG؅3d[}f!eA"IP6|nG|gjdv'nU\!rpdu\歑p÷NX{:TȦTWoD6_f#MELՋ[aG7[f9SG(3v^2"e+ȁ⋾ *vNm\ӥbvkWf٠T0I\NJ*P'E#Oq`s02g?ytܢsnkNbbL 2YXbJIV +Ϗby$7@ 1,O@NF [L|H05ʂ SwNv77$<ub0ΕUJJT ܴʆsR!ޑ곇^Ɛ,gϙW`QR}hAU(b|``K: H(1:SSu KaKp-'>"N0QODzez ۇEfl-tە%>wqd0m~H D*VOE(L/G'4FWFY_&Jxw.wY`MRHfOn>OF0KI-ǐϒ?I,:ǫY{.سܽRѤw^|\/ .TB¡V AߞNT>F뗁r-m+?}*1`wm8?fR{8\|4iYf#=h&!b{>cyĄ) mC7t'>W` ]yByYpTZ-85-xLGQP`p4ã"rƣ[}g\E?۶&f۞Ax$y32ڬipp @`A2>m/z\QLRtC;#.XV##B0gkMn0oQcGw]5ﳉArǼ"v~',>LeiWuz@Y܀4NK:N=|%h8w6E1e*߂SX܇$폏CcWU"Ο<oİ쌤( ,[XRX+!17PȦ;`_Tɀf\|WDE2ԅ KO-z`[:|rcΉ GL ].r">ͨ>ϴ$Mr7cP`??_Fϭ8*fީH}ɛ~Rʫ-q: @Dw3~;U wᛦ&3H Ny&6|WqYm;0lX|'$Aė]|҉ o"aڔ|OZحimc8dOx#vzWFg@,Q"O:hZ/-svu: y&a Y$⤴I~D#ϸddُW1+ HiF V1ID潨~H u-lRj0րY; Mmch!6cUO5i{gg/ ΢>R6DVR?#8 e"y]${N9>XTI>|| d@aW`fR]fgbOq(E$CQ, S bs':ap&|n |3?}0UڿPYK@^4)w+GYϤC%W8ZV&}ڵc]j,6cEd|3.%MOg@k 욑դe53{Or)jwŋ{ w(^Nzu8Wn9tXo/8|㟅1H'PhͩjHoonXn^Sa~eY<.^"#wY|):#cLg6*/dP9=el\'T*wP$5lR!fic-''+ӯ ^GN.^Zw,fRe-eTRp}}TYp [d\78U`ϑ78אPnǮ9 * el&`х$`n, n>1 c2>e K }m^sdlf6I=MK它dO"`C ӔK =he^btd .ۯK{#+@;l!wɄM֪]AHTŎηkfL}ZlnE#PYʿ{Y脌w ?"mD53#rS=DL3HXI7e5W=xu8%XkPgGO]A"Ly k|j>Ŗyv' ЕG̔X˿,Df--y({lFs(BK[fHcWm YS+MH gtCʠ4aj>GE5/ߪ|򣹯 w)~wz2ril힟)9M,D!m-l.1'۽" 񴟨Ml}st}N3]u#&۱9|ۮ ?m>LtAb%-ָ-^'24 3dDAAۊ /v (xP+ދ[lDzjR C U#P I4P ^%P;r:e9I"G}Ay8:P[A`sP-(w9J0,#-Q&O-]}N_|ߎ2 ~y?j}5 l}{`lҘKcu&wWn.xܱ;W2_ # 0j&:Rbx;kxF/?Ҷāhsfq奞qAkB}MaKgC${ wF&oqT(u!=l*1Unܷ%?J* 0ZGrDȂ(8ѨK41L ncX_>d09\f%]w1Qr$Yy0fw_j=AƏXD:;1b&1;ӼWz˗ŒM  15J# 3fgPoquG7tw#~^ 9vALO֯;=sU9 zʝHL3.JwD$3soACCQO}ul+;guT`0NJ-67I#S36~2%p7HD[9f`O!ntPj['7Ʃy珧x_y=ƑōhUvۖF`=P<;.]nlحiו ;7}?+y1B" sv{m^iQ.@LBa %N] E$? f4h:ckv@)`ϊ PD"X. Mm@ I 5EFEiԾ"CLkxDNʨdt_1|cQArVXՠG{n6;ljˍ߰VoBZY{\LK8ڪ7̭ʍ 2\}=hma|x΀&UX+: wYB zdt@hS=;#*{0^`*bq\G6H~_,0td+`0'İGkŗ3r]n_O؞#"{3UdQOFK?^UcRǒ簡Q;cudPo[.yj|^$Qƹ@2@AUh|<6KȽo\/wL/ Hڦ5%xup>xJ΀<\+qm`>tGi`7>QN3\Gaf}K40~݀bD׺2;/+]7|E1%;z$ZL7ɣon뿿-vNy2ͤJȟB i2SYs?O%x0/Q*k-CwMmMb; qs !Uvb)h gVWIK!-l|?eKjiB@>Oj}qN[K3|#] s`Gb9՛8pM*GsOH֌yGpP*[@ :ZkW7BJD -M!ox-`_DCopx5YK5VrO~6G*nS 8EfϠ@r>(>Ұ `8)Π;U Ȗ"d&k@Qᴈe` VoZ8D{I!] Ez[cRKtρ>B<8JPTxșa4I|?YŒSv?'Aۄ)<@c֎*duh2_`Ol0v-e%Jm8Q#ı͍+dMhFCG>_ZNq^+jVa !*x݄ Sܭ$]62۝E碌]׫^bXA̧L*-@%IqCGCm]h-5Y\=(EB>o=įA nMsq7"\)ᶟ:}vؗ_00‹pޕ SAu67-zU[:r yeYǬIbM$17}|=a ` 0gL`'=W(8>c"WOZMnijha-\32|oܣV mUZ(p9HwQhP(@ רr4YS EŻYNFƌU'} [[~El$XLTIIXll| *~.GĄUbX۳4c5J'NHA)cp/RpwK#q,Ɗuђ~PC b~ \C0z8䞆lk!D}PfE69)]&׬ĩg$kmTY㠙\3d[#3,)Zμp)D^ ey!RdC5g̳&ja\q4y BycܞZ_M·=_lӷ7@%|`IqJpe͌y(r/1)HA5%y_|La *UTgtփ)J **V#9BWkL5ptBïu]7)콒Z2ZWb~Uf'koٸ.M =7_l|l+y䓠;"|1H x5\??YaFqwB~%hⳁCHmqpBN^eY RN9 |DPN{XZ;%;蝾@!ꥌ*!\ xپvQɀ? {^r/ BG1x[ Y5/_\3Cиի-D_3 HOM6ak$]=YF1hƽsÄ£\D]!Bnƴ-h /00z,?NAeCQ,`Ъ҇zbpLbsI+fIGM@]҈-w#Cm%EDB x!,)"#Fgu^GS,qKgy֎:gǁ3hCtxx}mHP$p ?_(|ؿUۖO^/"wR,)J ^u7y QFHV՘!,Ua[q8^w~JH@߿k'$ vG+CFSÍvK% mOkkzB=&p@>o(ѳ=l{K#(o߈yݏ0G{PK\ ԡ'6zkt#Xe:ZmfIwݶ ԎÒ&ënn|$$L2i V蝡+hj/(Mkx8@_όLC.}2wLbʢ3N(OhTZ~c?u&#Νfm$f gۥ ?"+ V[ߪEdv!pQYMǖrx5-1g(ǖ.j~wP(N-OTugf w*E:ѭdy-U1F4Eq"Ֆh%L?oԚ{&dq`İdrhW rf'IƎC@-79^.zDgqӣ(H>󱋿~>inla]/̱TlhM1dClZ"vQ:(sMʴՂ$Hk૬NrXE r  _wyșhG}[WJco.?4\z @TNI}ئ$:=?YG̀@(zkszώjV(:sn(A6bE5d+Wg&IxE+:-;Dؿ׊0 Y e"D<1.9bHqb6fQG#+h!٨Svϼ$#t-i(`{BfO#I0X_ uz0?kQ7hx\S|m隅BLu*O6W6})qbՅЮuI/~Ach!XV0{_& ZQ3vǺɃZl +/C[ ɧے 14PIK=T*? Q#ioyϜ! ny Mc *IB\&T3$nqBc" .בDDe8f'Zefq!)nJϋfHT6Y|+o$F2$. A]]j+YxV8ñ!mYSl !_Xq4}dݹ*+wg=a |HPUBeu(2"IاYDdPhjLx• /7x5@rHm3r:& [ w4T*H~=6^A:qd_` ~4)T@,*:)"'N'Ve3JM[ۅ%KsPSU?G Al q+X::#;i-T5 FP+^o$֧G-f1{#C WճO_Cw}:J+̒]0u+& %ܮ* y̸3mrz @\`mOG/ES :U'(,by ޠK0c.FMŀķ=Zm2o-ŴBFFX2]!wq4(bOfEp  @r JNZ@<.;\CSdr0ӿ~]ecC"#GTK83z鳣|CX0ݒR4c߅n u:M>*/ *C&4G;Bn쇖9&&EP[}i5/\YKQOw([H5>#?y  mr?:$r++YAqxWP=A[wbyfv.12#\J rlj8KA {kֺJ9-4@-E-NUO ,M@D C#l*p*RӟEBd'Fp;&B|@֠B?+]ahUj,`W!JXu;թMhY V/xVlLcL>okP^˸*z3;0Ձ68K^k<NH≁1A!dTϣ(^ mz&]3]y)κ :#81q pkTw)S54.lwSGtoˬnK8 Fz lVY djܯ!j;ÂU>/]'EAm|ueϖ* ;ZF[ZtLY%Z 9JkDu W,At5 fMOuuשc+R;ng3*^ $S.kUU*؀iD #spL=v5C^ oޖg7,CQ2sNKLU<"pT\(}^֔ƢAeDepg`B@9+.3 A,TLxF6Bt?bmn@f(9ʰ4kXyLn?Q7kSx Pd_wƤv$|qxu=sGlD_ESS7wN(WW+Lo+\YۯUv" hxkͫ.D|eizx2aɍK?nm ~1ZN]&tHB\{Ց˻ &:2]LIK~3?ˁ/f^c"޸`9ď0QqneOF?Pl|H5Ļ]r'<^L:\t?~u(2&CvNX̼YDu",c|#;`@-{nIURYrʹr+OoEV)+l :s _Z%4&Vp~BuY# pYdx4e8˄# #˻7fqPA :KU5(:i c@,Xr 35#_s"{5"z5Jx{Nb,$zOc9 CH#ꏙCݨfP nNe| :$cki1-ϓm)hqլ@cAb$h5>Q`#j_4IJ+-kgqn8hTG^vL%vT0.J>uSwL[|Vʖ@|:Yc\MR7@hN FnH,'8gy4|ѹꉙ-h|?bڰ|WFtq~q +YsSfF,SMMF_U *n G|^x01SA&A;Èc&đ'3D'#ʆE]>u^2&ݹUG°YW=3#К7XW2cd759 QY)A;{~ 5&*xBCX2 9\2Is^Iigk1⃱f8{sWW"t?/ '{^">Cx"jR9xe62ZZ[3 o G(jWX +h\5ZjL_ncv[;N˜o}Y{JeP/+?<53Z~(*3r/t'fh$Dy;`ĪJ#]=2lwY@ *ޗ78 HSY*³d ٢ AއA {cyqCf'͖tQb4;nhԆaG4f׸0S@B,##Q Rٗ.Y{^W=#B_het\p1 Х3{Ak9w.>\nLf\z z#Ww5JWMg?|9Z2HT#Ő1lcy7JOŻMw*I9;#TTu8#ճ -.7y]&ʧ{I9Y+&TZ'&ݵ {]ySܯD Rru1y u*F ǍXQ?#A*/ l hr]F/"֛"l}=ʻN e "4 4sKFaJ)e3MږV3Odڸ/K5#r:ƨ;_a_A 2 BU9%!e[ۏL^IvS?Eݬ:]\l>$p%3mm&`1 ѳ{}}6)h!KW͡_ #{LewyVT)wx-rc Z9{an=w9e81逩_UQC!˽nO"6'/f,Do}֬oBhL$$?ahfl@fOs Ңa^*a DbMju T~#yίrôv} l$Uf˲goa(7ّs$=&{GT06dlsfMT hç~u#>ջ^^\ֻ v `|Ǭ*3Вt #aO" p5_i `$_"B{ FVA;˾2rcL:9=Fq`ٶ޵#;i=[،ށFOƲ<ߧ$d0g\!KRi$~,Ԫ'Hkki#E6jj]hG_($K㳧mzI;m&7Dء|[0͉MFvZѣ~%5%*w rVlK-Ƥ"mqr'm ĔS膫cfDFr)d*A富oYⳌnH Q O=zhE愗 iQeҽ1W;$)wUNb x9j&EjAA֧r]^ &VeiMi)G~טG6I&Ł<'.*#RyL:`ɥ76bwrxP"DW՝,[4+ph1v5t#A6e1)YO)\AӴ~^$ԩ% ,,`C)~.67'5=k6؇*vB`J_< v8inʫV?|]o\a`6[uPD}&4qT׈wϐ g@q8:oaC(3:BJ[e25 XB-*j+z'vp!iuin9qZ"[">UR~VG#CEmW7SɆC~bv%U[ @igķh5g'!o"$'p͑گgMӮ|;> O2NSĴBD}zRc^1069ĊVRe%{ @=LȮaC!lrKXGx$ے<`j9%ǣɎU lUb/4=9pѻ!9C_y=@\:klbQ48YgC;NQ6 g$Z~gr^)z%jujN<2J5ةw3i BL5t6;$"%*USW$?a2 tMcfʹLx#Y n,~488#KsrEl@Qx8 |wvt~<h]=p~8ɼ4Q3#pD-p(Hq|ة*_Ly_\m/ |WyKFx:lv-, Gzab y.TcQ$n3T gjwIg`hBEwwZV߷vu],&ث›쇾A}$W#12T߯ >vMuHU1yZ+G&2bi눦yɝJ I7o_*S=S&t0M'"%r9#%FP|6viK`'4ҿ FHW>NjTH9Lw8@_K֫>Vl:%y . YA@Dd ʃgcrG8;Z&`DrAj Σ{^aW}R) v)*S#=`䴖eʆ@/LDjQAh<1sߘ9DYl+~1X$ -fo җA 7Pb ɚ߆HxIY bW6wY,i &X`[E~bH_[MӚ]UKrO7>p,ADRmK?&%'v>ZX5l_}YiݏST ""#)#e⎝`]!6i '|& XYwY(zHxkAd[ntHs p-U)K)NvS1)+9BNW KWހ'_,>k?c@x8eJab>[OJ(3[?_UG.Yu ſB%˜M"kuZu4-8/XF#olhTP,/(?~]( ~ mPj/[yƋ끒9)vp͔ !"0i=&1+={@Nnns<9]7 -_~9xExWnZЯ ԍQ6ʈMs^>ޯʪA:GJTtQ픧Efj7fԲJS['.Ptq(ɹUeHzIPٟ(ג)qxk$|@[V[b 7R irm7,iH=jᨬ0G),ژ=~wdδ!%x$ $$6o+K:?:iZkX%XUUe/Iʛz:\( R}Zs| dOjt3:uU~{fU!/Y ěo6< sd͐lMadE0."xGJOTçIEjSdPqsNo 658裗D-0 #=XlUXoSW`===dy2oCUWU13\bi;YԶ$ (0{3!{yyx$zp*GcJG*BhH=X(i;:y/ҾkpD/Mgi)]HI~x]DT@P/*rW.xܾ뼾UpGXEJ!Ɖޤ^ }2Svc_Leu{-; FȒ)= Pk~w79ΟW?:ۡCS>x:&<ES dWjEQh} A0kcDHBX>^_:3DLR7(jnM:5 T3=_ |"hJ/U*/t&qY@*b_@0&u)?E2H{{oUYޘ\ NM4%[xS nK=s(w -t;KS.e SToy޷n^u-xPK=oJ8 zs g= Wel.w)s Z^jkaM'0j*퓎)ac1\԰Bad;]rZtѥyR&yV $,P>Fr?=q:}3o1cFs 5jAX zdc:@(d@hFRAJ4ǟ_?aS\!+o:u@ΉF<_$M$oApJ1yETr0VB> 3zW9/]3U"(R <ůьP:I'40۷(t.͹ lv;nVzoEISi)=sK#cAPe42cAjH}y?JPf79ب,-]Pf!| e*bW3-fMNM|cz#Z>s8Aù|[j*o0z& }Dԍg YeQqu7X)b>-CI} T1NDk=0VۛJk"#}B3Cr!Ϻ 7oܙAdjJ Q+IUqbLfu!Rp>`.G?ɚ!VqL Fe.TW'{oʀeމHV0؆*z2S)FZx+Ka) ɆiȆ _p2륥5QG#\;#9c%O69,II8La'v#P2i|qv+ZQ,YKQ.o@% `s<#b8H(V+ GU<%tsoy5NqR}9wҷcCȻJ}= WD~faU-Zk̕~ קɘѿy1ѡ äW:QR@mL 3?D l1{%`w X$.eld -8a2^)R3cBEh油 ʎ!hcfׄg$,a"doG\tҫYT_&aޙ]b5;PFE ~$$~6n2IO_h8s`iۂ޺npS3%9 }:@فd$MRR"'iߘ(go~]i> EOsq:?YqcvB9K:Uq#.˪t U;5fBIyvN1ή@'ngRv-R=t2w_N;@OSEtTu@r ;ySl^_ Mb0sO}4W![5~c; KMW9wC* /Up anz M IrnVt;?ȣ&7IsH}VyQxXa喡EGaI6ʤ3ZUZv7M#JaӺVЊF6OY_m)rO[o(Y^8'qJu1RM(^XVS׶k՗r>٪IU(XoJe[08Qv%î^Q4@[A?Y%& 'Zy:´ Jm&ٳS "m y{c؟CvxA(KfDs):'dvK(w|E*OV|:CGh3Ht4J3)44˪j[@i<=!Fˤȫb=X'RaťC*^*jxXP]y# !Q-0gOşP1-HA3BsVȪ9W=4da8NPix5s(EsC=Tj l;sۏ7"ėGM~EfGa-~jH@FWPlqw9yN 4EXi@eW~G"/+ L`Mk*$>ˊ)c׸f]%6 ! >$W Gz>g{T-F| 36p ŦI=ܷ@tU/> ɗEO5G {zIT@ '% .T$26-T ̂lR" CHSv3ru*lGYlx{l膢} z S5`*rj$˼4w#qz oI4"CHa,zCXtr&eXkWˀxIT+0Ѥ KJNiحoijajeH݊L3 SťѤjYEWVxԼ'!+8wvGDfzf4Xlrg35ipM|kvi$㵀H/\$ Z FD@?J~ee%ƺV1M\pP7q^#v.hM!^[ A}k" k+vJ#t+Vם2H}-AYW4He!!h0'jquR{߷Nˉ{9؊%˂fE ւժBiwE2"9A4{<~vS\BZ1j @:U$K!(=OÅv YX3J!yMc]w۩hD<<G\*()h5j5=̙uU`K((p""ۇ v/uY>ȵw^턘lG(\C00L ZOMCDj!Hf.I d篨I ʲcLϋc5U}W!΀O ’UKLC -x;m|VEYK} gJQk֦r<@ʚS'&B(ȃ}íQ76˼(! gcy}t~%}Οz伖LWs&_b zV\v'8TWtH>"? u1j0.avrn2,]2 ̈́DW&ޠ^Pc4dq b=#@2{FX<]C sl^u = VSGOQYNֻvNh=%*j{rX) Gxu lzGֈr\,jI`b']%GvUר~H04f6 8 Vh>[~i§U mrHl;Q1WSOK(q:"o!E][~NFLWax:S!?a`E ͳ4F{)=PƧj,8OBF(rsꈧ/8ndͮ]c8@ ؙNyY>o$=:rW"kJ&hL^c|2WMQ +w.Zjƹf~([%|Qo\eoRA%,Sy=Ȧm"L bCK| מ9Ay.udcȗ'FfaU& RIƐڲf3 v iE~/jQ[dw;笟f'Vg~Q:1 $)߿'CpXR7nVi뎚Ӡ,&^-yh5cE$])dT+5Z|}:<8Y<5_(zBWd«J4\QmY|b::yY)2wGKMV9f!gә>͜. xhe `Bb+Pp\ HߞPE6dhEGs*OUco`.tbFǑYFi8sWnK@bZ_B.oO2,MϨz-tLY -rmlP4LvzPfA/e4ۯ2OAg0 ¼˳v" "}Q^ c4`3ٓb}xD̈́ƍCIbgiId^L 2mtjk$e~$qUfK-|'l!㐁Ų2+*9#ٲ*31:B*)lKG.ur_^5OKLE N7dӶK)K2 ^Y[C0 Zѫ:ljx򑪵ޚdL)Z$+,1Xƌs\xH` *ׁ"̉ccS s;<ub9!pUo;p7HJ=vp _L5X|w~h-j}g0l~uZX_{TF( i[JqmnK,/9#e)7 UHROK|;jrLJߗ#7/{A%tm ҜY Zgt~w q7Wv4CϬK<cZΔ@=9OuP`B ,M͉9˜i/ ]׶rtfF F,Xi,. g#7Suی!°NiIlIYi^,e{6cof΍d쒤W w>%h4| JaD9;آ|q=eJ:S4w6ңXuܞY' pC!X;ik.Р;d&W@u> MH3IQP`VX QØ8G0gl#+G^7j[A0TYe(v/8Ql/5"7ɨaQM WvxM-6gQBELֶg.քlA\70%;)ou@?HSw^dL⸞*Xu ssľe > Vgr{~yWL;v۝G;{,~7u&v <iĿ4Ѹ;;kQź{i]JC0hqsE4 muAO=yj>LZ(̜{gs^Reh_F21g@La`XK݁/orIkH w{ƔVY=J=%u:E]}CkOe@XP:ɤ7~ra&PAwGuA#y )K#HB=L|rO-t325\<ďߊ8d+qI"tFJ/9(VXyUK4=p֪[Jgl+!j,Vnp2[5zMCʅP`_lyZcw ӷUP4带 =e$1s}20i%)gZІЛmϡdM">O~؋GlmuQQ^N9 REQҺNBs6db~ d]ESirpq,ӌ)]{;Ju8*:&!{sfR0;m=3#Y$N ,=)+I~T>9W _̖g7dsjK;?b/S kbWZARj½DG[:$|}a\PUۗ-TMQ\0|kէ.HRFym1[cVĆarO ׮a~fGay}v6M=swD:nh*Pb_tD\?hsҫ"ɝ1_0L{ f4U[ PU5>:.߼bCf0k=$rI!]-e-ͼ &B9ивUwaddז,e9/ADppHpzN'҈#Ə1`@RxpX,fu qL<[4"| 8)Ө[ю[Y-{I&c[}nXy P X2лf%]~h,xǺ5w5IB'x#A$47 3&u(/p$A{ 313p c$㌇~+iցSWxDi >898G0lxqohȭ|c;C o$U_"U]֔&YY;|`'21C3 \aR88ʒz@=G 'p@X lgb'B{$O$; DA9<-s"n=Gլ>u ~x@C 4W:(qT+/ #WXʤIRn2}:,jJ2:\\x(ȏBT nqwpvQ ;}!OِGcdG?ui'Y L qvИhB.fIy8TA&j"u)Q%54:BKV, GV5dZy[`޲qA3tpqybaKd:&_S]AL*k!;A޾]1yG ,3n պ*qE. TDpcNʂ\d.0l.ri<fz{z X؜pC61V z,|>xݕYBmADc2+$[!YHwu8*O}^  (v ~)I}ejݎ{9kS2&Rc)׽Y.ػ}+*MI99&V `(~rоґj̥`j7BxsQuhTlG|ZJ _~:DE4èNKF׵ùH0",-$/Ci* vpSTz[=im]JeAʈ0 uYldϳXT#B O (jrtBX/l px>fp-4lHY29(?MW_ݔÂ?>X >XggNX k,k!')/pW1 T_f/jzq//"3#DzƑKvxq8M-,Pc }l[{葽m{Tr%7BqI1F8hP063n!/疆5:~Vx G`=aTg+2QkSjNFI$GVyu[]^0ڜY|LoOOm,{Qx{I1e9 ^" Aulǩ /r#}Ҕ-IUda"Y(sGyCac?^'M5Y&q!E_WOGCWn Kǣ\2}{Zu+ä{ 隞.$8g$9xeS?>wb4\X[@d QJ@ Mn[|sR&nk㲚Qf;tԝ3>' w&{Ǜh)kEx@mކ4՜~ػsq֨sUޑ eY jIykhd%{DhY8[ pYӂYit2Է4XV|ƽY y&-T>K( 44AevrA h>!z@.^e!GY4wqӼwL-эItVhtBo[ Z1'!r8M^\_1ZzH3y2S˰xAy}CW壷f }N׆.eu! [ `qXZvApC }թ'>uqFCo03a_*DZjP/iw8~c/ltsȎbdH$W'Qʛ`tx˒QmN)C__ K5 < W 7*h2D] |91I쒴z%G^|Ls;+Z:TbC^5Gagn[l  *_ H1 )FP_yk#\I߰K̈́rԻt8n}a/І θG=bLUgC7%`IaK)߀ |%I4J A۰4< 7[)vxk}$'wO|$hl](>>ѡzOoA324q&c~ZbڙzdKO/bt&}TLJPnuR]h^^5CijO)]Ю8pϽ5x1K>BI l\KΞ%gF,649Nv# J9QԌ;wB ,9O s[o}weBKt2h&Bj1:;>bŀ>[r?@wX29Q#Ӧܩic|[8l Y椩Duyyiڛ r|/| RrKr{zr5]`e'Eg*A=Ϧ30g\8)b1BF ŖX>MGPie9|vuŭc 8W"_!ƃ D7a= ^nNl:Z>ځV^^{ iŤ#fuj5 YF)~L0=F:9ۦ-AڨNj\8 __%.9G~0cx6R\5^aк-F\~AyP|ٟd;+/y7/6lAN3tBq>j] aCK8<]1-VJ"Y 8Ǫ\ kbOJWD [x'w}')έHLcQ۳GӹlIkhX^EMnfR(5ܚm?.<Ӻ; 3 сh~mD/CayT%kJO< o波 AfDZZdQPJge/1N|0y@-{ 1xwҙ:~% ̇ob?~+P*~!wQ+en7q \))ߙ[Nx42A 8J"c)XBiOR3D_1Qe%$~EQsCǑ$u>mO;H6(, $~t Y ~.H*|Lji1)j.< 4b̌-zBUIpN/) l<2 =|xi3:ixK>z"jW2 /@7OTnZk.+J !XB"%F (AȿRܸ[œzZq1LMX0y x>k*Q"asRTh'Cޯ $ V儶LP3j\I(Gj>6(o\Hr }l/G+ΩxwN=IBO߶ t#B><&f@E.zaMMGHtEV.%+4X@^N|FAZV@h'vЀ1,ty=iHhxbţ@o<;ĉ -y'<z|7mzgg3:S ПL!7b@fĆFwUF'jX~4FuDXŹ.c 1tf3fNM}1k&:_E'xC1vr2&E/Ur55?Q&KvHFd'I?Q?λo9k+` L#bB"w9reyI| sAtfF V~*Md||)Rt ÙuƖ@uvlLne6l_[U=H Mˤ:~"nkd.GHX) h[9oi[,J|EAS)֔TuZFkWR:ngz'j˹|أ+ʣms5hYGÌîʗD!w. [+.1@BK.#:wCbn~gՆ]W fNr ѥЫjnRSA(0_h9 wzBD 8Sc>`s?W7撮 ,`1}_Y iokwX1 NPZV68QpI,Ae^R(K5@C,{ނ(˅&ZEЅꊪs) k su ~;.)ܲ֝\HԄ[I>_[;|qi8W`/a1VJXCs1/ֈ6bg=+B]`H=&Y1ހ"n 5#6DTL$qpPg"B8AۺQ4x'|SZc}nPDvu6W@{s%Ẻn3A:JLv}?~AR7(iȔѤRQI >.9j1ʓqw$ybq۟?Y~*^Wo>V90జ?:lj{ԻZ{0 `jlrW7hٿ;b dG-p$o8c|w#2_c_@Xפg)wRwF) 1I'Uf}"T3u\T5(2A=-1xH;䍁lݭf7\ SI-<3aGSO[7ȗQ"% V%CڱjtHRDsl0ۣ7UcY?[q)w9x5f$}+u?hf[Õx;Z"/fMzԊ}Ҕ= ]vKPa?{Z l/J5d[U8MF?""F3p{FP i(uGTC7L{"֛YSGkI@ K]O8lL:1^_O;Wf!B%dR'X dMxA3[>=mo'PV |i=m?/@J,"wv__ji>DQ5 ꑂ" kC2L;XIU^p -WpUC T Jf LY =J1c꠫"z&e>[N:"!}"YagIdEoyE;!@#ĝd6ui (g4N}ZAbpe{v.@Y.GX&*8mO'^{۷t?eџL hWbbVzZ_xw˵IO$~wï;觢fQ6M\97κY5tbw9lR[(i 5L<*3 P|)mċƌbh2zh됂mb2H BiInGJg E+f[-Toi7/gЛ<~Ԇs`/~\qr#"{.*需.96xft ~.yvUwE8 #5yҲLݗ\nMNd+/6ѭv0j,]/-~0f;`ugAT@QG_q=u,8xrJ\9Y92|7t28T8X }M9û4ʼn JZBbO=gzs M(\E .^i$p ÷[q zmj6p펤rc3Jzl\PBkrR843 J%Vևc9z׉յCe{W$hk43}l$ a* #zHMF8Yf@Qa@vs 6ʺQ+:T8x%O'Ֆ.H^ Z_}hFҩeHqۀ͵>v?J:pR^f";SMϯyrzh'zc-@XN¬@#?1+@wѾC4"y"4NxQآԔvN!\]"b_V̞esDc=hvɈ.\F byd*u#77v͙<~/fe(>tXW\ࢳM4-*YQ v!@"!VmZb~DLȃ[l@VRmX8MRXkD.dو)z6wp/*vQzlA n C=/|I#!,*O$.Z8|`ēmH }jV^3)`:~)uьOɂsQ"k*c n`(p0+y #SYXPC.H+, 7=\LJIM2kLq wqOsNJi=J`li@[xzC:aQ?ReV.%&/?pr*ڦ?Yg4ilG\64Ѫ MɄ[wj>H賎])N *.XWȦQؠL<xMَ;TIo.t,zn_CC -UH-Gu #6_\J_T4a%}s<;ɂ4V<2]TPDo+`J]Ds*>|*^h9nf-b@t˸p ¼!S>b{q~&} Elãk}';VuɩZeN9tPU8[]64\0Y_G>BgZ裁ټ2$mR!}8' w (2M;[N"Mq ɷAy|/LK3Qt~5o\1}> q (_G47rGdvVO _{!~=]r[ =" >6w->UAGV*žt)B߃ڽdǬr]ŇG{w$1Nݼݿ:6z ^c` C/]߅ZcŮvhp8nr vX E%n~#Lc6 d!5ĞgKt*܏'_$ Q=m;[oQaњXΪ.GU[@k7܍z+ t ݮq{I] v\(=Q0e(ƑS9OFP~DYF4f݀#07KnE;xSĵƞ.Oͻ%v9gnDIo04%p06k/ͳb|}c|@)rH4eK "b&nj@Ƥ1R޲y ivL4QĎ߂<[PyW1Ʌ o($4*$m<%\vHf#  K)F؃'XX$bBuGPCw} o&Jċyof#!?ohضs,G, dhk\ ae:.7QQO=.k_Do%L/|Ҿ8 >6+Va ۵ 4%no&a%W5Մe#ʫ-ke`ˬ#qSbzT-a5 h!"wjW 4 ]ʧc-lKTcQ°!K 1HfO:,Gy%ư AZ?:#N̷#/:(E}}s;Ϻ)R|&%iALz ;̗퉻@=Q"IȅH 4k!̑L,!uV&J+2Y|) I*?ƲW K"!e/Qgk6v\QEkLi&siVCߥ4-X$m/PS$Tʬs/=;ʷh&ѫ4 LFQ1VRDP#a9..%n;~I_Z<:)n/PVBBRZ$W7oN+V؞y2vY}`ds$:#μ;.<{lB$Vwg^{׾~]G%}{G ^DML),)}mOؓ?:9gVS4]RTҺĨRi{4ˋ0KR =^GuQ!%bhJlKuy@7SՊXK6ޓkߖ՗h´lLaTMPaoj p`xǚ*hjx< yWl%~]ZWCԚr'6Ȍ(AMmJd)wFd~ %뭎P{(v)PHDDJM/ʝ6UI^%R<ʝkB!OpҀ= sT,X3=%Pj@ z'e$jJϬ} 1|fW> EӚXs)n3 )W6pO\H}LSN} _Y)5Ƨ `^dڝ ~S8Ma4!.֥2xD!?jL[-M>L+|?9%2NȺX4cwf@EUuo78g0X"3QH :B/aRiVa%<!9<bvT;Fym[t<,`/kVBe?8]NӜϾŕ+]ru?􎿆Ԯӏaed)nRMOݯ9,_UAf]2!Sf Q"*4-\陜ibpCȳ0iK4>V1b-Go䉬RB9{Ha#歓M*]'r揂Yy"U;"L*|M'U=|~+2:Q4"&J1J;. B{oc]XB@`̢E b4(!qYyD_&@8ʩ ֔%mj5O8tS85ᥔ^Cuh6uxWaWŪ=ӎΩH9J4%nI,A.ש%xeEVvtÙddϐ&!Wt/}jK7RAfpp8d8뫷r.5G`7i΄K|姟 6 {#lo^d2şXt]>nĠ̻![9ն1Y)̸M+'/ x*B 1>zBMZ3:DԪ('QҔwSˇ-7.jYO@/dƨvύ=~ZjSn)"0A&k+bSKWjܙkkoNVuBXI:~@)m?SLuΞ[6Dj_~!>%30KYWa`̈L!GKDbSfJ2^|Xizo;h|[oDB1z=b'>fxs<&Er J+2P&ǗJ< P3~ƁQtJ',dwCse_mz;_Jg.4%Ǫl+( 'L]`$؊phMk=ZHr!E4b^1HO#d4zmAZ$w K_d])n {3Gjr0"U&3#F49Z4,)T&\b#)eC|bCrrY5Y̾:ɿU|,E$o6\ ?_K -VR4<9,H !nϕŕ_p|mpAjanǝNG<OWpͯvDhzOZ#w(%57.Yk1'hEy,rx?<>zw FdPC'AŹna*n߿r!Qg ?^8#ڒ@ΉpTo+w)E8n L9aY`UGwbD ]ae6՝|AUOd\ڔat L(yF6 7ĭıR!;'c. kc Hm.$]T:MZiC3@=6҃FQO(h\Q œѱʐ)S-Nhn! 3$DjSNl_6b&mO\Sq^ _/ Pv6;*}.Iљ:>.S ޒ6[Ab`M{Ѐ|%pQj8>}=r⪵q1 +.i_;5&/c'u9s.:A )wՉ~kym}k twjq+.ޡTeQ>zG OڍbŸY]7S_T!ϼ\nlXś,26\Y#,!tK:6Ez}kw.w^;`B5[,k:Ztkpr lN&8SUmP?+$<)Tygδtwo~d>&F\̳Ӆ,%Ő)M@cb2=39Gq x _cdJ ]ԹfiɾB"lo9fL< t80s4͔Kh}i^ 7iЄ+WW& 3 RU(.?Q4 xHnz4*f6U\s. r?Ԃ=\"ك4Lf_z'*ooވp؃(9<_nPbC#RAY.>n 9el޸L۞|xXV"b^ XߒWܢ"  Cz$,giWPͲmM{z kmzszGkhG V0BعnlTT[`Otxn{}Jpͽ~ОdxpFv詅PG|PAtSoّoI۴*FHr_qwqm+EW|e &d{UgIf54\[9(.'}[\!}o;9h:q5~dEN@G5S v\UsxUw >η ά,QvL+?_!\Pu})$к>iRAEԪݧzMnzv0I'ܔ{|s.nWY'7c2 *@k^`SyLfn\w.\b>{2?tCiZ6!OÕxwY2Tڂc#fӷ37 1i|O7yA+2KƓA.(&oVۄf?U'e` bq#ŊP' BJWu('|7΃Q%zk=}% w-_ FJ玵DZu"{W!U.AIƝ|UQ1Mq#zoY19 ET NN`*/[GmվR1no~mRG9w D 眡$q]#֥{NKϭT)WaHA∩]ex}Iy,$,9~j2KRav!UiN!dka}vCg<M->ѦА^| ih'}*>}_52HT+)EM(fؐ :y\D4rߊJjx?gnCh1_p%ҩd>8$#SqQ] dʘ@ '`n'PlkԤ$ϰ&m63u %8?-k^?/0!T6Sϯeo`Xkل tjS1:tz /OTQC^ 9z~.إh(\pҚz[hI^~ 1 'rpT))i+DA1@=6J^IsWOsD-ppWAЂaGuڸ/iN($^AH)eXRbƄۻx3L2NebToKHg?Ʊ^:Oƒ?pvZ,G:t)뀥6 G/ r`.z?pDq hf@j8Wi}0m PseM){zh(1O)?z gI݀ :`X>1$ۿQGN)-m8.,BZrԱa^}ZцrԀ!ծeN`4sY#y#?N$jO_T3 ]NV|qSi+l>~~'g$v68R t߅OS׫Ӫ0ڼco[M\?zYj!oO| M*Wk,mTR[ ǥDX`{[`s->sO~b&/? Z(t{עV_t \d f?HOeU٫7 &&L%l "֞ ޘki=G^f`gp$fD:{)d%VkL޺p6qlЧx:h1Fn'/b ڀ$#[Y>VʨqjGEe*Rw )/Hs)|IpPv.:;\wP`1Vn|8"^.k -<؋fI 6Q顬\[zsX6IG!Px~VWI"|fK'U-~<1;=dBM~^bٴ,1#PQ{I*qs٧[jaw PwA9N_ѶdO۠,\"a1Fnkѳ&djQ,wMfPB=8fCic+>rj ttn-e7 ©5N (\L8g Z=D\#^|344?8nN&_8J6½~ۦw}۪58:IaRc"ˉ2i"q X[ٙ=Q||jmRG}T&j+8,F~:!m. ?vl$K:`g+ 2j4r'kr#"CL-g4bKK _-O40z r,= T K (O 36وdXlDՍsIX>ނHò\*ӷe d:cʅ}Bn5HMKiM23b)QMʡ!l<X`F2hKq;XWc繢 ;(k$rm5l~JAn]&$>o"pxLٵe=8mk6O,(Lg$ ^ߧ3Sg.uLB-Ic[PVeGM-Dle:l1.7><.نnP=qb:O8n*marE~vhC.BUg*>JNw-.v7"I!*־@oL6:9e1A)LEUoED%ߓ7H9wꕑL~I|@ HOC#C 1)ܻv"=gb߹!"ǝN/0t5LZ@$i<+lpʩOb sN(~ݯu\kUo\(7O2ޢ*r$)rfOSc5Pbj1'R"V\vYzF.HQ pjWRn\x^҃/@R䋵e?x@3#Lu5](f-kB[S ӻ:x?ln]kJͪ!yi_Y8mA`}hxHP$+Po !:^uw[l|LMhq #[mX i<䳴&=<'̑Vpa.D! Bo= s8 }x Zp rmcLhutQ\|n"Z:[I &u`Sմh*Hd"b)eNfk3Ge9JDQ_L2-ʷtRlFMA4icq:cglJ4(,KK,mLTH0̴㾢v L莄ap45~xIT:(O^ޤկ/5">!=7Wlަh1[xCeHdyh[=J6\Ju?3 v)q veH")>H XKIhj(q$--kR}G/Mm9E~ׂ5+ƙz*b,Z:b*xaa^f=$ɥ/BK=rHT}(gv*"QL|-3XEŢ}vrGͰc0ǎ~\KZ_.]!=[b⫅U igyN3 Nޢ^_qBcX!QA ީ?5C*4L7'G'U!C_2T4oTMR5~Oiwa v!?8mfzAA\fal`ZLB.VcWT.uyO9ͻ쓺R؉l~Al]r&$A,G,s\.E'Œ.9.aC(Uf/lLQT~MB!>2ʾa'v.ȆCZ3~9+uaaoe٣?h7qر'uAnz{2v{8E)Gʹ{@ݺ945mFcz6"/Z| 4_mHEoy/ГEtöfcume )h>>B&üyq>l0n"NK܆\oP:# ˏΞ_.c?m .6"@Z8H&¹ȳJмhՋ8q@dBpyZS4" |yU2׿ridxL׋ ¯L?B MX蒔Q#)0~.!=?JxpVJWB1LZ .ٿP V`IR@1:nVmZ2bc{lJǓWE³i%$#~?HՅ|.#l!/~? ╞xvo SrlDDZ ^τHCmsN%}1xlui$` lA?pO~ިwڍ8F鳣`ѻ'6@E'$kӞzp ԅ֤R.5`ʈ 򷽢6$Qąg e EjPi^)fӷ.H|9H53-Aq5%T38H=6讥k[dǹF>d^{PD|{g;?!2v*%_(nUT"%'6]n.a}Hfݱ "#WD:oƭث+@BxOwɍ`E?Bl T<&˴z:E~hp[C9 zaDe +݂t+XK9 X_6yXN#&¤ /B V*t8'ZDifhkT+>|.?xiPW죇/W`lҙ|!#44F0zI!Yj@0lea5?(OHi|H.V- wbN%!nkqY$G ̔]WAZ4W̍=f2IX89g¿+mӸ>h9T 9q3~CO#j{ySpܷ";aZ|w[j$*p ;Б; kh7q5۶h0 XʜG@}G|5b:ZrXPMn%SM}Eu758*2O(`= ĕ[{0XRaTy#1c599r^ SzkE0(@*pA=G^J>TIM^rg򾽣~I'Jbl߇?kM&p<?8Z_3"c~&mE&O2$ebO?@XC>aTͽusLh]c2p@VVw~؀r?I1wx@c~4o$poe]ESG_Afk%[ªCv;E֘}%*8-}h_ؠDnK(19=}h_M~CU6p8 {9EL֙ymm{kr5V@@JR K KUİg $Ggy &x~E㟠N \)uZ{ QNhHgFhy.HB*Hhds U?'sw\3 p@rL6jHDlPmJCț{ZdYMFZ_UYӢ.lQHќOO1O'= :ҰaM>c qiV3]98Mgt] +7r>w_ohG'D`SlV\c W2/m*y&%oG!1Ɲ~885uٻt*: OCW[H*Xкa'Xuط:"&2-}@ZDU9_wYʚol~.؃i:5S|=u%P7Ui89{*#g?W砝L|fQbLz. 4.d1I@?kHP(O'(nb]O]#t,Po[C)?G|l\%T39VsQϲ`Y>Z$ b-HM er db4mq'jY_4r/a:$Gv`lS)CkHMOU>.4_ [֍r?qƶxSzx+J8d)D dHOi4ޗ"LdsD`"vs\gM3ظ} vט*eг=T1йgxj%)~u4sKk].,]~5q-5~)-kx\G5Y!:'9!?cZpMEzZzİT,^G0Ro E ,9tt'U'vljF,LYCrDag|%vgEzb| (,ʌOXm#OݩpE?Aԅ`kO>"ZA;gG p0b?9ۏ㎎f⃇8L;d\MvTۧLo6-z  IٓՄ^:G :G΍>/sJBn<`T4)r[Aßg"B/5I1h/}<7񈒾|<'iG-fAF>)a+,HCvN^S\+iKEVŰL!f`c 9x0N^ў$?Ke6.X10mYYܻJy`nTqעCqSS|Z6e~۹o+cGlΆ m&L]V E&`}}5!%tOrD#Za41K _zV"] Y}sև牽"z+{lW z~K~[4N/Af  5z:MQ5iߖztDf*g6\ ChǩF,g&јY@ w~_(?8DžyW̬&$ xXMCgR#)Gy'c{]נhU˨>W/- Ȳ F|I\W[6ӈjgCSIRs [g9j;vGeM U|. {MbںΈEZe/Z9@BpʄE,H+}(g8~."gRT'Gh*+Eiz֧2'v1vXp:/g\Us"DӺGa{.U]0uaʆ6+ӬbI24N;E *:}U+_C 7;0=pM L<Yjح2S2`u }&QBʱ߀YAsQ7-3w 'Y~1@zMSg ]\b5mV\גw~<Q,t;xԬz V ϙkŖ4+vL(}\/Ѻ&-  [\s/5 Flv>6}Of TceeDq\g PvtAs;539j/MzG#m[SY ĹH?boSY3u@V3pѸةBoi94$QjN-B1aN2o}#I- ~d(M 1D@13uobIpK4sAֶUYrM%9E&3C© L"]pƗ:Ccss}X#d QAS<g"S{_+79M5B$ sj0t8$dSB(w`u(n&yD͵Ħk=`Hkvℚ@٫#5% 3x7SvSz9?0SΦ/tO)TQRhWV2j('m;n(S>Livp$VA^3/]c: f Hc~A&,XD{؀@;HzVu &, /apwsehEr`q3V IO|'vAl=l c_x_ 9!xRcDMgۏd)+"ʞ d~[]5{Ε<<[WPvQLTTm?24nff(S]Bㆼ2?HIH\ZRp捻ͿE04w1OV9S5jV`gQL#ֲ9DauLjlMDK{)+?(v{͝g :QE' : (3Xe]fnV;G,2ìKJ n˖Fמ"$d Ý- MXiK@J!} K #k3" ?H<#5C^k$hrR ^m@Ho6g拴`O{nrtS} $?Gd3FFt~a]ϵzBjwpWB|hՄ< Ů&TpoҬӨ4L粜n 9~:P˔مwEσM1$ ;y'Ix$̆-垈LO:)b&s#Rn#Xc.)q1b/8c%U#P-R2ڏQ ^BK8Lq[$ /sD9-#d41x..%}Bf#bwUW gF̦Gc9\oƏV rD.|h +DևXO\S|m^; -feD1nՙ~rjҧ܁3ndf1ZOQ,ϩx|ް0s?1m7ۊqGre2pzz PWSx$yBK54GE*zvP z`uLc-Ҋ;vPQ>Z-.-4UőΎrƀ3.\#G+[!ʚkSOkPf=Do@b#5\&]ڂ5~6WkXw!ltg#O+|=w\ZpQlU*žNy㺧CHmyk}/ kt$vK>{:Dz9U] QwOJ9O:ch7 $.XB:_sOX&C #-6a%&'sH⎾5<椼ydهA 9l4!EGϺ@/ygJ|.{˽K :x.вMEb ▛KwQ%z@#-4yt~k}8!q戧eyj\Hs{飴ddL{3dZ/6m(_07J*Z*( dEfi-9XFxd"Q - Ww@) zy-Se.['!5~tG2>}wg^_эؗ]w{ܗ1]50MLkYľP"vjux}F<-t X$j7^[ e<>dhD.D7C8v\7%G6 y9aر. '8/sߑlh#zGm/!+w thKړ`&UjՊch(#ԉ-剦3Z8r[1ԱeB\i7'$iǜFc-dۨ>cĽ{u^vA't"Kػi#Z;2PϡW:}JEJILy5\^PO(DBv$$. kg =2\*P/֏ڴcn{d0>Y1P9/-q#J*G&..@= i꿚}b8q)NxkJK¦T,gm,l,|WUu(1.cΑS `LD 3n{r4qau _FӉˣ@HxT tl=_JJH]drY}0ؓ\$_<`Pc-qj ܀϶4 Z0)B%LC# Mn 9`=<}<&t0mrVex%ݴNC>V2a=jLxߏp$v^I +PbGT"=P ,{sfb^ 勐WZmXS}?B;?㏕kюon"f"OrR /=^ct).Vr_vXW:Qnfj |mج8!A[{Šl!u, l  PL-@y~tEXkm&3!78! Nwsy2Uկ4y><\ITwR /2v/=o'2|nZBa'4EiĠxȷ/க.G ࿆g5ŧfgڧ?աR7gE'ި5ĉM(T4 !uB[ވ+ n nb4V3%T Ww 4{Fk>ĩ%iO7Rhź ̪Q벋lEJ8J]VjcqԿҡ. %* Bfo}4)+YzTi@?B; >Bj']Rv)r뜔͌fF':#neNVҘDr޾p-N=\Balر'R%~"g:Ah'm4H]'q@Ү9zOf(w,z#^Y WW!>6+s򣂄nOl_= VM@!'4>/ֹ6{.qssh}e;f/r[³w̛+0ttTϙ 7µ274N/_$L ֮~KMH7Yg:=$>p"m+q+x0יn8B o-ΕS*__0uѯ%~e\Tc?!kLZnħ\m{'fvtVrFK cηV&;AP7e8 iD}+!1އBDqnQIJ2&*qFB`q$<|C]պ?%K"Y$5$~f6/6}vAmH4E-TkWk[-U\$s9CO$n្k6O>EOmǹW6|2r;ySK.8TCݮ22Ivh5tſм/Ń!c/Ypce5z| \zeL7ޭ'Ȕ7N|oֹ tYLBgM _2ŗgoK7dr^EG:40fݮGB cWhr5E2~H3e,-l4>X=1hpEU:pB+8'b?рakc܌Yᜧ[>)k8}(J4" Z:q8r%Kl,VPJzeY_֯0lpYR<dzpSݵG=> o~$)!m.Q5 fX(L6b@ 5&P]9{*s|Jh*6`q,8 ]Pa[h맞SobmT"y(("CNن,3_rH+:;dCO:1l6% <)I`6(B\2@GBGS«0c< G~ϭÕK*#[]L3!à@{dฬ0 NDEa} v&֦}\o8'؉* t֢G;YFv` 2S9N?tY Hmʸ<"[3zia^ʺLQgN+ FyV0.mY=E}*e"z._o- z%.I/wn+:;W>t-[8y#u6ax秬Kgl_741WfTaߓLQ! N[xMfx^Pw a3ZHaRHT{r$=ÞPI +gl̆@[֒<=MEEIZuq Xdžn%4䠖*ҸA CG, xMΙ#g#phMC>^(Օ_7 hPNuMձtK`O'j5_[13)3#]ٳ"E&ޞ)hbW{!RDI%߷@vv0_D<;._UVvwݤqF@|7ܓbRSA(LfFeJXj6*2J Y{gi F3# fD7pT j?4C2ͷp_u@o1W- %|L}'B! n{ݸ@YAnߗ]2sjע ˤ$c!J7!ZN}j<# -li%m3W@vyH˘  ^Oy<yt [ffjNP\GvFF/Бpx{"jƉGO;|.X>62 k9}; >5ug栚GB[1yeG 壄L9 hM.̲P+e[:}dsPϨl95jp#26e]#Ne%CEj3E LW1lOءx]CQ`6Ѣ`<~Y8g nN^xgY6@''!Y̝f5as+ֲ 5Z^mҚr:C1MaH%o8e.,J˾ƞåj΄a zJ{q \EyJZGEe2FQ|!xG&*DJ _3ER:,q@N*/%b5&FF#^1Tg4ƔΉw*]'JCl7/11>NOb[AϨY SE]CKw܎M+IQa[Bju<2V:]@R+8ʨ9^7t7墔Jr|_v2 %.3 jl Ս+ rjrZ4?/4지h/ȷX'p1ًwBOS(iD nH% Z#5~Fd՚4ܤﯶ#4wD?akID( {7#% orQ9J#gqZAIF B:saJ pl`F%N$66tԜq[ɂwj _v.m_ijhM߆Hd҈F&gNYiVH(9"2Z4iDԞ']/*2Yc Ռ 3mF5{K<꼤B. ImXNjd'GΟ;&uzrT@_9cƭt'(J1E3`1VDb' BHi$Am 2Ћ~ьtFXl i5tcg)lg6'.\HX7M WI?UٻIUǯ// WֈUJ}A=]mU)8m28 xڠ zIi,Yvy׍kcVtC*.A%[4IxvS Jwaq;PJ}R{P Cf~កv>uzjL}ƺRݰGpUP/, ʹe^N&} RƓ62d'1|efqin]  Dh;똩Kzh!+#1Er7p/`"j$/h2m{ M4? L-4WMs _UIWYigH5Y1^/q8X@3D |ԊN 1ͬN'o rjmWNJy;F-Jq y&YhS[-,iz  KfO^mb؇$]!h!B^ϦZv(sA s<^?YQ%5[lbRFM0fN6!׀?K>TG|`I5>oVlt72VJMut_[%G7}l'B,61 jND8'm'!62>TTPw7T( i94rgK-?@^Js/vBs3a"CAmɿ-Ou_kȭWE}"R_6k-9Wpmyx f^ _F.j\gKBJcNpٛ:=l!GuѷtuBSHJHi^U7W=% z90vX߫ dAE&fpmNMtQ8DXzF VvDy`*mYs6 eu1;e;po%TqzqP3c(VZ֗{tDl\Ql1`٫l+Qm}.J*0qI @/%$DD;Iʕ{MaSZB1RŲ `tkjov!8L;w@ϧ?̿y>_rbndM.,)4Jf:C-r6\ 3ޙhBB ѭq|2BnOC-{:o񩍹ݕe B"MLG'ȵJS[2ijk-fŔkn- -W\漏NT AAxk~ӵȜ՛@\iWmJg#g6 ܳc6wYWh Y$ɿ3L`||DH=/TJXKlBnO(J:w'q@\Vgm,o _YgBhxxuNaI00/}psͻ`Of:w+0E?=I+^N͍$i=^_24S!s۪<<"u@ xUc۶ه}T)bKwt:9{{7$\Fؠ@h\a8%mޓ!gAu~ɝo ZL֚o7 c),dnr:k $>h͙ =h!&]h(,Uc |fB;{o/_i -w59iu".!>!#,5YP(z3e}QY2[Ɓ% IY8 AٱktZ"b+U ')6wtn$NbsXQY9[X2.2$6kTFt0OU;F{;27զ[~ra?C1IfCi[%KU27V@xt,T_GOYܮ9oULw*X]T/~I;pP{=+䥴] Pp V_N JyNEO 1umxs f;.{֪a#v-t"{O`9LdAhk(N^'@N]k~M?/~X ך.u)O J R̪ו^)>vv_Ύ1 yr9bSuH¸]zH[π* I(َxB +cK#xV f~a^n =x$/ "ٟNoX¸i&Z3 .'6Dz#r6P@c'C'C!-Ǐ#Aͥ%Z>L\ + $3TN3]~)IPO W/$ǩyj;>Byx<e{ceVA6F\1\ gŬh PH؛BGDk$F1%@EG3^ÆEŶGV,D(m O|-˟κ2rBﲫ_(JH@A?X" ?Eak 5! jpqR+S>XC &ˋV $rQG!˒ƕw<ِ"i/Wqh%[}ݐaC+[ܤMN4c٢B@2uuH+mLq~Uܮv g9P`dQǗ(Q .rʊ_#*Ar}n?Q gݒ SL<5 kDE YW]Go><_{'Kg|kӆ-~]} 7c=,ljS1c/<2Euğ WKO+#(bBuێ+G9_gsjTkDHц/r6ӓk9ICNBsOɚ@ǻ7m$deb\dK} :g r ,vmoGvKuNm"[Oc3{{7ѭeF'_m R _`})@뾇kT/|{<~v"sm;3+58ViEËVB%mDM cA˅ -XTE%lL۹xSJY;Az%: kx `>ۼ z M!q01Cjgq9XptHl  F_2{t`C;_-,Yם:e5#׊ܹ@M綤КL y<0HD_b/@H")'Y.h_DIohJFI6X\Cּ' IZNVBbdd@IM-Uv6Xt?M}3GFT֮oiC;u C'NX}ּt3QRqo#m`98uV0ͷ$uFH z#Öu!*қI4Qs;3,L/G"ğfVRYc` g{o#/O107zʚH})HS8R 9=]y 3Eڒ܎5 /֤Bem ! 6]!j"Я9UٝIpfk ّ6FHX2nSp:p 퓝N.hba7#ɘ2f@®)>ʯ+3^c<\w]u˃l43CT]\g2<ލ+ֆ :Jp)Kg % r9Y${WЂ?>$X6x=SKl*Tef7$_TtwYlA~1;Q7 v8y.G4|v3׭ tLzTv~JU;%P>f`Oz7 L- &͝S`La5~(I_A% )+F5[{rJDtC6 ;˾'w@}1<[5RpIQ`ULgznU}u X)ƷgI|$8Z2y$N۩ #v-Zw iii]U O[kxqP@LxNzWl_W0;{2Ɒ3#>?OT6ց([ F蔅Xo}49g nI <²nT_#̋jdS_2e׼|iێ{7`S"x$oaٵ lej>WC ֎>gq|K-$F BD,x(1KwblL J_'`\wxT- TpaSl]h)Qұ  fqZ IrfVrGgNVk LGo&N05KFFH8<6=O,H-,ἶ〜vT? )YRYe'Qг^ {;2s_oJ Eϗ#fkk?iKˇЮ#Tj&X%hذ.)zj3?!+jkۈ\4&`903yQ5UΥ^n{0{fm9T5|; uH9+oJ e2ͦ2v#aL(qDab|`SJ(M5( }^8wGywO/ k&?HIVuu~ B/W,.0Jdѽ9QP&(tZX,! eoV3ݞ}6#C̴1^d*cZ5/Nuwʣ%SkT±w +_Y43 K7էkzupcVse B"LuqѥxfX~a?5 &h+G5߈3gB֕f?MrMxoĢ4spqe ^1G9%$vmEgF[財'&Wau~T䬙 S3\P@ȸqI|uT;R :8'O1 zﴘDD>J@:!*M`gѩ(fn4r` ȫ>܀)dZ3흄N18`nH'k 0n2.ϮQrY`"ZswSԂD[LgԌ\&JۏH t(x7PDjU~KrY M?촬#ț/gl 6>%N1maiJosqF-r 7/RѾ9 ,xBT>zd0}wط"dE3hG#@&bOb05(M߿CXԌÎ0B a k[˷Rtѫf_Wx }!k)%?+k@+ *;c E*bt>j9ՌT{wW*uY$D)o'~AaCw~nwIò<>w/~(?0a%hGߧ4Iww S;OdEVYdW\Bmv $K0 AUn`~Co%;)C\>#9KZyYG PQEQ|PAX-0Q% &Xg[RE/]elkUI{-(`H ̘Ч XM}]e1دԃ6G^I}ׯ+=HgsgL3_7a4s$Rh[Q vs%gjmh(޵!ƧtBz*nyw,PK8x[CjrLC"16y3Vm !pe(EW0`H'ٙX?+XX]4܇ sjM['N= A"NoPa&2xK ( ؇(:D)wd;"9!tMGD 8fW 9dUGyCQ}|%=}t>* [kB=PkSNx&T864}x"⚾2y|rj׹o̷zw*D27r@dߟnٮNzOS%unn[d.<'Svz=̘_j_ajxp)RlB5 #qnZ.*[D+};X2'Gje;,| 1K;,g#G(9@"ɀѡIGvcrn%g''\l6~+dGAt9찝I$5lϧC%.wYuRqz%4 ʄ,hM6 vx:lTkg0 0fNVŏ%( ̡m]`0;ґ~q| s9Q ^RʸA *|_HUn9N~>[UY,:zqӋer_&'vtR_SHO]kgo@Y!BW^ݨb19i 2D[x*mXUr$aH ~6,+m+1X죂x[BLBQN)^:S 19nK%#֡yWw4a8dȷbA@X20 ([O9[; [O>2bZtl&OEZ1E~>B9W*t_EHYΒtZ 䏖 i@9cu3 +sMOX:SbgQRB߱1`Mӿya ȴk ofT 5u񄷷ݷI[^y<-aawfSÐf$Pp۷WYvF4=sbhAdBZ9\JowKɉÞpZ{MiNjRݺeGr|>tZ=p_3xݕ /g.%4q/=5qq]c?9d+T xyR =Je:붋{V;RL}<1Yy_#zT=ԣdyȺ9XƲS6#XRҹHǶx:p$;rxv:Xu~k {@'osjs5GV8$ۺ*;vv:' BƒJaWWwC&/Bd 叒{4LڐH;L\[ژpL5%A7I6-8;$UX6f }J r&r3ŕ@Stюo(`cw Pa>4RML~W~jQ{~b.5= {@Rźa鞑zz]<)Z2Pz/O9OXO oZkުօJ~Z3͵=IS7ݜt-yݙF߁6+af$t'mo&ʞR#׸ ^o?Н}`̞Ne!?+p 8&yʂ늣"$qHQ79i%jT܉9~ԙIj#{ͫ7B.REE(`I>F,AhY(AjFEt)b||2u E3՚C\U l2^%|x_!Z51xV- L-Ɵ{.^w+􆫣`:}ۏͬƔ"&e`˿ Tp#jhcG\J nAZ۠tAzGfԅ˅nGݙ/lF?'Z/sE5{aE=N[+ 8 {r G~l=ǂؐ(> ʊ,s~Fb湣,c,st;^' SUH 58lX%6n:%!v]# awٯeTUȕ;oo\}I۷6;|5X Y+Uc]u:l'Aw7V_R[]tnm#g@`Q#1n5=3D%fѫÍ۠DU ÓƳ<#{/S $`!Ґ0,t5it$ENbE:tn vӴ1CNed򚟡ۄ Zէ\{+M.aU \9KrZK~El8-m.+Gio\ `y94)9ejOmqJ5'G:" A+'D&x@"_s*t#t| 2 ]ёvw7|!6 w*py=I˪Ɵ2FwePpDfJ2A>q)|S j5Ï QI@ 0VN5&V i)'HeO| -S $}p=Y|+z]`E6J&tK H(uvrCc㱝<=Y'p؈?dxs9 Wư˻/{Dzəd~^*ߵ!75ֱqf/U'H_oջcX 내\ I. p#d*A) E13mJ ۹sʎ+&1ؘ3)o^^$ Vau5{p4A(GaQ~|pCkdlVg-xYt:-fnqg)ѝ aJ+JB-\z`D ]ؖR@9:8oqxʿ^ b۠z+M|pw ݮ!MbW~m%iܭd<x;s`Sʶ~[9N :# c=ZUq\hjX-ٿ8#D?WESrzHo䆠 U-؟.d֙eaӕtW"5.0Kr5&1KC$qh<6t4K+qmQт#Q8lg|x6 |Wͷ"Ǧ3(yK~T:N:<:Z'Q>s_|>iʄ$2G#vF|I{ r\IWǿu׽ H̅XtjVӥ=DAk,=AMB$HJn+.lGȘ/] ٥8Rݒħ_aT΄C>S a=S@4Y&P u={wBGek &wxj8Ah]Rкd;TWj3l+BHWA/xQ7"DKioL(Wv#] 7er BiœZYcsu KA6 BӹUOKJFA6vB3U@8#`ŞE)/82С.M)M@a:O!W|!0\E`ǘeuM9ECA]_atQ\HG -&k۲ڮLĪ;i~|Cx'+'y1Nӟos&/X§m*|+dFt[v*sKt7>& OG4tMD{VHD/LBqc.+v@{O'=hS usyDs(Op.P(2J"9{h?ThfhET{` u&哽x28D̻t>1ʌd 6QB2 Q7;%jqc΄W0j81g嗃MJ@6\4qA7ta=|)UUa-?!H Rn+"*y(' F`yw݋j4z z~K0ڟ`+P8` ̈)5G=\Iq&N=].<7{0,<䮦yhxK;E{x̼R+a 24u@_y;l.Tj_8[vRsB_aX2ji,q2*UWœzfK) m Ҕ׊~ХV~,M+|aZq&RCM#cs׵(2qOfq~8AحwD蠎lW iF9-V\MB͏(J*-Ķ߮0_{8$fo)Tk<u#4[;Pr$*x}Dž:.ݖ~{rS)<Z4@X00`'͘/VTCD*Vؘ^`4+Ť3,:`Aq%bb|[K/tLM<7T`}QEI^*⺒j*>ٻvYϰTe]_6ikBݴ9 lO^| ,?4 &E=R^@2d`u>5.׬ )\ȆZy"hs!L4_ _-ˣqƒNIze̋Iaul4=R!ܗt{,Sl6|zPX1͘noyCT0\Pb.ufN*L7ͺB|K>6r |1dY#2zw$5xhF#yB)q@%ui҅a玘gCIVI- ]?jDU>w-7 ,yUwM8DLc*r?2^M/1گ4 f,=&9NG֑#: u$-J|a4M<)%c({.,>^`ؼH ]I1$!O EYO׵)45O@kd'E+Fj( 9 <"qgNw zĦ/}ԁѱ@Wl2D j)kublN,3#>ys ֒% %[#@-Y za2s3 @ PR J׺G>z=]pRG$=PR7Q1c׳J"%(l4|. .q <5ngcb~Y*Vf6Ҳ4qAX*tzQ8yF1zCہ,a0 vBl=/~@Yh#t}Zy9` ]]2 zT6d,  !"'}mlӴJڿ ;>(^T4ӘQD&#j2VɈ@*`uͤqKʆCmΛTVW˼oYï|SO:|1Vj$_Z {kb#AV<*{m:=`O5$=;5t9xtRzywhN(@48G͊9Vhm%%V[ļYD YC{`>ݥC{7EL%$MZ%uvzʂԉO'PJ.2 Yi36iΥ9:S!8Vl=$4%51XW6~s /(|vs.[q$}ɘp.ύl7SiD'j$ 4=lSڅaO1;g͝ NAWIǺU~|1wPʓO SOc]y,Us — ?J.[R/vuU񝵸'_GۡbfWd g+TlrP*6ߖ-$BCP((vq|b8+ZY# /X^i Z6S|ݶ.kmawΰW?oI镅=6e>8 }eTټnxǿFR Sxd:|qXl7Ik(=V) "R)S=0\ܢlʜ}z@p_@ C~E! >L8M\k ;LLHcB_zbM栧~ Bʉ`b8E>r2; !B e(f죋.hhUǨEYc^k5޿R̈́}3m@7cDDoѥuk*['5wUL)A3FjZRy5'ќxCS@sΝ$kF$4V]3 b40Zc Ȕ Hh Rz]N? N]Ce <1l#4vamNVzazsB׋e_XԛL k"GBt `7χ}D\(@1bX4>NN L'cal3piZ%]Oe;̂8/1I6qxh=5l#ew~}6\Fб:A[//"|uThγ#v1g 3[/1֌T#饏N/3q``o#i*P["PN x'H @0ڙ"r < ~@Ħ cX7ĉ6)K*usT4xӁm bלrnj^rcQ~oa0&dW۟wYVj+ -sxP r6U. oxѳXDL]+@oD18 Oж?HL)҇geaW^(2pfcQ])3Wު<ںj~:{>hP0Pf@Ez㓶>^0殎6.g߭JVp{J3k0$D{ @:E]ˀc G<|f+}WHW>\r[285Ng>-@/ ,YNU[T>@D2D \0.kǛD3$3TGϺR{aH}چ6'К<.פGީ x@q$]ߗfÈNzG%_WmDbb2R ٷ^yˈ(٭ެ"2H{mH[{ߊj+ }sMlmx 5aYcaS~f 9+@Z-ǩ_; ʉ#Q̗*Вg  }ْ5L\m#N4~- ;'bI_Ye9ݿfKHUMO}5!#*M~n,J:%pklu[)ezx-zqxQ{$d@*BUb]- #,EhUؗ[+'ыm!wIh{G58Y}ϕ#%LgHYP МF'>*egY^臭Ly~L RK(hĞ7ÇĿyb{reڸ:Ttod4 1)|9HOכ_(FVSAX?ɕ|w[֕O@3D`aqS#N b71`q AS }p,qqϸaƇFdCn[LSWK휟~~Gp;pMO1ȍ Qz&㴝U/#%5a <}ʆ[3AcK_.*z sLTo IGT0wwBoԊ*]]CǢ -n7pdF~wPwTUQR,S:֑9u:ŋ3/.-p^dOÓc]^f\dr&=L]|%3S⑵40mO =I>P6AFa fUdHMx0o/C,bdnz0N<;UZS[QjZ 2jxcI xEޡY@!VAK@vJ1֢ e_ K ˊE0w}.y+ou Ԩ^3i~A@+l 98'~:_y/Ew.Ea׬v~n+X ƒRq,cCbN0M0$Zꨘ+8E$88ptB(!!J993>xQW>߹x,^X,P}xk%EAhiY) yc=CEȭmLhID&G02N(;x0MtDF+) op8'ՎaI 앭P` 2S&߃27q1*0QM_xŬJq\5S9cTnfk<+@<Vq-@;SL:SUr:"J%u¼B6n dKeԪLkq1\}źz܆Ss`C֘mHC^,-i}'h3}Y(+1׸aͪ>WO*|)Th N=s?_jZT |M9ݙ`OXʢm`Q=AxCTX~JkV{g]I"䵳ـ fN6q@-oS&ӄ9> G>c.“V2s~D"ZVuCR& ,ޏ'{TlӪw\aĿ0WpT=_4MY pPD[}=\B&~h/"P=Smu#sgi5˻xUUIQU\廽foA.4ܣAc g3|o8ϕ8ИSii/3xTěF. aSPY/^ĴGnVvJ$0QJk#0ߨy,mΙ40#ܧuIڲP)rctG +vewZaoSgQhd'TnF~+R2&FHwA!֓>V0^=ˌ@q12 cb4̽U9PҼlz_9 w(+DxAYE^-$XoກȒ< m +^ _qIo: ZeG݆g<5m% (x/5>,̃\W0Cg zleR'Q_0j.TsJ-5ex1JA0\V@p]2v`xg8ۜrHEI"$6pJa\6bS~݅b&wq"_ l#)>aCS()tԢ"?t?ѓ>SjLTTm="'Um:)VBSYa[8։c`jxO[y3-鞊|ၑ&fINd[ -uci'W z \|he?gB]ƶ6+)PW\5e %JF\ÜRҠ ucspLagwn٢G?]V&}R(YM[ T3x3f?p/(-~=\;c3wRߝQ.]ĵp0U}eKv9Ҁ4/6yNC½vu܏zĄ ]f5RiS^i<_2)D3k~Ti9<:BqWeK`CQM9F&+] 2~,C1V/R¨6I1M|?y3D M-3ťWr# ^JaiǺ q|gHnZlE]dUu _Xz7ěx׿HJTe9ee/y6gYVFP FHZ14bi2fM:c}qZ;v۠Otz7nyǪȷxvI;4BIx6A}iw fSOͽ'/p$u/? 7D18x4Yx}fiWfic[*vJ9A3Ue??;bDH Hg!Yp;{ݯXO$tAUlU{=|ǗUVtI][g6?lAy058rhub]QAϢ7Nom'ax P%֠'MMQԛAh|ō^IP:~4]r+3~劝n'@ LY.U-H*dͦYSg :}6. OfvEx۩hyQ+c"S].|,[k 0w]msC V8P^yRdJ!g{?v㳔ʓծ+vXM8ykZ`ۣvC>-|O91ȴ>s1HjB>eV+BK#hLXX Ř A$oٷe&షu36;/>VĂm|Qy`vJ c y'xV#w[vzQc_lB?͇ F/:M@3O]yވOR=[!iXt\ ԧN"7Z(4hv>ܜ֢[n$l؇IbO- +7r,u!'d `T~h'4)Y"$`Me;!:E/r , αnɜ%oDAJbOX復u-ˑ&îPg8ƹk*kU+6y1t783$'j7] &@:|3@ Nn}pTztq ڨ]> ٹ~5p0 2'v{DeTF8T e4,Y&8D{ I? 3;C–.`)s؀M3d޵cPDEy f~@Ji38$p4VW4EG*PJUuT 'S[]%.gO\l߀2xF7ʚ rR.)ӤBI!gz^MA1[[A>`k2emk^i//Ѭ*ٿ3BgK/Pa$ ?ݻJ5CO~a_ 1[M'\)=t;.5γM] +] ]s~^Z{ȹjE%u4*h5㝸Y <3%ەl+1hBU蒊 T>̼;:Ll/"mҺ38[?ʹێ C/_U#s^ú6E^OeR쬁[J]O @M&8f4ॶجߏ!#)Wh?P#sEhAVąkaO+m}9noS`N'? )mFh6Ҕ {X?&y-e+ׂr<|A]Zܹ`OJhep}VSrmso]@5+uڌ[l1dBB| J^_#X/q !yM5 Oo$ Ƣ,| ;]4)lvZ7 Ql=X{ vTHF1Lu𓘇y s1Ju25eWBW<"JQq#*aR^v8l$?d{&뀰 SF 8sofL-r%"B*HaÃPc"YN]C:B.JQBX:a*LXfPLm*©PEto&7û5=;BO-BWmr@gĆatf(ÏƜ60%xe\IM]0DS5mC'e/Lj?(s֖yhq,D\ s:,BjQ pv\]gJThɆ{A^r(u6ُbθ{b -](bB6RHV? N hƒyRJH~b^ш,o^殤@nvF?ߑhri/^<EZdUdpZ48d%:0LjdT_6k/֫4Wl*v@E[JCt;4!jr(EBW)vM,$kgAAXqkͻm7 oQ-r[4Iqˌol<(3n#n w$'د \Tv/@[4[bnBjnj*C$_>C-Z5?z:Ezg4@Ptg.k {  )~:9]@8yV9׬Ge?oE(i]TʲU]9<DŽ"-b$Tp !`$ΨRt4MD!dM剣 =[Ez (/7+!-}zϓ,*3~z\h4yVq~{I~ 5`@!ʪ 8?D)EX`݌=pF];[jå?o|-EY!ؿb`WxLoI8͖Jp! '$73Z%܋yOpʟGt<pW󫶖2wP&3!6IGŃ~%3Tvqcp߾=PCMT,moj=,y>SR,zK  7D5dk*Ud3R/[?PFe:TYfﱷ<U%{ &<(meMgm!&ج)zHX۫NCܒ&_O$@j赡y ڞ+m : ^'Q퐙9H @+bkS\ѲrW;?bscHqDbTQ*R>LCS`3>_ؼ, }NT}/vMg[ꥑÆVn< EgC @# Lm1 ཁu ko ]Of?|"OgpS:KO:@ :߲.z5b1Ӆj]D] Ds/TUӽ͊}FIE +HH~>HY认5 ɣXI713_R?Jm' ,o{3omqRsg]1[hl'&GCMxTM-WJ.隔.y/WV@8+t >[yX Eӏ i"d ` P裍7@}JKǽh8FUן*s4{2+8|J*cxJd`(f9#"t P"HRE+~pݯBS0%P&UҼOO*q$+# >#6ox<>Gd+aEGjW̢Q' {9L^.mDLё=!QrH x577 <̏ǨQ S!$u+,0 st=*^hWS̿J`>$S-:fr/ rn\c/LXFr;\>]yўʘšW .Tf@< x<}GXyO&6{r7#ܩCy]0 =5vY7ovW[Qj|IXw/di:%O $`p}BwǠ64yn*a:Gq4n9VNT=@4xYlbG8*dkC VY7 u5y#x &e?b~p^ zߪ"}Hskk mtL.y/ }Adw`P\]5jAH--w_ !&"kbF._ǟ M~MxKL"_$F|KM3EڈH̅oQ0&ظ;J9P1WSh\ifҁ\Wvpafe-sYlym{R5~d!?"W[ѸĐdٍGq?NpY'YuU E$뚘ÐO?9Ʉ4^S/"w3FM\غ<"[JduЩJ%%/Y5`@`y44PZQU21M{l=`2g&\c.ۙ&[l]QJGY|W>~xxiqCRT'ˏ}R6mFGdoݢB3xmq$r~_ov9l HC"(%[=&\b;JWzv[r4۴4PVG;\Yf2.JlWcvFAC0n,Go0|ʯ(R'Akt´/GcuqAgK%Zq-3&\.)eU[f"e-b(FwEZZzlWńd1O[{Ŏ6ej- W%&QkւS+}C.kX7#-dlcKȔDҡ:uژ`k @ZfQCjƨ)kNۋ㨺6v W{W:-$rx72ۜdbbPn\U.ޭ=?EiV\ э" *eEK0%Q¨zL cb>չAM0 5mw n'}'+J,!#Em- մ P9&5Dtlx= 6 ׁ.hClJ *ĵ(fzryTtؚQ Iioޔ=;|7 K8o0Xe8>jegBi׬忤ǔ0N]0ȿ4Vg6|ꤜ)R LհP-4<(km<&Fcys?P~V#.r9ć~YܭQ="P՛eg[>c6wQ[IHTQJ0tgoyr/ osI*v" qrl X1W ޼,US:@6i; BR67c.#u=0EKGȕ8KR"N8$ϫ{į^+F,׃V^Vkۍ3$-/D8ρ 6'o@~^ L5z0vոypM_jaa\Nt] t#Yդ=ͅ0?}|O,٫){auޱ_MC^X,VxCi0ed-:ӊm? Sk{{3Rf֖“KaqЌ1PQ?U hbi?=| V8f#`e' j 3ln?kO1":=Fu <^^ xE:r|J}eqʆ+XPQSidiX[ 4aFHs-WrF-j%&rI6TvGuLZ`(hmb`EԃP0I&я:pw呎? OmJ[kk9\XF2rM'Xq'co_?$ME}xd\uch^}fo GݿԠ$\I/i%h7ش/I110P韶va5" bt0v$hz\sŒkj0"A㜍|z袶kxFauMȉ? ީL*jL΍%}2worAPWx߸nvRpyXVU2!A︒2GyE|-sFwnOjAlɘىI ]8\>J]`ޚ yI5 (U(R>A$NZp0,l^bTIjd߻bC#K#ڷ+Af ܙ75v[jz0 gz,1&t2KÍ#kPDr(m9G{AU_<ݔssYHMU yUq.v r!`¸{0ݢt[H𴗎3}kp=Y| j\Fh6*7_3Q44@MwekeӣC!ll\3w\ !S~GE_ûxnl.jȤI;8CZn*_ \v3WQ]mЭ7hRCv{R7MG{#&$Af6ax"sQWg}G"Uu;KxGMMbl8̺Yc!R@LDKI.%҃آxfFԏ?|ǹP{P44B2~ /55;lߤV, oL:˜? yag|WAg0+pI.Ӧ ɓ^KaMkEVyߛ ؟~6r|"-%lq5L[O5OfhMHO~\ n-,7d\(?cHtavPY eJwod~x:I\(@wr0]5I+8I 2 vZS' ȒBqI'PHi/uy]y(kj>I$ӧ{r! L[ .>&Q̷,ىh7W,T)Fw$`ҫz9%.͸(CT}7N7jfbPNEubңSAEdeJzz vR ̥t:oi{ڃJZϰ;Lw@y0Z<2u L9Dhi70DϙKj&i|y'#;(J%7}nF),j6kc*f͌D3|܃5j*=O8t<:UKOkW\@gcALE&-z ڽO|ӻc#MLޠΡKA?hrťO 9E@XQ _y0(?V."JmQOL\Js4BɸmjO ⸃*[Fi<7h?Սx]C"Gs@m(B44"f͏vţ @X3Dc+F{7~5lŀpǾC:p.[eT> =N~x J5L2UM4TmyyhϽI[_0bpds:3ɕŕo#OZT:r0hYnVq=NŨL|tNJӏG&3aT'w%#n",Gf觥kԍhJTAr/m$I}R}Tvj,t"M! #K{\'Sahf> R>#ȸ r}Mb1\CILDu^m lIxK pS¥)!4\4)|븓)@d^w}Sh"}.VT[? SxES_\|\ȁ{73kXEeE*"%HBh=8>٘J;^0t$_c 낤gL}2v&|~}s8$UFe dt7c0}>ֺHP}@+)P L4ɊZF{f;1"G mCGuF,vӯ %0**sN ~`rS&UXsQ=Z״(kd.VYȚo~F+HldN.:b Z)nfM۞mlja72dR5IWkYE\HmN`7(s|$/f) L8tg}ku\*L 2д~l ;&v$Z )C|䥶hQч qOB++GShkFI$&oɬ"ċاF=9OdZ7nC/@9E(%2?n`&&CS5^J0 r= Τ |8a^pzZ=Sおh@|w51>*c@ -ձ6>5ԧafP";K9D.?22^F_*2h 2E?YF*Kykp5sd@7NB33JeOg%`uj;"ZnIgs`b"2,Xnr\5S.*2.𨗣|ځN=?`S8(iv]#Y"Nc`qSt$GQpJ%2ETC@E\ԃߦ0/gcQڏwA Ja?&hS{_T 6Lhn3p VvO6O5q*% trj#Dn$r7T@J%}e6}8+x_vQbnm2S2~fSEi<渖oi!> f,\Ym%;oKK&Ba ABr;uWZX)=_shbQ޺V!.QNߠY!۰o$<XBA_glrq,hv kŹQ,hߗi"tއ@A|_瀡+(u" 񶰊cEQagU2A/ )~q_Nh=x/iMeL^[|ዿd/B<Rh[)K"Z?y@:_Y\nIPzWL)>FgX ̘Ed9CE P}*M*0N}YwI)ƸTR7~H3uy&^^jط 3\t"aN.J=s~H߁/'d}_Nd=o -vDS ~>i_iJr0T;œP1 TM:-cZNv}Htє!3;!7QT|FNEMY ʐA{=O/: x1'@qD>$[?~tpd22oWwɉru4]K`~ {p9Jw+g~ךܜ(P-f}}9 '\,qE6d|(R `ud3"1!2#3LA`e6:EZUTb-&ky<^oҎgЋ!eq3R"p0y%x-9K^(6_{pǗok.)A;\wzB2ղ7imP-]q% ̫~AMSh_!bEqgϥ,NP r.}L镏 rh6=WcJl^{7Ff-WNm݊.R&IIE2=>=s{P}fLJ h36qъoݭ2qɓC݉A,X p47boFsv$Qsya]#bbt6 ]'T)؟uOmXF;:=.Q֕_B?NVm)M [5"wr;q۸/1ݟ` lԩж%5I̍MFߘN64 ].WJ-鞖{գp.`% HPݹ X3,XT zFwpZ#PhfK:5 X)wVBwT2!vcЁriL~cǨxOfVuXdm}HTJܭ$]dd4`ězBPz+[1-)mvx(pogl2klpS% g5+} v MtqS̨TneNFыM]-|Z"vdDOܥR8(sx2ҖZ"m'I{+u|Bd+jq=֓Fo78;@^툍M(XdIlf$3hKRa~}̻Î?L?_`~*s.{|=dYiQJ,i!qb- 3t{sZt#Ҧ cl/hcuĉQ>1͌K0pgCisb xH^!D<-șa( o3U+ 8˽T:NR][ް4W<@\ӋUZbXWbwSoVY8iA139|sNM%\[cLR<ZZ^O#{ڶq )ZFE4&#xME:EYvIjי.17˄l<(!ҍ Ozֆfkmm/gU;(tuŸ;X5H~9(BkG |$*r=[x } !A_8}/`,T^P97471n/[ˠe荶hhE.eqZ^ܡmoUܶ? ehGL2)Lqx"*Ju3!,=)0K'n@&6tN"ޅ{jl ^xB䁄YN2Ҷ ϸ,^".ͽbRirld|2}/DLu۴–)-bӭ"Xrt`p@~Q <ud&A0CX_\Rp`Iam$&U̅rS΁zK$N[ b?En`k_qExμjŽi|:^7kA,"P;p5M#^`OmeYb5AZ_@無0q ɗp|^cԸb7lz˦@p0dhO$`N~ìhPȁ*xbfX꿈jZM>ŗe@M3az|+q[ T|7=;p`fPo^0En++Q`(p,m3Ս\(_% ~mtTSΦX:Yo/ kTIJ̔M6ßKf*#jsxt**or]A>T h%irY~;F$N|%$} S 6B@-}-#~C(s:e*hlqQ5/7ߗttSf#wٷd;~StUHbD.HI4|{fwPycqC)60K$ tm \̫b|Jn`#O.+f^ e:E4B~{C6%1ͬj tx]o?0yʜc(rDZynt_06][-N(7t~%EVڂx̠ͨ_(2W?:l}:9:NOhL6Vk{|vE"(ā0"qV|@'fYm0;T+!('A%5\b5Q12A^lԥ`g>;b?]Woeh?x$ iE5} m'BKB0f*} ח6fo"AG/4?㌑P-f_'J脷pa׹'=b`#OcESܪ{DU ץ{-b :#c,L5i l dÿ:Jr5zT}C 5f\Uվ%IM#Ef~\VP,8n:@ JZ$fͯp|w7 7UY"UUwlnU-eooik~fPi&8FG}OP$JmOW-5!t@H$9FJ534lYHs׺3L$@ZA9<7,~7Nt{=0[#H=m> m-![*PC<8Om>(]KUntr Jq^`+(6dPdH=5ޑN*'[Y' j"oao:uPy-.q[g Eھ7xE ,^GxǐYbӎI*?<Ô+nMq˃Ӵ`?aX\Ae)tNnjuUN/>]FF^\& ;[Ud-|Ϧ(HU,/6 eP!F 0#S,m/)3RdMJ6?Qȓ9n BԐJ ܶ4-6U0 @L?h n8QZdقu9\M`5E!8DHO*k*ax* mOTdbk$؉pUHE-4_!أGHmą^ci`֘+\ ] "I8pI/G"Uv'E {2< y*_`@vLUϭ%ōq$q(P -q2zpo5 ]ّ#+l`1U"!#.nJi>B};$aEc$̛S=(qRYr1ȈMgT |4dUW<{N&H"'/RN;+,7+X9cVDR49'9!kjKtBLr&qChknbC b60a$avNTfsa"&|4G}wE +\p~ xDWF}?/炦ys\W~ F+XMvN4iP kNGJf`j%h9"LBLنcm~4:->[m:#k8gh"b7PӅY%Qr[(F"fm1*DK`@>h/6̡hX&!؝hQDS[muϭמ?b9xX' K"bZ<~3#mrwN80k89+a蚈ـQLȔ<6V Zk|𪴸KO E\uV(QJg2ߋ bkWe74)y+Ҡ·9KQYsX͉diaӳI/DleACI!RME}#h(7ka0:җyͿڥ}<◍v 88G'%w,sLg"Uy`dO nn^Zj]DN κ?;t{)1s3C1=/ҙT{GDpc$44~mǸioJ$b 1y*vg iu:MR? o#N+dX3 u\C\qe72Mx?RǹǁΆ05y Wx}jM$g;W$N_@xBixzZRsdxn.=Fjls zyR -[VXʀQ#8sR0bMFҳ߀uFi+xD "t9~,$:2F*/S+:2b}r8 ~ZmScJ#\ˊR͐+("k#'%lI팈Gc@7_p%*Xd+]}! oQf1i$5a1w=P㼸Q<àsuL;ҁ;J2aq󪕠nnI,V)w&3̐8Fz@/URPU\A5\?"L& nJS  vxtN&]L'!s<<[d]UU^ _J>1̤\|C2g*+X!$"PuGv|₢€ﰮ|BhUZ{g$|Y1}!f f /͇TD bC[bEX{<@9v4 a R1lNH:'ٲ>oN"Pz4r@.%B- B9W"W;F>B9xIt3f}-ZjN$e:yy:#Q~/-e%OşrE.se['R@ҥqȊ,4Mgb =ILә"TFڷUԠ1x1C˟ \)b 8wKSLd ŀyuVJUò z>e}ws6Qg?|ɿh-U}%!ֵD{U 5mĮ"it5BNG"w5wzX](MnQ1r(i S%%a a9$t^~ki'kȀi1ݑt#G(7B"HIvؕ]3=ŻBz$.Ğr<` 6A=ץR 8]#|Iԡum~c} 5RЪD1X>j ]T^͝p7 C%v@h$7T6<1BvY̮kOcxzbw8ѧ/jug`8;n+ Mŭs \QW(aUϔ-0tD=cRb=.Ywɋb(fGa0fRVcD$fOAN!M Qy qk=bt}h-QYb'êR ~:d3e=5v}QU(nVuPeavဘ\@y5`,YȄ\4Bh\c.ہGr@N[].C~Gl*~b>S'C+m9d'A7%Cңz A ^ĺ1ip~Ն$6^1p>/|‚Sf+1q]2<]m1<i65ϖZ+_0}0P尘Kr&Ku"@DmBs}zA櫝ÍV^&M5рUJdi !ym'K0{Q+#65=:|zMܷ ɣoE+GJ9WM-Ԥ9Ð?E%ٖSg`/c4KIe_;5XWղ>5-N}/^]xw2'"LYkp}E$: Qe?yT'=N7 .Kl"f Ei`F-xx,߆F{nGcCGZbHC)a<,p + 望J=2g fiˮ,mُ 4Šq"F*:7ǗHEa0;~Zyok&G`s:?K;G.N߭]N)?q\׈ofnu#0ύGXP5c<}7ƬRy6uf[e(ȧ!~lbܷPa,]h?&~G1QAg7R+_ඹH|v}!}șB /Xd`4Z, b>gKo1Z>=+ A. DA t> L6 |G7Ҝޜ1cpenRn$CģII?YNZm'dw5Cx IW@E+J>Ӭ qXXk+aӋÕ>瞻Ȯe24]] ^w)-&W7|[|B7 a- ZFD;Q^p#$מyOW&e(dH 9|"~ϲTp'cF'dѫ'Rt3Rch8رiλ8_, l&&|k版ZGNhgIOPmk^T^'C } P#10F@33 CF쭷O{$VL~}0@`7\ݎH$t_S}|s[Eq(<^Lb]Eϻc=fFoJi,`/=atdY_~եEO&) dQ͗qN.5 n|t/G̙g&7c%4trFDAu.*D5TT#{8sDGʱ/6,.9"ŝqBt`2\G:FA)[o FYǦu R!m4JR';8C(~ +L3!~\x3t@"-[e@e6~d,GXP+~ !bт~." $*·0X;\+Fb3xlK8 K%~R%1G>^f4Jֵ9U9Ɓ9%Fhk ʢ +Z0/&Q@7q-R.6 lskؐFiHR"_Gkvh1YOr RյnC9gwfo lߞ7gBB{Q?^X5kϣ\XLo}CLQ?gLĿBAMD:$icE3\^PDOJs(E5.<Ȃ͇x=sirҡ nSwRef|KTyˋ*s{TrI%?3䱉!3zYF]H8Oߧ 7UGa[\wDäyWɁ>}_*sW/&. *E KDŰ0]W| |E EKbO) Тf37\8WB *YҲu4/KY\oƿDCYE49vk{$ƪSB4dzgk! HzDI#o}\Cɡؖ ʼn3Be[Iv1MP~9"<'ZEu!- |ASޫs9Uݽu:$ߧjuZac#NALL&~J63tX*fS szIsUё~b("ɠQ͘Mú4a[-!Y%u%MN2X멸Z&"i&#aZdϦAOfg:vĶ l7yD]|;_bI"uQ1ny{<7o4"5@g #Yɳ9N nyL +'AV~+wNMU<:zհL ދ=% 9fZm{$Uil(J4)cnv%Bn7>P C@AkSL0QpQҝ(Z$(A]"DӠdMa5]O%ue 3Qל(R]fB$C5MtF,r6|QhAǯv $ IQ0:Z3}8.?o$gxPwA]0 CƉ&}zlnMي>f0Df \[Ԍx4:zI~x*vf*ŧfzʲ*KB"j bv`"@Tx{?&z΀ ؝τ8 Yw*{=\V@P@UN<% !#O-1x4Y'>cMp< B cO %dҊDr;˶>J") 5a8 "vdĥ A}C&9~13*gJһ,S嘜ގ#,g}U㞳%ܘ~=|v%5.sQ)O;==XiuXsl:ȍ:PBȁ{/L?G8JitT3$0WB`ҥu΃ k%dClSQ_񼞗g2\̺P`ͬD}B@=T \A '=L0~hU([*=$a]cn"/dXU_s_{$`8'Ŋ݄o80JhV`5\촮 aAB4k˝|v8,y\F^ ?p0rו)tM@&%.<޹ Aa}2rcqE(찤j^ ZP1Հ} :IiX zPRVbd`jG= )bR9_.Hhd'%~;ya QtzGK'&t jdiTRxaW + nqחCm"&'}u^CH*7oS@ xckG#pS7?ŊX wC7Yw8ԁ,zX]S8'iFL cLcz񌉼疨<"ɕśɟ6W$c4k1Byxq0ȳN<Ӄrq2(;H G`6 WwWXu6J*\"~3l&0<:!P_NQO0P`hHx',0?AlZ L)gǬI4D] :O sN%MK3 RCiH߱u dK ⁠D "c >mSf8*5EY]wҪ]oӐ.Xܩ fm2; XUD^.J K[~c1.FT;Xo )oW浃?Hj+IuܕI2B &Xa}?R&=@Xҹ^." ;"ih@\mC3¡R׫ ET_jߣA^fDŽ5rWPG6mr\" ,ڟD FC6\ AMUR.|3=g_ (-R2O%4k wz'<0f,)9F_-C&pp*Mc%MKi$9^3Ʉg FLqg~wƓUA{ zk l\ H fi;|g UҘ 9|標<8{_yc' HPI`KɬO -5( ,% r68i#.]<(q2TJ9}Rv) s6="]Ґ:^~}-$SU>fy}!e\ZVm,;\LjuJ'zS؛{L[-( 5 ȱbm+:0q3D)Sn}hW}{ jz p)(#bGx]][' 򃓭)y֓Q4 |x1j$<3T94?.Mb"uBWr^^W޿Q5s^^Qˏ:W(jmmNKse0Lwz|*wW:a.?iY1gSP(bůG\R5ZjT{c]2luuQ0"GQL%'DQ`R@$%_ՁC얇P/0 Xk0ߊ 7리^+|_|k7*2.9.ut E;kHKU| 1UF`dyCzVcР;@=F5Zڵݫo4xt^&1*j c*P-6(/Zw-x A貍G:@$~8jmRF,X#f|<4=Ve O $(*(LH63F"r֒4t{[IeOQsʗF[x8(o/ ?) Ysx,FS|۾P/kJc^ܿԈN+>EyWIDb:,|htVpy]Cvh7a,IĜu ĖvAOeǟ-ߺß r  =w 9'j;n-CTޱXk˕~ǰpD^ݞ9Q{d EWA A;}"T:drjL5t-:oʱ*blPihA.U[ˀۧ&d$J{&$uh m$lxlb}w;HСn|=§lΐf7` S\9;NrSZO-%1g}'&Ic\ 4vt27BNb ZDzB[*:( DoozR1v3Y*I_}ȼl|"OӅsoD=#gbYcYz[jߕ䰧XbdtXQas\xI[3?StkX)۱mjc.Y{`J!U-8̈́^?@KԬX0,W4x-?PNBfmxZRINlZ?vO{^vaw P@qz?Rմiڅ y)ZXxb Wuj:R$nW >j~ش\Fc'3U"rM]jmCG mQu'T({8ٰSmHS09, J@udOa\#*n\À >@fF,u}{ĺ.qDY4V4JZ)TCs ȉ T+'<^қ@9e&LdJ+rE8E%X IqXhC/0ɶ?1|, M $=SlbL$`au<K, ^TGE!9EOl&n#Xlpc ̾Cb{Ts"sveM"a@]UANhZ5k1on|@TbΟ 2I?t3k wnm$T$ M

X~!8/Kx-\gHBg4ZLg(!X~vpZg7^'x {-e,~}H<4?L;XzVXf3vvZ9} ?".ޒlF, ߇4L¥G26/7%n4f05:0չ*ίLTKgdj+PLd~i%LjP];$G<>.Kǵ^::1Xr>Hv a`AnA2TI}n2[b鹆SMQ^I+hExէde u䟫,0td^sͧeȪڲm[ZggHx>xr铈TֱG"5҉bh]C 92n1Tva0Jw'!i"5 g ѺD$![q)MrNJH\1="a:g*/[qҎ0{\;NPN=MlJKPKܟ[R7l;O;ڒ"|=@5r?HMz`Ep/RQ\\h; e|r);KwS}Z]7;MAk~g|_ !'.t$~_Vk~,.{ЪjtiJ~5GSt24IіA Y]9tQ2йe8}ـyxxO7žҒf:ˋkAp&GTiKk!yPwޙ#e52A* 0{+Ui[, 5,{{OЗmѷD%PUaփ˷ݾbη_biM\bc(,9 O?e;K Z)?`Upܯ\6gl؝85fJq|rRiJfAK٩:h_8Y;5zqӾ=jHfmAywSh~RCM'z8*i zQsxQ X%Ҿ|U2z-{{֖A 1tIevs/0w.P ?^g5gK[v,0Ô{]6|^,i0GBG ee:$Lbg={=LZ7W֙{tCVɣ2ł-o1gؒ4k/r -a,3jS0[VK0Ju8(ocbCy#<% }质yR#d_8A2- ?7GNNr#qB=QEO!$C?(b9UEx"h#fa n.RGD-t|A*ˆJews_" f(a3I8>KASF(O'w~*nU0D .2-T F7p&&rbP%:g\E"apX 'b؃L ^=Fow (}uY\H2{.T6@-C^=f jͤٴ @θ:pGƿI?KM/{2\:F -EB{,O h-~t[ka`]E?$!d,2%E#6PP_! \+./1J' ")L"cvUBp?b3{Fk~?ZH߹R;Q쟹'ꊮ+:tIy?T/fs$Hp^l#}צ$a̜g7K $Orft廿\tK:dZ9,*,Bߊ5t/7HG50vR}9HHSjgn_ث*50R4<̇ g пٹPڨْp,mTjT3DSۄbIq ;!o' ش#.a4~ٖ!K L  #Lwtva1L5mTlL&1~0'6\X4Z; {h{Ncv.96GQ Ww=OXafh8.9^\+c\pQA'$7b(ҧvj9)Z۹)HV!w*`v}+ JtDà~^gg~SDuix^z}$f8"pJVMGGԑOX8 .?h$E9R)κnüzư(ҾLYMP=Y>J [\#9wH*(0lȡ B-vpT'LjN<)Y=ِ t 3MUO#ꬓ`$;ݸIjAδU[S AOP:$YؐDyh 09IB*=SCf>]B #;xג!Ww*&z݈6M4v4t}9Zp̕Cl9ƿ\ ب93")Lɗߐ #Xycm^B@Chzq\)p캠+=˜"Mwq2qzm5B ?^uv!k>;Wc\<`A0CB?L,hOLM_xYW3X, '^,$RU,H-#.r|LV.>m>럃g?WDTtwUQTK!F'yPw7 $'{#&6SiA#Lp~̍z}c!!gF6*'j߆*$GȧNa?#< UnU`q* &e1{{:f,"@K\ 2aY]K,2ܫ>spr7~Ie|sux%(%1K> oc(Qo7CW]mLY麙^3w{wgO  i* Vk,r:H8D+d=z/TnPbڎ 'S*ͭz ~ 轑K3RckҬa'^8:(y gD/~x:3cU<#RRRSuq<{+R3s'G`3ms%S7.ɕ/נϾ5lWPyPIHO' A|uw&M@_;@a|t`.7ᨋ,,coQ}4[@Xg·O&4^43sQS3*ʐ^ܛIOZ/A*7EJ\VRF|72A _IPiE{Πh<)2ԥ؝4VTpNgQDt/)NF[HݻW2{="7b֫p.$Q8pbOW,hQ)sfHn-Xnu bӮKH5"8 *d)/낝i;ƹxOJDWӋ|;==%!RDM{S@g;(dEu,aFJ/{{FQDpCI_ ˖Aq꡹ЌESY$Ex6o' wYi/NN֍tރfv>Y' V<}1h$M-ǫ$<^ޔeA%$7ͬlRTNvuE'A}k| ]xlj3 މI|Wn/Ź 4VQ5>F#icMXQ+w*Z\YqU>%"E:RWeY} As\Ağ;2w_S.82ĩ+\mlDlYd<^NVÀ(c2`v2OdCuЀ& |1U8x3!XWMb4#v^Uېeάz6zm@lh~?d|ws ER`F{ɩS0}U.;ˊU>n;V:Ogϗ p^Bfm,QI&Sm~s jPAj!^, Yء5bуؼ 87V/gxI Gc=Itdoق8*+f9ȷ2j%;~F;|Xw40 ;L S?ypWư 3& _˝3pN, X=^9"_/ =Cn|JWT!iAѺ_xXn>])izBM?H = ɝ}Q;t+hiOju(v|8oӑdO@JkPW. PZ*q2 ^psl4.#cLdx!_na:};=)]ݭF]7j7ܸ=r x4Y=툔H̆)Ϳl*CU#RT=S&12B@ vcPϜg G;n5S`t<h"M&?&kFQiHh9=ۣ+4 a6${&*٢[LT,+ӈPb5u ^ [G4%,ϛ,ͩ.ld;]/!qAT-kȺI"n{q_)0GK&u?-;HLj^JIIo#w1 jhQ'Co\Ȝ1oi><:#y* Fc,め^[eS/A8 =Cԕ$Q0|L0s6* >77Mը.UgLg~{Ѐݹ$3UDMu0*5smǿr#:pZLVY@C}""3Z?5 M~D`5db} -ܑ$7\Z9 a"4ؒP)j sL􃲵:pkEaeAK?Ru4þj"VVZ;| ?"fe]=:Kͻ(K#CVU:Y P}O#= rgL0AMY6@}$JhS FL; Qa߹[-4Y\*| :])l܄?ɶIv/ D4:|A}'#㲲ӆ/*b~^.{LJΪ=>5:p!w?˟L^F6 ߋ7Wev>+ gvCX\|d 흔UrkLyvJ{a2KQa#I$c1|W8P`w /Q8ju 6GY֏S]B:\vIps%^ZKmr)9 pE[6&V\$Up/} h4 վi<|ͧc`f?sUSGl`Sau0:/k,1*D]-VzMoXz<= BTcwZL!̨z, ]FpK-I>aP a|-d/Yq*ǢD=@Yʕ1m)!lBʃ^ES!ý=B=B2!65. E hS/{y_sQKKD\[^VD[Ʌtu e'(W\S[3d3 gʚ`ʇR1)-Az02ːn je0[kxn#(yKdQ ?e r`DurOBrwB!Y„;&Rȉ1,շ1P4Ѷb{+Ps)QOwr?4[Z: ԋϠ7p%u1rt'q}+MdxA}!&2wGec}= I1I=!љβ;kH}6Vð ?QXWH$hPq=M>Ӥ؆L9]blJsO "rj@GAG2xzefĊvhdZؽ6% >y3 Z5#]^ǽ a䁒a[1-2.yիK1[(9#J1&C f}mc2Q{Y vcՍ>B> *֥k@ +BkPeZ~ߤ;j*QeרoGD+eޠZNxtN0FVӸ?aeZsW.37Jsm_Vѭ)JL~ !_ ah5HWQp:ē354QoWN]Htop:Z$tzM(7y/xG?Wiݪ9|FsJ[$QD̚OYZ6^/T4"ޡzDzGde)<\{*2fm/۞}&K2+ rcJ l/]&ӮD!}%;'"+4.w5iil>~a5'jCArrw|c  PSd%1 c[?[LAWpó;gZD։1u$ͨOӧK,JrX6vƫ:0aS5%DښŨtvBi?!JhC87f@J^/0YTnY9Et(p.5E#;AM( *THc]W%ǷjY# 2kdX"RņNxzнc"Vs` ~*+X.6 .;qa%44(13>81V` mDA~EioEyǃb[o: ǫ{0@[ `tq#u 'lȽ:ipuP'P]NOFZ\vNXy YK7l6A<|l+Cf%C٠K"Bql`@9q.״F)8 2 f+?u{i-~,xm}$,3DR?TCW17cwϮ}? wST }%78g| \bFPc[XHt0$XrZCh7Xdu鱯&YSC̽Tξ{U߭{*?'r?!IݨC%W/.|EYܑ_ ı8x TAg/J778A9OHy,rSz.M*.^\Qz4Ȣگuzi @枸`{"90} s`< a.5}.x̼:GY:!V#o%M%cq >єH"f>y ( r}n=*BNiC3Ds3)?в5ͼ5Jl).#!IurQ=:1GsR{1&϶/$g @~moRεݫMEr4Cy.V@!8.Cn'vt^ʆ"J5yiG = -=/)HeKibeH#vVұV:t>W ,Cy#tL\⭠]әҌZ .WYե6 vKdW>F$SEy{L|z%Mzo|Q撶c|g؃;$SZ+6y::M&5fS,o <` s"?w=QȞKmг~֖IJ!5=s1;5laY sDX΍$(nNr ⨖%:nMtϤ' iL0 ia1?  f>~ V|_IxjTROϖ݁>({EPM@=̴2_T~:#YYsVt$u@F|0T'PLJ5jC _8B \l~|V[|&"}K.z{_>v#rC%~6Yx*?Ǘ_[TSTxDHBYs.KZ:?`7w%/֫UN;2I ʯa^&BصdӁYDd h`}}2]ZЎ_Fd憃 y{ی- EtAT9sxVS۽2I%gv02 GZ=x{3lVıWٛ(2knh "J-pG\Yח-vAE-sQu2CxFAMj/ι(U,k.l/vB6Q{-n ,P5,f!"@]NSI/Vag$$TMh(Cy烌zc*ܞaq9 nG3g` BQ>sivC*qE'.^n!J虖dZK]="|s*hޡ?Vs8넂>` _r$6B&fGx AU;ة.߱_@E*]Yyhi5Ȁkfb]eګF׶Th>\+FҜˆ-*%A>pfW4V8kiey17M8>^ ;p<}>*&9ו9w8iaZhH[v#yHfc`:AnKfNz.?mI( -کu9; b>%D]fR `6 F*c8\L aKZ2{i }IJB~U~*621TfU?VXcW9L䔹ŦRm; M-8jKE2_aN"GuQQ32^ jr El-}UbAݣl r8W's@ƩOmg/O7 Ց8Ȳ\+\".bP6r906nj)l|VKC1@T0ry?tk \oM!F.o,pHEٲ  cϒ)~4pl$ MN75J&b.tJ1M[9 :JdܥN`SK$eYY 5[2<еjztƏ`|=¨m9P-禡vDEˆ=|*jFԭrS(KU\`UDംgyKR8d*r 5G]s$}KShlVV S&}nԚq-rȒ7._toN+p m4P~L#;?d?Dw1W8 x á{惪`pȌHiq&Ta/-|G^ iukECu6 ͚ dЯ{n6-\!_Y*IUa<,𺮬E 0Xr셴jXغfE2EcN>C~j~ K,}3 hvc ٝY_ܖK}AޣEI+`ERew3,^5Q)W$uri/tnDõPog&>@3ڵNs͋ _mM1 sxϠ۟ivj\> hDž0\ֱLiTz[ĸ.3 C*!ә A.e'o6˥mŃ v 15'$!\0BKz YN͍4kJaJ@pӲ6au5ε?s^epy`c nCS] 6I3_'88"%hx4rRm{d~d.j ͐=)H$Γ]ԡioyW2y]v(sX}T|aHfL/ӾR _.4#e$ n+blF}ägڻ_?+[fdlDҩ.7&x=hxnʵWμ,% #4nɲAB-$_ȏm*HºtIM mС7rr5jv]/c;\z\[Q! K?v=1taNobCl?Cʝ7Qy*]l 8?$eKt4YZ0&R6 AAF&;%Ԫ%y%I+TS,I-"܇L,50uhV5wwuUCƻ s1Vy @_xo(M c6y+wœYFiS~ޯZUХPf&IZ0M"*2 ( jk9>. Uwss]ۂx);JX3dexS{$QN\fo{חϓ0R4yqVɚP{lEr6֥i!,>*n߀]Ot5\uk>8B=K>E]cL(fFz "h >/OW1LEQdzĔqG$igJN8C@8*`͂ H? qe$ݸAz#vQ8O=qd|+)TqO)BLi"Ax2rxUgа+ kuXQeg_2ǙL ەUC}x53&-<x#8ywi`c5Rm\*xFPW8tnԱۮQ'lA &h"Putt|(2@P0˿ 4Y  RvѶ|fe 5^p8m$Y-T3` YB9%D-_+ͶF2yzO5Y4oiB)t]Iuv]L0Ew+-)~U8re*Dsc gzԔodT91q 9v`}7:;| Zd2ƊޒaYvVqn4R;oم <)~l%L8jTsfY_la!L.LNa TKv07{}Fp6 U͗FLۦӢIej@ ,* ɋ݀f0irw<"iυ AF mxe+C `B6]kca/1D礒`\" $wvUsq"gB !&HOQCcv{[iݵ.i#˜wTYs֜l~%D<ȃOR7B?;0zJzqU5٘))+E82 ig h6j5Uӻێ_yA6j1G' ӱ*I㢠#J j$gGdQRDன+g -hUH{n9->ȭ*T 8]?t9˗h d/b< TČ.z$K?FYS iXi p7Nߨ) zȶd*sFIպ@Pz}j`7'΍-^%4b1~ |S>kMjaw,5uRh9;\'R|Ҝnt^[\P<%Զn dh 9| "*˿(ͷB礭/m> % Qub[EEeB 8?l"p5\$g!Qt KNӡ2ɁyaisgY6C_I0Hyd1+Ѫ ȺH:βU{_^i~h;~Oq2NvW珂O (QDك 9W٦f!+ݜj_-ndH#r|="|<PNEjWʮ?蜥֪`71ClTQޑ2 ~z>)$ZYO &FUu:hOa&(FQn\)fp?a! Z!?#(چ( n XK'ZfnmρZDM:8F8," ԩ TEL4t$";oK3U\ܿ9N8v͗wphY eP7N"!bKE&_ qcxrպud{?=zܪK{tE7%y9۠'ա~. KN6g#cKCfyWHzP(Yr¶%ׂ7ͧq'&qlܼCyl(H[4XCh|$d-z>yimoO}8P' #u۠pu:NU(ϕrٶda5 4]ܤbnX{[,3zO Jbo&_4G9 gd]LNνxwrYD'E$OP{)ޟwJnwQE{PU!(JI\t\JЛjͲewb'ONQ&F1& ت5CldCX 3o4yvι\eg'sl3O1LȸsXaډ`G=FL:}s[yi4KQ^. ӃxY#M*8 QɈ' iYet-ͷP]N؄/] Isel\EP8nqpNfN%ʵdʵGKS?)T_>$@_,)Gc ղahLhE:̘֎6Zlc^Է eC51rdȟ6Gȉnk8w^64^GP;/X*9mӥobq2r{{x,{&&J:xw \63|2Nۆ2OF:7,[2 m%Z+H7itN"Pǯ?.<5 y\b(pֽ[T"6ˀǘ;[ЦG[dUq,)̕Såmxgqg|XEI^t-^P]yik/bz}/{JDY!mR \|g)ԈFҘ]ݔ36 ҕ#vWҌ )>GRҭRz2!$̠עqE-lPOb"4&krinRR\w.sTթ ⷳKƉdUbQ_%Έr D D@lYֻR}d_2lXmcumm?gL mcukˎBSEϭ7㏯0(N|C<:ohrXi|=O{/*gِ qqLrĞWrǴ, d"q}Y@a~(o͵`4P%l^dIɏ])W)1zR[8CAG`ǂ@ _uж8^o4)ߴSjH_~rbT) 6X, QH1l7k jΫ"{} +qmx-z#muI5b%!wc25(:i]#(LiJ֤o6V3;H>U9apoD]eޛTxHx"'%:%%ߵLd;uc=t R0=!Bo4ЯsL'rZ@,(IR$͗1%' / 3=7&/d\Զo3qr*ӑɟ!έ6>^q#W\*h+8~WCMM,ݡ21M|"~}ufw8xpi: 9H4\8cJ XZ ]\03uOʹc^yv$ - |d Hu^KTfw\|5g*l